Security News

Microsoft said today that a Russian hacking group known as Gamaredon has been behind a streak of spear-phishing emails targeting Ukrainian entities and organizations related to Ukrainian affairs since October 2021. Security and threat researchers with the Microsoft Threat Intelligence Center and the Microsoft Digital Security Unit said today that Gamaredon's cyber-espionage campaign is being coordinated out of Crimea, confirming SSU's assessment that the Gamaredon hackers are officers of the Crimean FSB who sided with Russia during the 2014 occupation.

The Russia-linked Gamaredon hacking group attempted to compromise an unnamed Western government entity operating in Ukraine last month amidst ongoing geopolitical tensions between the two countries. Palo Alto Networks' Unit 42 threat intelligence team, in a new report publicized on February 3, said that the phishing attack took place on January 19, adding it "Mapped out three large clusters of their infrastructure used to support different phishing and malware purposes."

Symantec finds evidence of continued Russian hacking campaigns in Ukraine. Security researchers at Symantec have presented what they said is further evidence that the Russian advanced persistent threat hacking team known as Shuckworm has been actively waging a cyber espionage campaign against organizations in Ukraine.

Cybersecurity researchers on Monday said they uncovered evidence of attempted attacks by a Russia-linked hacking operation targeting a Ukrainian entity in July 2021. Broadcom-owned Symantec, in a new report published Monday, attributed the attacks to an actor tracked as Gamaredon, a cyber-espionage collective known to be active since at least 2013.

Latest analysis into the wiper malware that targeted dozens of Ukrainian agencies earlier this month has revealed "Strategic similarities" to NotPetya malware that was unleashed against the country's infrastructure and elsewhere in 2017. The malware, dubbed WhisperGate, was discovered by Microsoft last week, which said it observed the destructive cyber campaign targeting government, non-profit, and information technology entities in the nation, attributing the intrusions to an emerging threat cluster codenamed "DEV-0586.".

The U.S. Treasury Department on Thursday announced sanctions against four current and former Ukrainian government officials for engaging in "Russian government-directed influence activities" in the country, including gathering sensitive information about its critical infrastructure. The agency said the four individuals were involved in different roles as part of a concerted influence campaign to destabilize the nation, while also accusing Russia's national security authority, the Federal Security Service, of recruiting Ukrainians in key positions to create instability.

The U.S. Treasury Department announced today sanctions against Volodymyr Oliynyk, a former Ukrainian official, for collecting and sharing info on critical Ukrainian infrastructure with Russia's Federal Security Service."As in previous Russian incursions into Ukraine, repeated cyber operations against Ukraine's critical infrastructure are part of Russia's hybrid tactics to threaten Ukraine."

Russia is positioned for a hot-war attack on Ukraine that the Biden administration warned could come "At any point" - but the country is already suffering an attack of a different kind. The perpetrators are taking pains to make the attacks look like a ransomware attack, even providing a ransom note.

The coordinated cyberattacks targeting Ukrainian government websites and the deployment of a data-wiper malware called WhisperGate on select government systems are part of a broader wave of malicious activities aimed at sabotaging critical infrastructure in the country. "The attack used vulnerabilities in the site's content management systems and Log4j, as well as compromised accounts of employees of the development company," the SSU said, corroborating prior disclosure from the Ukraine CERT team.

After last week's website defacements, Ukraine is now being targeted by boot record-wiping malware that looks like ransomware but with one crucial difference: there's no recovery method. The malware itself wipes the target Windows system's master boot record, rendering it inoperable, and its main executable is "Often" named stage1.