ukraine - X-Industry - Red Sky Alliance2024-03-28T10:23:53Zhttps://redskyalliance.org/xindustry/feed/tag/ukraineAuchtung !!https://redskyalliance.org/xindustry/auchtung2024-03-06T12:55:00.000Z2024-03-06T12:55:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12397806069,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12397806069,RESIZE_400x{{/staticFileLink}}" width="215" alt="12397806069?profile=RESIZE_400x" /></a>Russia has been accused of attempting to inflame divisions in Germany by publishing an intercepted conversation in which Bundeswehr officials discuss the country’s support for Ukraine, particularly around the supply of Taurus cruise missiles.</p>
<p>The 38-minute conversation, which took place on 19 February 2024, was first published on the Telegram platform by Margarita Simonyan, editor-in-chief of RT and a sanctioned propagandist, who said the recording had been provided to her by “comrades in uniform.” The intercepted conversation reportedly took place over Webex, a commercial web conferencing platform, rather than on a secured military communications system.</p>
<p>It features the head of the German air force, LT GEN Ingo Gerhartz, discussing preparations and methods to supply Taurus missiles to Ukraine, and then support the Ukrainian Armed Forces in using the missiles, while observing that the federal Chancellor Olaf Scholz is continuing to block the move.<a href="#_ftn1">[1]</a> Scholz has argued that the air-launched missiles, which have a range of around 500 km, about the distance from Ukraine’s border to Moscow, could escalate the conflict and risk Germany becoming directly involved in the war. The chancellor’s position is a cause of division in his three-party coalition government, with his coalition partners repeatedly arguing in favor of providing the Taurus missiles.</p>
<p>According to the material published by Simonyan, the Bundeswehr has considered several steps to insulate Germany from the repercussions of Ukraine using the cruise missiles, referencing the controls that the British and French have in place when supplying their own Storm Shadow and SCALP-EG cruise missiles. Among the claims attributed to Gerhartz was that British personnel were deployed in Ukraine. The British Ministry of Defence declined to comment on the matter.</p>
<p>It is not clear whether all of the conversation published by Simonyan, who has a history of spreading falsehoods, is authentic. A spokesperson for the German ministry of defense said, "According to our assessment, a conversation in the air force division was intercepted. We are currently unable to say for certain whether changes were made to the recorded or transcribed version that is circulating on social media.”</p>
<p>While the leak is likely to amplify divisions in Berlin and raise embarrassing questions about the security of German military communications, the relatively overt nature of the information operation may instead encourage solidarity among those it targets.</p>
<p>Boris Pistorius, Germany’s defense minister, said on 3 March, “The incident is much more than just the interception and publication of a conversation. It is part of an information war that Putin is waging. It is a hybrid disinformation attack. It is about division. It is about undermining our unity.”</p>
<p>Following the leak, the Russian foreign ministry said it “demanded an explanation from Germany” without stating what it was demanding an explanation about.</p>
<p>This article is presented at no charge for educational and informational purposes only.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www.redskyalliance.org/</li>
<li>Website: https://www.redskyalliance.com/</li>
<li>LinkedIn: https://www.linkedin.com/company/64265941</li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/german-air-force-conversation-leaked-russia/">https://therecord.media/german-air-force-conversation-leaked-russia/</a></p></div>Wieder - Doppelgängerhttps://redskyalliance.org/xindustry/wieder-doppelganger2024-02-29T17:18:18.000Z2024-02-29T17:18:18.000ZCyberDoghttps://redskyalliance.org/members/CyberDog189<div><p><a href="{{#staticFileLink}}12390151900,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12390151900,RESIZE_400x{{/staticFileLink}}" alt="12390151900?profile=RESIZE_400x" width="250" /></a>SentinelLabs and ClearSky Cyber Security have been tracking a propaganda and disinformation campaign since late November 2023, highly likely orchestrated by <a href="https://www.disinfo.eu/doppelganger/">Doppelgänger</a>, a suspected Russia-aligned influence operation network known for its persistent and aggressive tactics. Initially focusing on disseminating anti-Ukraine content following the onset of the Russo-Ukrainian conflict, Doppelgänger has since broadened its scope, targeting audiences in the US, Israel, Germany, and France.</p>
<p>Analysts observed a significant emphasis by Doppelgänger on targeting German audiences. The network’s activities are characterized by consistent efforts to disseminate propaganda and disinformation content, particularly by exploiting current topics of geopolitical and socio-economic significance among the population. Most content seizes every opportunity to criticize the ruling government coalition and its support for Ukraine.<a href="#_ftn1">[1]</a></p>
<p>With Doppelgänger activities intensifying in times of frequent political <a href="https://www.tagesschau.de/inland/deutschlandtrend">shifts</a> in Germany, we suspect that the network’s goal is to erode support for the coalition in light of <a href="https://www.bundeswahlleiterin.de/en/service/wahltermine.html">upcoming</a> European Parliament, municipal, and federal state elections, culminating in federal government elections scheduled for 2025. While Sentinel was documenting the Doppelgänger campaign, the German Ministry of Foreign Affairs and the prominent German media outlet Der Spiegel <a href="https://www.spiegel.de/politik/deutschland/desinformation-aus-russland-auswaertiges-amt-deckt-pro-russische-kampagne-auf-a-765bb30e-8f76-4606-b7ab-8fb9287a6948">reported</a> on <a href="https://twitter.com/MarcelRosenbach/status/1751950627150704893">overlapping</a> activities, highlighting a growing concern about election interference. In this post, we supplement existing reporting by providing additional technical indicators and insights into Doppelgänger’s tactics and disseminated content, aiming to heighten public awareness of this threat further.</p>
<p>This report focuses on Doppelgänger activities targeting German audiences; a complementary <a href="https://clearskysec.com/dg">report</a> by Clearsky Cyber Security delves into the network’s targeting of Israel, the United States, and Ukraine. The activities we observed closely resemble and partially overlap with those previously reported by <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-1205.pdf">Recorded Future</a> and <a href="https://scontent-fra3-1.xx.fbcdn.net/v/t39.8562-6/406961197_3573768156197610_1503341237955279091_n.pdf?_nc_cat=105&ccb=1-7&_nc_sid=b8d81d&_nc_ohc=BIsHvhRBy-wAX_oUOUq&_nc_ht=scontent-fra3-1.xx&oh=00_AfDlKig7uDFr-LwWeLt4vOJrrfMYUY0Ry1pmUlnuGFJTZA&oe=65CDB212">Meta</a>, indicating the persistent nature of Doppelgänger.</p>
<p>Sentinel observed Doppelgänger orchestrating an extensive coordinated network of X (formerly known as Twitter) accounts. These accounts propagate content from third-party websites whose content aligns with Doppelgänger propaganda goals and from sites that Doppelgänger itself has created.</p>
<p>Most X accounts discovered as part of the investigation had not been deactivated at the time of writing. To maximize visibility and audience engagement, these accounts participate in coordinated activities, such as regularly posting and reposting content from popular profiles and engaging with posts from other suspected Doppelgänger-managed accounts. The posts from these accounts contain links that redirect visitors through two stages to the destination articles intended for consumption. These stages implement obfuscation and tracking techniques. Coupled with the carefully constructed infrastructure management practices analysts observed Doppelgänger implementing, this underscores the network’s determination to operate without interruption while effectively tracking the performance of its influence operations.</p>
<p>Redirection Stages - The first-stage websites, which Doppelgänger distributes on X, use thumbnail images hosted at telegra[.]ph to obfuscate the website thumbnails and redirect to second-stage sites.</p>
<p><em><a href="{{#staticFileLink}}12391477286,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391477286,RESIZE_584x{{/staticFileLink}}" width="490" alt="12391477286?profile=RESIZE_584x" /></a>First-stage website</em></p>
<p>The second-stage websites contain text unrelated to the campaign and execute JavaScript code obfuscated using Base64 encoding.</p>
<p><em><a href="{{#staticFileLink}}12391477901,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391477901,RESIZE_584x{{/staticFileLink}}" width="487" alt="12391477901?profile=RESIZE_584x" /></a>Second-stage website</em></p>
<p>The JavaScript code samples analyzed issue a request to ggspace[.]space (reported as part of previous Doppelgänger campaigns) or sdgqaef[.]site. The request includes tracking information, likely a campaign identifier, in the format [country]-[day]-[month]_[domain], where [domain] is the domain hosting the destination article (for example, DE-02-01_deintelligenz for an article hosted at deintelligenz[.]com). The IOC table at the end of this post lists some of the observed campaign identifiers.</p>
<p><em><a href="{{#staticFileLink}}12391477855,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391477855,RESIZE_584x{{/staticFileLink}}" width="526" alt="12391477855?profile=RESIZE_584x" /></a>Second-stage website: Deobfuscated JavaScript code</em></p>
<p>In addition, the JavaScript executed by the second-stage websites dynamically loads a further script from ggspace[.]space or sdgqaef[.]site, which implements the logic that generates the web content redirecting the visitor to a destination article.</p>
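<p>The two-stage chain described above can be triaged mechanically: decode the Base64-wrapped script, pull out the URLs it contacts, and check whether any of them carries a campaign identifier in the [country]-[day]-[month]_[domain] format. The following Python is an added example written for this post; it is not code from the SentinelLabs report or from Doppelgänger’s pages. It assumes the obfuscated script is passed through <code>atob()</code> and that the campaign identifier travels as a query-string value; the sample second-stage page is constructed for the example, since the report shows its real script only as a screenshot.</p>

```python
"""Triage helper for Doppelgänger-style second-stage pages (added example).

Assumptions (not taken from the report): the obfuscated script is wrapped in
atob("..."), and the campaign identifier is sent as a query-string value to
one of the tracking hosts. SAMPLE_PAGE below is constructed for this example.
"""
import base64
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Tracking/redirection hosts named in the report (defanged in the text as
# ggspace[.]space and sdgqaef[.]site).
TRACKING_HOSTS = {"ggspace.space", "sdgqaef.site"}

# [country]-[day]-[month]_[domain], e.g. DE-02-01_deintelligenz
CAMPAIGN_ID_RE = re.compile(
    r"^(?P<country>[A-Z]{2})-(?P<day>\d{2})-(?P<month>\d{2})_(?P<domain>[a-z0-9-]+)$"
)
ATOB_RE = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")


def decode_atob_payloads(html: str) -> list:
    """Return the decoded text of every atob("...") literal found in the page."""
    decoded = []
    for b64 in ATOB_RE.findall(html):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue  # malformed Base64: skip it rather than abort the triage run
    return decoded


def parse_campaign_id(value: str) -> Optional[dict]:
    """Split 'DE-02-01_deintelligenz' into its fields, or None if it does not match."""
    match = CAMPAIGN_ID_RE.match(value)
    return match.groupdict() if match else None


def extract_tracking_requests(js: str) -> list:
    """Find URLs pointing at known tracking hosts and any campaign ID they carry."""
    findings = []
    for url in URL_RE.findall(js):
        parts = urlsplit(url)
        if parts.hostname not in TRACKING_HOSTS:
            continue
        campaign = None
        for _, value in parse_qsl(parts.query):
            campaign = parse_campaign_id(value)
            if campaign:
                break
        findings.append({"url": url, "host": parts.hostname, "campaign": campaign})
    return findings


def triage_second_stage(html: str) -> list:
    """Decode every atob() payload in a page and report tracking requests in it."""
    findings = []
    for js in decode_atob_payloads(html):
        findings.extend(extract_tracking_requests(js))
    return findings


# Constructed sample (NOT a real capture): filler text plus a Base64-wrapped
# loader that fetches the next script from a tracking host with a campaign ID.
_INNER_JS = (
    'var s=document.createElement("script");'
    's.src="https://sdgqaef.site/track.js?campaign=DE-02-01_deintelligenz";'
    "document.head.appendChild(s);"
)
SAMPLE_PAGE = (
    "<html><body><p>Unrelated filler text about gardening.</p>"
    '<script>eval(atob("' + base64.b64encode(_INNER_JS.encode()).decode() + '"));</script>'
    "</body></html>"
)

if __name__ == "__main__":
    for finding in triage_second_stage(SAMPLE_PAGE):
        print(finding)
```

<p>Run against a saved second-stage page, the output gives the tracking host and the parsed campaign fields, which can be pivoted on directly (the [domain] field names the destination site before the redirect is ever followed). Pages whose loader uses a different wrapper than <code>atob()</code> will need the first regex adjusted.</p>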
<p><em><a href="{{#staticFileLink}}12391479486,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391479486,RESIZE_710x{{/staticFileLink}}" width="613" alt="12391479486?profile=RESIZE_710x" /></a><a href="{{#staticFileLink}}12391479862,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391479862,RESIZE_710x{{/staticFileLink}}" width="626" alt="12391479862?profile=RESIZE_710x" /></a>JavaScript code from sdgqaef[.]site</em></p>
<p>Both sdgqaef[.]site and ggspace[.]space host a login page at the /admin URL path, which has been <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-1205.pdf">assessed</a> as belonging to the <a href="https://keitaro.io/en/">Keitaro</a> tracking system. Doppelgänger possibly uses Keitaro to track the effectiveness of its campaigns.</p>
<p><br /> <a href="{{#staticFileLink}}12391480670,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391480670,RESIZE_584x{{/staticFileLink}}" width="438" alt="12391480670?profile=RESIZE_584x" /></a><em>Login page hosted at sdgqaef[.]site</em></p>
<p>Social Media Activities - Probably in an attempt to increase their visibility, some of the suspected Doppelgänger-managed X accounts identified regularly post content that does not necessarily link to first-stage websites, while others remain idle for relatively long periods.</p>
<p><br /> <a href="{{#staticFileLink}}12391481696,RESIZE_400x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391481696,RESIZE_400x{{/staticFileLink}}" width="383" alt="12391481696?profile=RESIZE_400x" /></a></p>
<p><em><a href="{{#staticFileLink}}12391482073,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391482073,RESIZE_584x{{/staticFileLink}}" width="472" alt="12391482073?profile=RESIZE_584x" /></a>An active and idle suspected Doppelgänger account</em></p>
<p>Analysts observed accounts posting content linking to first-stage sites in the languages of the targeted audiences. Further, Doppelgänger’s account network is probably attempting to inflate the engagement metrics of posts that link to first-stage websites in a targeted manner through reposts and views. This becomes evident when these metrics are compared with those of posts by the same accounts that do not link to first-stage websites.</p>
<p><em><a href="{{#staticFileLink}}12391482456,RESIZE_400x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391482456,RESIZE_400x{{/staticFileLink}}" width="336" alt="12391482456?profile=RESIZE_400x" /></a>Multi-language posts tailored to the targeted audiences</em></p>
<p><em><a href="{{#staticFileLink}}12391482658,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391482658,RESIZE_584x{{/staticFileLink}}" width="532" alt="12391482658?profile=RESIZE_584x" /></a>Engagement metric discrepancies</em></p>
<p>Multiple clusters of suspected Doppelgänger-managed accounts that joined the X platform within the same month were identified. Analysts observed a significant level of coordination in the activities of the accounts within the same cluster, suggesting centralized control. This includes reposting the same content, typically that of popular profiles, almost simultaneously. In addition, posts linking to first-stage sites from accounts within the same cluster often show very similar engagement metrics.</p>
<p><br /> <a href="{{#staticFileLink}}12391482872,RESIZE_400x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391482872,RESIZE_400x{{/staticFileLink}}" width="390" alt="12391482872?profile=RESIZE_400x" /></a></p>
<p><em><a href="{{#staticFileLink}}12391483052,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391483052,RESIZE_584x{{/staticFileLink}}" width="402" alt="12391483052?profile=RESIZE_584x" /></a>Coordinated activities</em></p>
<p><br /> <a href="{{#staticFileLink}}12391482456,RESIZE_400x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391482456,RESIZE_400x{{/staticFileLink}}" width="336" alt="12391482456?profile=RESIZE_400x" /></a><em>Engagement metric similarities</em></p>
<p>Sentinel’s analysis of the engagement metrics for almost all the accounts we identified revealed a range of reposts between 700 and 2000, with a median value of 883, and a range of views between 613 and 14000, with a median value of 5000.</p>
<p>Propaganda and Disinformation Content - Doppelgänger has been very active in creating websites that host articles for consumption by targeted audiences through the previously described multi-stage approach. There are domains and websites impersonating third-party news outlets, including mimicking their design, structure, and domain names, such as welt[.]pm (inauthentic) vs. welt[.]de (authentic) and faz[.]ltd (inauthentic) vs. faz[.]net (authentic). Sentinel assesses that Doppelgänger has created the rest of the websites we observed with original design and structure and no indications of impersonating established news platforms. In most cases, we observed consistent and regular publishing of new content, with only occasional idle periods lasting a few days. Some of the content consists of a blend of materials sourced from other websites and translated into the languages of the targeted audiences.</p>
<p>A closer look at the custom-built websites indicates that Doppelgänger has been making a fast-paced effort to bring its websites online and start distributing content. For example, some sites include template text or exhibit errors in search functionalities. Furthermore, nearly all of these websites lack a social media presence. They display icons of social media platforms that link to the domains of these platforms rather than specific profiles.</p>
<p><em><a href="{{#staticFileLink}}12391483876,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391483876,RESIZE_710x{{/staticFileLink}}" width="621" alt="12391483876?profile=RESIZE_710x" /></a>Template text (emphasis added)</em></p>
<p>Many custom-built websites have been built and managed using the <a href="https://wordpress.com/en/">WordPress</a> content management system. Some websites displayed status messages in Russian when a content search failed, indicating the use of Russian-language WordPress components.</p>
<p><br /> <a href="{{#staticFileLink}}12391484277,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391484277,RESIZE_584x{{/staticFileLink}}" width="402" alt="12391484277?profile=RESIZE_584x" /></a><em>WordPress status message translates to “Search for.”</em></p>
<p>The majority of the articles Doppelgänger distributes have a strong anti-government narrative, especially in regard to the government’s support of Ukraine. The article snippets we present below are machine-translated from German into English. An article at arbeitspause[.]org discusses a recent series of <a href="https://www.reuters.com/business/autos-transportation/public-transport-across-germany-disrupted-workers-strike-2024-02-02/">strikes</a> by workers in German public transport demanding better wages and working conditions. The challenges relating to the state of workers in this sector, such as rising living costs due to inflation and shortage of workers, are a pressing concern in Germany that captures the attention of the broader population.</p>
<p><em><a href="{{#staticFileLink}}12391484672,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391484672,RESIZE_710x{{/staticFileLink}}" width="634" alt="12391484672?profile=RESIZE_710x" /></a>Article snippet from arbeitspause[.]org, referencing Scholz, the German chancellor (emphasis added)</em></p>
<p>On a similar note, another article at arbeitspause[.]org focuses on the recent <a href="https://www.theguardian.com/world/2024/jan/15/thousands-tractors-block-berlin-farmers-protest-fuel-subsidy-cuts">strikes</a> by German farmers, which involved the blockade of major roads and were motivated by rising living costs and the government’s plan to phase out agricultural subsidies. Overlapping at times with the strikes in the public transport sectors, the farmers’ strikes have been disrupting mobility and garnered the attention of the population and mass media. Doppelgänger has attempted to capitalize on the momentum by criticizing the government’s plan regarding agricultural subsidies, drawing a connection to the government’s support for Ukraine.</p>
<p><em><a href="{{#staticFileLink}}12391484871,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391484871,RESIZE_710x{{/staticFileLink}}" width="625" alt="12391484871?profile=RESIZE_710x" /></a>Article snippet from arbeitspause[.]org</em></p>
<p>An article at derglaube[.]com focuses on the German immigration policy, which, according to some polls, ranks among the <a href="https://www.thelocal.de/20230908/immigration-and-climate-change-top-list-of-german-voter-concerns">top</a> issues for voters in Germany. The media frequently <a href="https://www.dw.com/en/german-aid-volodymyr-zelenskyys-plan-for-ukrainians/a-68195912">covers</a> <a href="https://www.dw.com/en/german-government-mulls-limiting-migrant-remittances/a-67213316">topics</a> relating to the government’s allocation of funds for immigration-related programs and services. Consistent with typical Doppelgänger practices, the influence operation network uses this opportunity to cast the government in a negative light and introduce its support for Ukraine into the narrative.</p>
<p><em><a href="{{#staticFileLink}}12391485466,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391485466,RESIZE_710x{{/staticFileLink}}" width="638" alt="12391485466?profile=RESIZE_710x" /></a><a href="{{#staticFileLink}}12391488465,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391488465,RESIZE_710x{{/staticFileLink}}" width="617" alt="12391488465?profile=RESIZE_710x" /></a>Article snippet from derglaube[.]com (original emphasis)</em></p>
<p>To blend political propaganda or disinformation in among other topics, some websites host articles covering broader subjects such as health, sports, and culture. Analysts observed attempts to introduce propaganda even in such articles. For example, an article hosted at miastagebuch[.]com initially discusses headaches from a medical perspective, only to later name the German government as one of the major causes of headaches.</p>
<p><br /> <a href="{{#staticFileLink}}12391488300,RESIZE_400x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391488300,RESIZE_400x{{/staticFileLink}}" width="383" alt="12391488300?profile=RESIZE_400x" /></a><em>Anti-government statements in a health-themed article (emphasis added)</em></p>
<p>Doppelgänger also targets Germany through articles published by third-party outlets, such as telepolis[.]de, freiewelt[.]net, overton-magazin[.]de, and deutschlandkurier[.]de. The articles from these outlets that Doppelgänger disseminates focus on both domestic and international topics, some with a strong anti-Western narrative. For instance, an article from overton-magazin[.]de portrays the West as profiteering from the Russo-Ukrainian conflict, while depicting Ukraine as a plaything of Western global players (cit.).</p>
<p><em><a href="{{#staticFileLink}}12391489459,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391489459,RESIZE_710x{{/staticFileLink}}" width="623" alt="12391489459?profile=RESIZE_710x" /></a></em></p>
<p><em>Article snippet from overton-magazin[.]de (emphasis added)</em></p>
<p>Additionally, an article from osthessen-news[.]de highlights factors such as the Ukraine war and inflation as contributors to economic challenges in Germany, prompting medium-sized companies to consider restructuring due to escalating costs. Issues concerning small- and mid-sized companies are particularly relevant to the broader German audience, given their <a href="https://www.bmwk.de/Redaktion/EN/Dossier/sme-policy.html">significant</a> contribution to the country’s economy.</p>
<p><em><a href="{{#staticFileLink}}12391491087,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12391491087,RESIZE_710x{{/staticFileLink}}" width="621" alt="12391491087?profile=RESIZE_710x" /></a></em></p>
<p><em>Article snippet from osthessen-news[.]de</em></p>
<p>Infrastructure - The Doppelgänger infrastructure can be divided into four parts, each subject to different management and control practices and each hosting one of the entities involved in delivering content to targeted audiences: the first-stage redirection websites, the second-stage redirection websites, the servers likely used for monitoring campaign performance (ggspace[.]space and sdgqaef[.]site), and the destination websites.</p>
<p>First- and second-stage websites often shift between hosting providers, such as Hostinger, Global Internet Solutions, and Digital Ocean. The domains of these websites typically have short lifespans, lasting only several days at a time and recurring multiple times over a few years. We observe that Doppelgänger activates the domains briefly during its campaigns before deactivating them.</p>
<p>The domains of the first-stage websites span a diverse range of top-level domains (TLDs), including generic TLDs such as .buzz, .art, .store, .site, and .online, as well as country-code TLDs like .co.uk and .br. The domains’ format suggests an automated generation approach involving the creation of subdomains and numerical suffixes, for example pcrrjx.kredit-money-fun169[.]buzz and yzrhhk.kredit-money-fun202[.]buzz.</p>
<p>This strategy, combined with the frequent rotation between hosting providers and the cyclical nature of the domains, indicates an effort by Doppelgänger to evade detection and tracking of its first-stage infrastructure, which is exposed on social media platforms and, therefore, more likely to be subjected to scrutiny. Doppelgänger does not apply the same domain naming convention to second-stage websites that are not directly exposed to social media platforms.</p>
<p>Playing a central role in Doppelgänger’s campaigns, ggspace[.]space and sdgqaef[.]site are responsible for redirection and presumably for monitoring campaign performance. They are hosted behind a cloud-based reverse proxy, likely implemented as a security measure to obscure their true hosting locations. In contrast to the first-stage and second-stage domains, the active periods of these domains typically span several months during Doppelgänger’s campaigns.</p>
<p>Many servers hosting the destination websites are managed using cPanel, and some implement geofencing, which restricts traffic to IP addresses from the targeted countries. This practice is likely intended to minimize exposure of their infrastructure and content to scrutiny by researchers or authorities outside those regions, reducing the likelihood that Doppelgänger’s activities are detected and investigated.</p>
<p>The domains of the majority of these websites were first registered in the first quarter of 2023, and some as early as mid-2022, remaining active as of the time of writing. A smaller subset of domains, such as derglaube[.]com, which we assess with high confidence as being managed by Doppelgänger at this time, have been active for nearly 10 years, with intermittent periods of inactivity lasting a few years at most.</p>
<p>Conclusions - Doppelgänger represents an active instrument of information warfare, characterized by strategically using propaganda and disinformation to influence public opinion. The campaign targeting Germany we discussed in this post is a compelling example of the persistent and continually evolving nature of Russia-aligned influence operations, which exploit social media and topics of geopolitical and socio-economic significance to shape perceptions.</p>
<p>Sentinel anticipates that Doppelgänger’s activities, targeting Germany and other Western countries, will persist and evolve, particularly in light of the major elections scheduled across the EU and the USA in the coming years. Doppelgänger will continue innovating its infrastructure and obfuscation tactics to make its activities more challenging to detect and disrupt.</p>
<p>Countering influence operations requires a comprehensive and collaborative approach involving enhancing public awareness and media literacy to identify and resist manipulation alongside prompt and effective actions by social media platforms and infrastructure operators to limit the spread of propaganda and disinformation online.</p>
<p>Sentinel will continue to monitor Doppelgänger's activities and remains committed to timely reporting on its operations to improve public awareness of this threat and mitigate its impact.</p>
<p><strong>Indicators of Compromise</strong></p>
<p>Due to the extensive volume of observed indicators, Sentinel presents only a selection, including indicators from parallel campaigns targeting France alongside those targeting German audiences.</p>
<p><strong>Domains</strong></p>
<table width="670">
<tbody>
<tr>
<td width="218">
<p><strong>Value</strong></p>
</td>
<td width="419">
<p><strong>Note</strong></p>
</td>
</tr>
<tr>
<td width="218">
<p>09474w.reyt-cre-ad34[.]buzz</p>
</td>
<td width="419">
<p>First-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>1wifsq.c-majac-ann4[.]buzz</p>
</td>
<td width="419">
<p>First-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>3wk8wa.kariz-good-ad10[.]buzz</p>
</td>
<td width="419">
<p>First-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>62ogyy.internetbusinesslondon[.]co[.]uk</p>
</td>
<td width="419">
<p>First-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>6fmb3r.great-cred195[.]buzz</p>
</td>
<td width="419">
<p>First-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>allons-y[.]social</p>
</td>
<td width="419">
<p>Doppelgänger-managed destination website</p>
</td>
</tr>
<tr>
<td width="218">
<p>antiwar[.]com</p>
</td>
<td width="419">
<p>Third-party website whose articles Doppelgänger disseminates</p>
</td>
</tr>
<tr>
<td width="218">
<p>arbeitspause[.]org</p>
</td>
<td width="419">
<p>Doppelgänger-managed destination website</p>
</td>
</tr>
<tr>
<td width="218">
<p>arizztar[.]com</p>
</td>
<td width="419">
<p>Second-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>bfmtv[.]com</p>
</td>
<td width="419">
<p>Third-party website whose articles Doppelgänger disseminates</p>
</td>
</tr>
<tr>
<td width="218">
<p>bluetoffee-books[.]com</p>
</td>
<td width="419">
<p>Second-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>brennendefrage[.]com</p>
</td>
<td width="419">
<p>Doppelgänger-managed destination website</p>
</td>
</tr>
<tr>
<td width="218">
<p>buegym.ranking-kariz108[.]buzz</p>
</td>
<td width="419">
<p>First-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>contre-attaque[.]net</p>
</td>
<td width="419">
<p>Third-party website whose articles Doppelgänger disseminates</p>
</td>
</tr>
<tr>
<td width="218">
<p>d6egyr.borafazerfestaoficial[.]online</p>
</td>
<td width="419">
<p>First-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>deintelligenz[.]com</p>
</td>
<td width="419">
<p>Doppelgänger-managed destination website</p>
</td>
</tr>
<tr>
<td width="218">
<p>derbayerischelowe[.]info</p>
</td>
<td width="419">
<p>Doppelgänger-managed destination website</p>
</td>
</tr>
<tr>
<td width="218">
<p>derglaube[.]com</p>
</td>
<td width="419">
<p>Doppelgänger-managed destination website</p>
</td>
</tr>
<tr>
<td width="218">
<p>derrattenfanger[.]net</p>
</td>
<td width="419">
<p>Doppelgänger-managed destination website</p>
</td>
</tr>
<tr>
<td width="218">
<p>deutschlandkurier[.]de</p>
</td>
<td width="419">
<p>Third-party website whose articles Doppelgänger disseminates</p>
</td>
</tr>
<tr>
<td width="218">
<p>faridmehdipour[.]com</p>
</td>
<td width="419">
<p>Second-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>faz[.]ltd</p>
</td>
<td width="419">
<p>Doppelgänger-managed destination website</p>
</td>
</tr>
<tr>
<td width="218">
<p>freeebooktemplates[.]com</p>
</td>
<td width="419">
<p>Second-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>freiewelt[.]net</p>
</td>
<td width="419">
<p>Third-party website whose articles Doppelgänger disseminates</p>
</td>
</tr>
<tr>
<td width="218">
<p>ggspace[.]space</p>
</td>
<td width="419">
<p>Server likely used for monitoring campaign performance</p>
</td>
</tr>
<tr>
<td width="218">
<p>grunehummel[.]com</p>
</td>
<td width="419">
<p>Doppelgänger-managed destination website</p>
</td>
</tr>
<tr>
<td width="218">
<p>histoireetsociete[.]com</p>
</td>
<td width="419">
<p>Third-party website whose articles Doppelgänger disseminates</p>
</td>
</tr>
<tr>
<td width="218">
<p>hungarianconservative[.]com</p>
</td>
<td width="419">
<p>Third-party website whose articles Doppelgänger disseminates</p>
</td>
</tr>
<tr>
<td width="218">
<p>jungefreiheit[.]de</p>
</td>
<td width="419">
<p>Third-party website whose articles Doppelgänger disseminates</p>
</td>
</tr>
<tr>
<td width="218">
<p>kaputteampel[.]com</p>
</td>
<td width="419">
<p>Doppelgänger-managed destination website</p>
</td>
</tr>
<tr>
<td width="218">
<p>ledialogue[.]fr</p>
</td>
<td width="419">
<p>Third-party website whose articles Doppelgänger disseminates</p>
</td>
</tr>
<tr>
<td width="218">
<p>legrandsoir[.]info</p>
</td>
<td width="419">
<p>Third-party website whose articles Doppelgänger disseminates</p>
</td>
</tr>
<tr>
<td width="218">
<p>leparisien[.]re</p>
</td>
<td width="419">
<p>Doppelgänger-managed destination website</p>
</td>
</tr>
<tr>
<td width="218">
<p>lildoxi[.]com</p>
</td>
<td width="419">
<p>Second-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>miastagebuch[.]com</p>
</td>
<td width="419">
<p>Doppelgänger-managed destination website</p>
</td>
</tr>
<tr>
<td width="218">
<p>mt-secure-bnk[.]com</p>
</td>
<td width="419">
<p>Second-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>nice-credits-list266[.]buzz</p>
</td>
<td width="419">
<p>First-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>nw3m7o.samaritana.com[.]br</p>
</td>
<td width="419">
<p>First-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>o21obd.reyt-credbest-mx29[.]buzz</p>
</td>
<td width="419">
<p>First-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>osthessen-news[.]de</p>
</td>
<td width="419">
<p>Third-party website whose articles Doppelgänger disseminates</p>
</td>
</tr>
<tr>
<td width="218">
<p>overton-magazin[.]de</p>
</td>
<td width="419">
<p>Third-party website whose articles Doppelgänger disseminates</p>
</td>
</tr>
<tr>
<td width="218">
<p>pcrrjx.kredit-money-fun169[.]buzz</p>
</td>
<td width="419">
<p>First-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>profesionalvirtual[.]com</p>
</td>
<td width="419">
<p>Second-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>realpeoplesreviews[.]com</p>
</td>
<td width="419">
<p>Second-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>referendud[.]com</p>
</td>
<td width="419">
<p>Second-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>restuapp[.]com</p>
</td>
<td width="419">
<p>Second-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>sbl63p.kredit-money-fun274[.]buzz</p>
</td>
<td width="419">
<p>First-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>sdgqaef[.]site</p>
</td>
<td width="419">
<p>Server likely used for monitoring campaign performance</p>
</td>
</tr>
<tr>
<td width="218">
<p>sueddeutsche[.]ltd</p>
</td>
<td width="419">
<p>Doppelgänger-managed destination website</p>
</td>
</tr>
<tr>
<td width="218">
<p>telepolis[.]de</p>
</td>
<td width="419">
<p>Third-party website whose articles Doppelgänger disseminates</p>
</td>
</tr>
<tr>
<td width="218">
<p>uncut-news[.]ch</p>
</td>
<td width="419">
<p>Third-party website whose articles Doppelgänger disseminates</p>
</td>
</tr>
<tr>
<td width="218">
<p>v5yoaq.chilling[.]lol</p>
</td>
<td width="419">
<p>First-stage website</p>
</td>
</tr>
<tr>
<td width="218">
<p>voltairenet[.]org</p>
</td>
<td width="419">
<p>Third-party website whose articles Doppelgänger disseminates</p>
</td>
</tr>
<tr>
<td width="218">
<p>wanderfalke[.]net</p>
</td>
<td width="419">
<p>Doppelgänger-managed destination website</p>
</td>
</tr>
<tr>
<td width="218">
<p>welt[.]pm</p>
</td>
<td width="419">
<p>Doppelgänger-managed destination website</p>
</td>
</tr>
<tr>
<td width="218">
<p><a href="http://www.nachdenkseiten">www.nachdenkseiten</a>[.]de</p>
</td>
<td width="419">
<p>Third-party website whose articles Doppelgänger disseminates</p>
</td>
</tr>
<tr>
<td width="218">
<p>yzrhhk.kredit-money-fun202[.]buzz</p>
</td>
<td width="419">
<p>First-stage website</p>
</td>
</tr>
</tbody>
</table>
<p><strong>Campaign Identifiers</strong></p>
<p><strong>Suspected Doppelgänger-managed X/Twitter Accounts</strong></p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.sentinelone.com/labs/doppelganger-russia-aligned-influence-operation-targets-germany/">https://www.sentinelone.com/labs/doppelganger-russia-aligned-influence-operation-targets-germany/</a></p></div>Russia-Linked Hackers at Workhttps://redskyalliance.org/xindustry/russia-linked-hackers-at-work2024-02-27T13:00:00.000Z2024-02-27T13:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12389946096,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12389946096,RESIZE_400x{{/staticFileLink}}" width="250" alt="12389946096?profile=RESIZE_400x" /></a>Cyber threat actors operating with interests aligned to Belarus and Russia have been linked to a new cyber espionage campaign that likely exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers to target over 80 organizations. According to investigators, these entities are primarily located in Georgia, Poland, and Ukraine; the intrusion set has been attributed to a threat actor known as Winter Vivern, also known as TA473 and UAC0114. The cybersecurity firm that reported the campaign tracks the hacking outfit as Threat Activity Group 70 (TAG-70).<a href="#_ftn1">[1]</a></p>
<p>The Cybersecurity & Infrastructure Security Agency (CISA) has added a vulnerability in Roundcube Webmail to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies must remediate this vulnerability by 04 March 2024 to protect their devices against active threats. Analysts urge other Roundcube Webmail users to take this seriously, too.</p>
<p>Roundcube is a web-based IMAP email client. Internet Message Access Protocol (IMAP) is used for receiving email. It allows users to access their emails from multiple devices, and it’s why when you read an email on your laptop, it’s marked as “read” on your phone, too. Reportedly, there are over 132,000 Roundcube servers accessible over the internet. Most of them are situated in the US and China.</p>
<p>Winter Vivern, whose name derives from the wyvern, a type of bipedal dragon with a poisonous tail, is most recognizable by its phishing lures: usually documents that mimic legitimate, publicly available records and drop a malicious payload when opened. The group has also used fake government websites to distribute its malware and has been known to copy the homepages of Ukraine's and Poland's primary cyber defense agencies. Winter Vivern's exploitation of security flaws in Roundcube and other email software was previously highlighted by ESET in October 2023, placing it alongside other Russia-linked threat groups such as APT28, APT29, and Sandworm that are known to target email software.</p>
<p>The adversary, active since at least December 2020, was linked last year to abuse of a now-patched vulnerability in Zimbra Collaboration email software to infiltrate organizations in Moldova and Tunisia in July 2023. The Roundcube campaign began in October 2023 and continued until the middle of the month, collecting intelligence on European political and military activities. The attacks overlap with additional TAG-70 activity against Uzbekistan government mail servers detected in March 2023.</p>
<p><a href="{{#staticFileLink}}12389946086,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12389946086,RESIZE_400x{{/staticFileLink}}" width="250" alt="12389946086?profile=RESIZE_400x" /></a>TAG-70 has demonstrated a high level of sophistication in its attack methods. The threat actors combined social engineering with exploitation of cross-site scripting vulnerabilities in Roundcube webmail servers to gain unauthorized access to targeted mail servers, bypassing the defenses of government and military organizations.</p>
<p>The attack chains exploit Roundcube flaws to deliver JavaScript payloads designed to exfiltrate user credentials to a command-and-control (C2) server. Investigators found evidence of TAG-70 targeting the Iranian embassies in Russia and the Netherlands, as well as the Georgian Embassy in Sweden. The targeting of Iranian embassies in Russia and the Netherlands suggests a broader geopolitical interest in assessing Iran's diplomatic activities, especially regarding its support for Russia in Ukraine. Similarly, espionage against Georgian government entities reflects an interest in monitoring Georgia's aspirations for European Union (EU) and NATO membership. </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2024/02/russian-linked-hackers-breach-80.html">https://thehackernews.com/2024/02/russian-linked-hackers-breach-80.html</a></p></div>Bangladesh Electionshttps://redskyalliance.org/xindustry/bangladesh-elections2024-01-12T14:55:00.000Z2024-01-12T14:55:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12356665288,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12356665288,RESIZE_400x{{/staticFileLink}}" width="250" alt="12356665288?profile=RESIZE_400x" /></a>An official at the Bangladesh Election Commission has claimed that a cyber-attack “from Ukraine and Germany” caused an election information app to crash as voters went to the polls on 8 January. There has not been an allegation that the incident affected votes in the country, where incumbent Prime Minister Sheikh Hasina secured her fourth straight term in office after a record low turnout, as reported by BBC News.</p>
<p>Hasina, who has held power since 2009, is currently the longest-serving female head of government in the world. Her government has faced criticism from the international community, including the United Nations, amid allegations of human rights abuses and extrajudicial killings. “Her long reign in power has been marked by arrests of opposition leaders, crackdowns on free speech and suppression of dissent,” as Reuters reported.</p>
<p>The country’s main opposition, the Bangladesh Nationalist Party (BNP), boycotted the general election on the grounds that the vote would be rigged. BBC News reported that while official figures for Sunday’s vote put turnout at around 40%, critics have claimed even that figure may be inflated. Bangladesh has about 120 million eligible voters.<a href="#_ftn1">[1]</a></p>
<p>Mohammed Jahangir Alam, the Election Commission’s official secretary, told journalists on Sunday that the election app had been “slowed down from Ukraine and Germany,” without specifying the nature of the cyberattack. “Our team has been working round the clock to fix the issue. Although the app is functioning slowly, it’s still working,” said Alam. The app, Smart Election Management BD, was not essential for voting. It provided “historical and current data on electoral candidates and associate parties” alongside updates on how many votes had been cast.</p>
<p>Although not formally confirmed, the incident as described by Alam may have been a distributed denial of service (DDoS) attack, an unsophisticated type of cyber nuisance that works by flooding targeted network resources with junk requests, making them unreachable.</p>
<p>The nature of the attack was not disclosed. It is worth noting, however, that in an application-layer DDoS that sends HTTP requests to the target server the source IP address cannot be spoofed, because each request rides on a completed TCP handshake; the countries observed as sources would therefore reflect where the sending machines actually sat, not necessarily who controlled them.</p>
<p>Cloudflare, whose historical reporting has included Germany and Ukraine among the larger sources of DDoS traffic (although both accounted for far less than China and the United States), has said that a country ranking as a source in this way “usually indicates the presence of botnets operating from within the country's borders.”</p>
<p>Allegations of foreign interference - Prior to the election, both of the main political parties had made claims and counter-claims about foreign states attempting to influence the vote. Thousands of BNP activists have been arrested following rallies that turned violent, which the party alleged were instigated by government provocateurs. Arrest warrants are outstanding for many of the party’s senior figures, some of whom live in exile.</p>
<p><a href="{{#staticFileLink}}12356665492,RESIZE_400x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}12356665492,RESIZE_400x{{/staticFileLink}}" width="388" alt="12356665492?profile=RESIZE_400x" /></a>The BNP accused Russian foreign ministry spokeswoman Maria Zakharova of interference after she claimed that the party’s rallies were being sponsored by the US government in a bid to secure Bangladesh’s support for the US Indo-Pacific strategy. The chief commissioner at the Bangladesh Election Commission has also alleged that “Western nations, including the US, are trying to influence the course and results of the general elections in Bangladesh.”</p>
<p>Following the 8 January vote, Andrei Shutoff, a Russian election observer, reportedly warned: “In case the USA is not satisfied with the results of the people’s vote, attempts to further destabilize the situation in Bangladesh along the lines of the Arab Spring are likely.”</p>
<p>See Election Integrity: <a href="https://redskyalliance.org/xindustry/beware-of-info-manipulation-tactics-for-2022-midterm-elections">https://redskyalliance.org/xindustry/beware-of-info-manipulation-tactics-for-2022-midterm-elections</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/bangladesh-election-information-app-alleged-cyberattack/">https://therecord.media/bangladesh-election-information-app-alleged-cyberattack/</a></p></div>Kyivstar Warninghttps://redskyalliance.org/xindustry/kyivstar-warning2024-01-08T13:20:00.000Z2024-01-08T13:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12346580278,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12346580278,RESIZE_400x{{/staticFileLink}}" width="250" alt="12346580278?profile=RESIZE_400x" /></a>The mass outage of Ukrainian mobile and internet provider Kyivstar on December 12 last year has now been attributed to the Russian state-sponsored Sandworm group by Ukraine’s Security Service (SBU). The attack resulted in a total outage of the networks provided by Kyivstar, which included several early-warning attack systems, and caused a surge in traffic on other network providers in Ukraine as people sought alternative means of connectivity. It has now been determined that the group had been lingering inside the Kyivstar network from as early as May 2023.<a href="#_ftn1">[1]</a></p>
<p>A wider warning for NATO - The attack also targeted Kyivstar’s computer networks, deleting the data from thousands of servers and causing widespread long-term damage to the network operator’s infrastructure. Speaking in an interview, the head of the SBU, Illia Vitiuk, said that the attack “completely destroyed the core of a telecoms operator. For now, we can say securely, that they were in the system at least since May 2023. I cannot say right now since what time they had ... full access: probably at least since November.”</p>
<p>The head of Counter Adversary Operations at CrowdStrike told media that, “Reports around the destruction of Kyivstar’s virtual infrastructure coincide with reports of air raid sirens in Kiev malfunctioning, as well as payment terminals and multiple banks suffering disruption, and issues reported with payment for public transportation.”</p>
<p>“Since the onset of the conflict, Russian cyber operators have conducted intrusion operations for espionage, information operations, and destructive purposes against Ukrainian targets. An overarching motivation for the adversary is to contribute to psychological operations seeking to degrade, delegitimize, or otherwise influence public trust in state institutions and sectors such as government, energy, transportation and media.”</p>
<p>The attack is suggested to be part of Russia’s wider hybrid warfare tactics, in which the Kremlin’s conventional military attacks are accompanied by cyber and psychological operations. One such example is Russia’s missile, suicide drone and cyber-attacks targeting Ukraine’s energy infrastructure in the winter of 2022-23, intended to erode the morale of Ukraine’s public and its support for the war.</p>
<p>Such attacks highlight the potential dangers posed to NATO by the Kremlin and its affiliated cyber-criminal enterprises. Last year, UK deputy prime minister Oliver Dowden suggested that people should stock up on battery-powered radios, torches and first aid kits, listing Russia and cyber-attacks as potential threats to the UK.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.msn.com/en-us/news/world/the-aftermath-of-the-kyivstar-cyber-attack-is-a-warning-for-us-all/ar-AA1mvONt">https://www.msn.com/en-us/news/world/the-aftermath-of-the-kyivstar-cyber-attack-is-a-warning-for-us-all/ar-AA1mvONt</a></p></div>WinRAR 0-Dayhttps://redskyalliance.org/xindustry/winrar-0-day2024-01-04T13:00:00.000Z2024-01-04T13:00:00.000ZCyberDoghttps://redskyalliance.org/members/CyberDog189<div><p><a href="{{#staticFileLink}}12345062692,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12345062692,RESIZE_400x{{/staticFileLink}}" alt="12345062692?profile=RESIZE_400x" width="250" /></a>Cybersecurity researchers at Deep Instinct Lab have revealed a new series of cyberattacks by ‘UAC-0099,’ specifically targeting Ukrainians. These attacks employ common tactics, such as using fabricated court summons to entice targets into executing malicious files.</p>
<p>The group’s activities were initially revealed in May 2023 through the Ukrainian CERT advisory ‘#6710,’ and Deep Instinct has now provided exclusive insights into their latest attack.</p>
<p>According to a blog post from the company, on December 21st, 2023, ‘UAC-0099’ utilized an email scam to impersonate the Lviv city court via the ukr.net email service. The target was a Ukrainian employee working remotely for a company outside Ukraine. The deceptive email contained an executable file created by WinRAR named docx.lnk.<a href="#_ftn1">[1]</a></p>
<p>Although appearing as a regular document, it was an LNK shortcut designed to execute PowerShell with malicious content, decoding two base64 blobs and writing the output into VBS and DOCX files.</p>
<table style="height:87px;width:37.5765%;float:right;" width="37%" cellpadding="6">
<tbody>
<tr>
<td>
<p style="text-align:left;"><strong>The exploited WinRAR vulnerability was a zero-day flaw identified in August 2023 – Despite subsequent patching efforts, unpatched systems remain at risk and continue to be targeted.</strong></p>
</td>
</tr>
</tbody>
</table>
<p>The VBS malware, identified as ‘LonePage’ by CERT-UA, establishes a concealed PowerShell process that communicates with a predefined C2 URL to retrieve a text file. The script verifies the string ‘get-content’ in the text file, subsequently executing the code from the server and saving it as an array of bytes.</p>
<p>The LonePage VBS is a potent tool that gives the attackers a foothold on the victim’s computer and lets them run further malicious code. It uses a DOCX decoy document so the victim believes a legitimate file has been opened. A second delivery method, akin to the LNK vector, uses an HTA file: an HTML file embedding a VBScript that executes PowerShell through a scheduled task with a recurring four-minute cadence.</p>
<p>In both incidents, the pro-Russian gang exploited a known WinRAR vulnerability, CVE-2023-38831, which was disclosed in August 2023 and identified by Group-IB. The flaw arises from the way WinRAR processes ZIP files, and exploitation requires the user to interact with a specially crafted ZIP archive.</p>
<p>The attacker crafts a seemingly harmless archive by appending a space after the file extension. This archive contains a folder with an identical name and an extra file bearing a “.cmd” extension.</p>
<p>When a user double-clicks on the innocuous file, the associated “cmd” file is executed instead. This vulnerability heightens the risk of widespread infections, as even security-aware victims may inadvertently run malicious code while opening what appears to be a harmless file.</p>
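As an added defensive example (not code from the article, Deep Instinct or Group-IB), the following Python checks a ZIP archive's entry names for the decoy layout just described: a file whose name ends in a space beside a same-named folder holding a file with an executable extension. The sample archives and their contents are constructed and inert.

```python
"""Detector for the WinRAR CVE-2023-38831 archive layout described above.

Added example; not Deep Instinct's or Group-IB's code. It inspects a ZIP's
entry names for the pattern the article describes: a decoy file whose name
ends with a space, plus a same-named folder holding an executable-extension
file. The sample archives below are constructed, with inert contents.
"""
import io
import zipfile

# The article names ".cmd"; listing other shell-executable extensions here is
# this example's assumption about what a defender would also want flagged.
EXEC_EXTS = (".cmd", ".bat", ".exe", ".vbs", ".vbe", ".js", ".ps1", ".scr")


def find_decoy_pairs(archive_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy_entry, executable_entry) pairs found in the archive."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    # Decoy candidates: any file entry whose basename ends in a trailing space.
    decoys = [n for n in files if n.rsplit("/", 1)[-1].endswith(" ")]
    hits = []
    for decoy in decoys:
        folder_prefix = decoy + "/"  # path prefix of the same-named folder
        for other in files:
            if other.startswith(folder_prefix) and other.lower().endswith(EXEC_EXTS):
                hits.append((decoy, other))
    return hits


def classify(archive_bytes: bytes) -> str:
    """Coarse verdict a mail gateway or sandbox pre-filter could act on."""
    return "suspicious" if find_decoy_pairs(archive_bytes) else "clean"


def build_sample_archive() -> bytes:
    """Constructed archive mimicking the layout in the article (inert contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("summons.pdf ", b"%PDF-1.4 constructed decoy\n")
        zf.writestr("summons.pdf /summons.pdf .cmd", b"rem constructed inert sample\r\n")
        zf.writestr("notes.txt", b"unrelated benign file\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control archive: ordinary names, no same-named folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("summons.pdf", b"%PDF-1.4 ordinary file\n")
        zf.writestr("attachments/notes.txt", b"benign\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_archive()),
                        ("control", build_benign_archive())):
        print(label, classify(blob), find_decoy_pairs(blob))
```

The check reads only the central directory, so it is cheap enough to run on every inbound archive before any extraction takes place.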
<p>Researchers have found this gang’s tactics simple yet effective. They rely on PowerShell and create a scheduled task to execute a VBS file. Monitoring/restricting these components can reduce the risk of “UAC-0099” attacks and help identify them quickly in case of compromise.</p>
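To show what monitoring those components can look like, here is an added example (not Deep Instinct's or CERT-UA's detection content) that runs two rules over constructed process-creation events: a scheduled task created to run a VBS file, and a VBScript host spawning a hidden PowerShell process. The event field names, paths and PIDs are this example's assumptions.

```python
"""Flag the UAC-0099 execution pattern in process-creation telemetry.

Added example; not Deep Instinct's or CERT-UA's detection content. Events are
constructed dicts shaped like Sysmon Event ID 1 / EDR process-start records
(the field names are this example's assumption). Two rules follow the article:
a scheduled task created to run a VBS file, and a VBScript host spawning a
hidden PowerShell process.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TASK_CREATE = re.compile(r"/create\b", re.I)
VBS_REF = re.compile(r"\.vbs\b", re.I)
# Flags that hide the window or pass an encoded command; typical of
# script-driven PowerShell launches rather than interactive use.
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden\b|-e(?:nc|ncodedcommand)?\s", re.I)


def image_name(path: str) -> str:
    """Basename of an image path, lower-cased, tolerant of either slash."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (pid, reason) for each event matching one of the two rules."""
    findings = []
    for ev in events:
        image = image_name(ev["image"])
        parent = image_name(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "")
        if image == "schtasks.exe" and TASK_CREATE.search(cmd) and VBS_REF.search(cmd):
            findings.append((ev["pid"], "scheduled task created to run a VBS file"))
        elif image == "powershell.exe" and parent in SCRIPT_HOSTS and HIDDEN_PS.search(cmd):
            findings.append((ev["pid"], "VBScript host launched hidden PowerShell"))
    return findings


# Constructed events; paths, task names and PIDs are illustrative only.
SAMPLE_EVENTS = [
    {"pid": 101, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": "explorer.exe"},
    {"pid": 102, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks.exe /create /sc minute /mo 4 /tn "Updater" '
                     r'/tr "wscript.exe C:\Users\victim\AppData\Roaming\update.vbs"'},
    {"pid": 103, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": 'powershell.exe -WindowStyle Hidden -NoProfile '
                     '-Command "<constructed placeholder>"'},
    {"pid": 104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},
]


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The fourth event is a control: PowerShell launched by a service host without hiding flags, which neither rule should flag.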
<p><em><a href="{{#staticFileLink}}12345062682,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12345062682,RESIZE_710x{{/staticFileLink}}" alt="12345062682?profile=RESIZE_710x" width="619" /></a>UAC-0099 Hackers Using Old WinRAR Flaw in New Cyberattack on Ukraine</em></p>
<p><em>The attack flow (Deep Instinct Lab)</em></p>
<p>This isn’t the first time Russian hackers have exploited known vulnerabilities. In early December, Hackread.com reported how the Russian GRU’s affiliated Forest Blizzard exploited an Outlook vulnerability, allowing attackers to steal Net-NTLMv2 hashes and access user accounts.</p>
<p>On 15 December 2023, reports surfaced that Russian hackers breached a major US biomedical company in a TeamCity-linked attack. Despite the vulnerability, which scored 9.8 on the CVSS scale, being patched in September 2023, unpatched systems remain susceptible to ongoing cyberattacks.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.hackread.com/uac-0099-hackers-winrar-flaw-cyberattack-ukraine/">https://www.hackread.com/uac-0099-hackers-winrar-flaw-cyberattack-ukraine/</a></p></div>Doppelgänger Doubling Downhttps://redskyalliance.org/xindustry/doppelganger-doubling-down2023-12-08T14:00:00.000Z2023-12-08T14:00:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12309889482,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12309889482,RESIZE_400x{{/staticFileLink}}" width="250" alt="12309889482?profile=RESIZE_400x" /></a>Researchers have tracked more activity by an influence campaign linked to Russia that spreads disinformation and propaganda in the US, Germany and Ukraine through a vast network of social media accounts and fake websites.</p>
<p>The campaign, attributed to the Russia-linked influence operation network called Doppelgänger, has been active since at least May 2022. The US tech company Meta previously referred to Doppelgänger as the “largest” and “most aggressively persistent” malign network sponsored by Russia.<a href="#_ftn1">[1]</a></p>
<p>Researchers are currently tracking over 2,000 inauthentic social media accounts associated with Doppelgänger, but say the actual number could be even higher. According to Insikt, the impact of Doppelgänger's activity on users in Germany, Ukraine, and the US is limited. “Despite the campaign’s high volume, we did not identify any significant engagement from authentic social media users,” researchers said in a report published earlier this week. “Viewership and other engagement metrics reshares, likes, and replies were negligible across the network.”</p>
<p>And yet, Doppelgänger’s activity is worth paying attention to, researchers said, as its operators are constantly improving their tools and tactics and are “willing to invest in extra measures to evade detection.” Meta warned last week that foreign groups are looking to expand their influence operations as 2024 is an important year for elections around the world. Insikt did not specify which social media networks the Doppelgänger operation used.</p>
<p>Fake tales of decline - In the campaign analyzed by Insikt, Doppelgänger focused on three targets: Ukraine, Germany and the US. In an operation against Ukraine, a Russia-linked threat actor created over 800 social media accounts that shared links to fake articles impersonating multiple reputable Ukrainian news organizations. These articles “spread narratives undermining Ukraine’s military strength, political stability, and international relationships with Ukraine’s Western allies.” For example, some of them suggested that the US prioritizes the war in Israel more than the one in Ukraine or sowed doubts about Ukraine’s ability to win the war.</p>
<p>In a campaign that targeted Germany and the US, a Russian network operator created fake news outlets producing propaganda content, which was then shared on social media, the researchers said.</p>
<p>Unlike impersonating existing Western news sources, as commonly seen with Doppelgänger so far, these outlets appear to be an attempt to create seemingly new and original sources, researchers said. “This evolving approach likely aims to establish a long-term influence network by evading detection efforts to identify inauthentic impersonators.”</p>
<p>The campaign’s goal in Germany was to share fake narratives of “Germany’s domestic decline due to migration, economic policies, and continued support for Ukraine,” Insikt said.</p>
<p>In the US, the threat actor promoted hostile articles criticizing the LGBTQ+ movement (which was recently outlawed in Russia) and raised doubts about U.S. military competence. One of the fake websites linked to Doppelgänger produced election-related content, which was likely generated by artificial intelligence (AI). “This campaign likely intends to exploit US societal and political divisions ahead of the 2024 US election,” researchers said.</p>
<p>Kremlin-approved tactics - Influence operations like Doppelgänger are common tactics used by Russia as part of its information warfare.</p>
<p>Doppelgänger was previously linked to two Russian companies: Structura National Technologies and Social Design Agency, whose clients include several Russian government agencies, local government entities, state-owned enterprises and private companies. Both companies were sanctioned by the European Union in August for their involvement in Doppelgänger.</p>
<p>In November, the US government also linked these two entities to a disinformation campaign across Latin America aimed at undermining support for Ukraine and discrediting the US and NATO. </p>
<p>In its previous campaigns, Doppelgänger also targeted the US and seven European countries, with a specific focus on Germany and France. The network’s most common tactic is the impersonation of media outlets or political organizations, such as the French Ministry of Public Affairs, the German Ministry of the Interior, and the North Atlantic Treaty Organization (NATO). </p>
<p>The network’s evolution indicates that it can “have long-term societal impacts,” while the likely use of generative AI to create written content demonstrates “the evolving use of AI in Russian information warfare campaigns. As the popularity of generative AI grows, malign influence actors, including Doppelgänger, will very likely increasingly leverage AI to produce scalable influence content,” researchers said.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We can help provide cyber insurance through Cysurance. Call for assistance. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></p>
<p>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/doppelganger-influence-operation-new-activity/">https://therecord.media/doppelganger-influence-operation-new-activity/</a></p></div>
<p>Alfa-Bank Hit on RU Bank (<a href="https://redskyalliance.org/xindustry/alfa-bank-hit-on-ru-bank">https://redskyalliance.org/xindustry/alfa-bank-hit-on-ru-bank</a>), published 2023-10-26T16:05:00.000Z by Bill Schenkelberg (<a href="https://redskyalliance.org/members/BillSchenkelberg">https://redskyalliance.org/members/BillSchenkelberg</a>)</p>
<div><p>Ukrainian hackers collaborated with the country's security services, the SBU, to breach Russia's largest private bank, a source within the department confirmed to Recorded Future News. Last week, two groups of pro-Ukrainian hackers, KibOrg and NLB, hacked into Alfa-Bank and claimed to obtain the data of more than 30 million customers, including their names, dates of birth, account numbers, and phone numbers, according to a post on their official website.</p>
<p>Alfa-Bank was sanctioned by the United States following Russia's invasion of Ukraine last year. The bank is owned by the Russian-Israeli billionaire Mikhail Fridman, who is blacklisted by the US and Europe as part of efforts to impose restrictions on Russia's economy and its wealthiest businessmen. Hackers released some of the data online, including information about Fridman and his son, pro-Russian blogger Artemy Lebedev, and Russian rappers Timati and Basta. Alfa-Bank denied reports of the leak, according to Russian news agency TASS.<a href="#_ftn1">[1]</a></p>
<p>A source within Ukraine's security service who requested anonymity because he is not authorized to speak publicly about the incident confirmed that the Ukrainian agency was involved in the operation, but did not provide further details.</p>
<p>This is not the first time Ukraine's intelligence has collaborated with hacktivists. The head of cybersecurity at the Security Service of Ukraine, Illia Vitiuk, has said previously that documents leaked by Ukrainian hackers play a significant role in the country's cyber intelligence efforts. According to Vitiuk, the leaked data helps Ukraine to find out the Kremlin’s targets in Ukraine, how the enemy’s troops move, and how Russia avoids Western sanctions. “Cyber intelligence helps us to obtain top-secret enemy documents,” Vitiuk said. “In the past, we had to recruit a spy in the enemy's country to get this kind of material, which was risky and time-consuming.”</p>
<p>The hackers who broke into Alfa-Bank said they plan to share the obtained data with investigative journalists. They also claim to have asked Ukrainian YouTube blogger and prankster Evgeniy Volnov to call Fridman and tell him about the hack. The hacktivists published the alleged conversation on their website, in which Fridman supposedly said that he could not do anything about the hack and hung up the phone. Alfa-Bank didn’t respond to a request for comment.</p>
<p>Previously, hackers from NLB claimed responsibility for a cyberattack on Russia's MTS Bank and Russia's largest state-owned bank, Sberbank.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/sbu-involved-in-alfa-bank-hack/">https://therecord.media/sbu-involved-in-alfa-bank-hack/</a></p></div>
<p>Elon Musk Gets Starshield Contract (<a href="https://redskyalliance.org/xindustry/elon-musk-gets-starshield-contract">https://redskyalliance.org/xindustry/elon-musk-gets-starshield-contract</a>), published 2023-10-11T16:00:00.000Z by Jim McKee (<a href="https://redskyalliance.org/members/JimMcKee">https://redskyalliance.org/members/JimMcKee</a>)</p>
<div><p>Elon Musk’s SpaceX has received its first contract from the US Space Force to provide customized satellite communications for the military under the company’s new Starshield program, extending the provocative billionaire’s role as a defense contractor.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/starlink-to-the-rescue-1">https://redskyalliance.org/xindustry/starlink-to-the-rescue-1</a></p>
<p>Space Exploration Technologies Corp. is competing with 15 companies, including Viasat Inc., for $900 million in work orders through 2028 under the Space Force’s new “Proliferated Low Earth Orbit” contracts program, which is tapping into communications services of satellites orbiting from 100 miles to 1,000 miles (160 kilometers to 1,600 kilometers) above Earth.<a href="#_ftn1">[1]</a></p>
<p>The Starshield service will be provided over SpaceX’s existing constellation of Starlink communications satellites. The previously undisclosed “task order” adds to SpaceX’s growing portfolio of Pentagon business. That includes its competition against United Launch Alliance, a joint venture of Lockheed Martin Corp. and Boeing Co., to send up national security payloads, as well as a June Pentagon contract of undisclosed value to provide Starlink satellite communications to the Ukraine military and a Falcon 9 launch of 13 satellites this month for the Pentagon’s Space Development Agency.</p>
<p>Musk’s role in Ukraine received criticism after a new biography disclosed that he refused a request from Ukraine’s government to extend Starlink coverage to Russian-held Crimea to assist in a naval drone attack on Russian targets last year. That was before SpaceX was put on contract by the Pentagon to provide Starlink service to Ukraine. But Musk’s decision and moves including his conversations with Russian President Vladimir Putin sparked questions from some lawmakers about his reliability as a Pentagon supplier, including an inquiry being opened by the Senate Armed Services Committee.</p>
<p>“SpaceX is a prime contractor and a critical industry partner for the DoD and the recipient of billions of dollars in taxpayer funding,” a group of Democratic senators said in a letter to Defense Secretary Lloyd Austin. “We are deeply concerned with the ability and willingness of SpaceX to interrupt their service at Mr. Musk’s whim and for the purpose of handcuffing a sovereign country’s self-defense, effectively defending Russian interests.”</p>
<p>SpaceX’s one-year contract for Starshield was awarded 01 September 2023, according to Air Force spokeswoman Ann Stefanek. The contract, with a $70 million ceiling, “provides for Starshield end-to-end service via the Starlink constellation, user terminals, ancillary equipment, network management and other related services,” she said. By 30 September 2023 about $15 million will be obligated to SpaceX with funding that supports 54 “mission partners” across the Army, Navy, Air Force and Coast Guard, she said.</p>
<p>SpaceX did not respond to a request for comment on the new contract. But in a message on Musk’s social media platform X, the former Twitter, on 08 September 2023, he wrote that “SpaceX is building Starshield for the US government, which is similar to, but much smaller than, Starlink, as it will not have to handle millions of users. That system will be owned and controlled by the US government.”</p>
<p>Starshield falls under the SpaceX’s Special Projects group, whose vice president is retired Air Force General Terrence O’Shaughnessy, former head of US Northern Command. He joined the company in October 2000, shortly after he retired from the Air Force, according to a US Ethics in Government filing. Before retiring, he recused himself in May 2020 from any SpaceX dealings, the forms indicate.</p>
<p>The Starshield contract “is for a service” but “how SpaceX or any other company” provides “that service is up to them,” Lieutenant Colonel Omar Villarreal, a Space Force spokesman, said in an email. “I am unable to get into specifics, but requirements were received from the Army, Navy, Air Force, Coast Guard and other outside agencies” and combined, he said.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://archive.is/20230927204826/https://www.bloomberg.com/news/articles/2023-09-27/elon-musk-wins-us-space-force-contract-for-starshield-deepening-pentagon-ties#selection-4845.0-4867.24">https://archive.is/20230927204826/https://www.bloomberg.com/news/articles/2023-09-27/elon-musk-wins-us-space-force-contract-for-starshield-deepening-pentagon-ties#selection-4845.0-4867.24</a></p></div>
<p>RomCom at NATO (<a href="https://redskyalliance.org/xindustry/romcom-at-nato">https://redskyalliance.org/xindustry/romcom-at-nato</a>), published 2023-07-14T16:00:00.000Z by CyberDog (<a href="https://redskyalliance.org/members/CyberDog189">https://redskyalliance.org/members/CyberDog189</a>)</p>
<div><p>As part of a recently identified cyber operation, cybersecurity investigators report that a Russia-linked threat actor known as RomCom has been targeting entities supporting Ukraine, including guests at the 2023 NATO Summit taking place July 11-12. The event takes place in Vilnius, Lithuania. The NATO Summit has on the agenda talks focusing on the war in Ukraine and new memberships in the organization, including Sweden and Ukraine.</p>
<p>RomCom attackers are spoofing trusted software solutions to gain network access. RomCom may be related to the Cuba ransomware and Industrial Spy attacks, since all three use a similar network configuration link. However, this overlap could also be a deliberate distraction on the part of the RomCom criminals. Once installed, the RAT can collect information, capture screenshots, and export them to an offsite server.<a href="#_ftn1">[1]</a></p>
<p>Taking advantage of the event, RomCom has created malicious documents likely to be distributed to supporters of Ukraine. It appears to have dry-tested its delivery on 22 June 2023, a few days before the Command-and-Control (C&C) domain used in the campaign went live. The threat actor likely relied on spear-phishing to distribute one of the malicious documents, which uses an embedded RTF file and OLE objects to initialize an infection chain that harvests system information and delivers the RomCom remote access trojan (RAT).</p>
<p>At one stage in the infection chain, a vulnerability in Microsoft’s Support Diagnostic Tool (MSDT) – CVE-2022-30190, also known as Follina, is exploited for remote code execution (RCE).</p>
<p>According to researchers, the C&C domains and victim IPs identified during this campaign were all accessed from a single server, which has been observed connecting to known RomCom infrastructure. Based on the observed tactics, techniques, and procedures (TTPs), network infrastructure, code similarities, and other collected artifacts, BlackBerry is confident that the RomCom threat actor, or members of RomCom, are behind the cyber operation.</p>
<p>Given the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine.</p>
<p>Also tracked as Void Rabisu and Tropical Scorpius and associated with the Cuba ransomware, RomCom was believed to be financially motivated. However, recent campaigns have shown a shift in tactics and motivation, suggesting that the group is likely working for the Russian government.</p>
<p>Since at least October 2022, the threat actor’s RomCom backdoor has been used in attacks targeting Ukraine, including users of Ukraine’s Delta situational awareness program and organizations in Ukraine’s energy and water utility sectors.</p>
<p>Outside Ukraine, RomCom attacks targeted a provincial, local government helping Ukrainian refugees, a parliament member of a European country, attendees of the Munich Security Conference and the Masters of Digital conference, and a European defense company.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/russia-linked-romcom-hackers-targeting-nato-summit-guests/">https://www.securityweek.com/russia-linked-romcom-hackers-targeting-nato-summit-guests/</a></p></div>
<p>CosmicEnergy (<a href="https://redskyalliance.org/xindustry/cosmicenergy">https://redskyalliance.org/xindustry/cosmicenergy</a>), published 2023-05-30T16:05:00.000Z by Bill Schenkelberg (<a href="https://redskyalliance.org/members/BillSchenkelberg">https://redskyalliance.org/members/BillSchenkelberg</a>)</p>
<div><p>Researchers have uncovered malware designed to disrupt electric power transmission that may have been used by the Russian government in training exercises for creating or responding to cyberattacks on electric grids.</p>
<p>Known as CosmicEnergy, the malware has capabilities that are comparable to those found in malware known as Industroyer and Industroyer2, both of which have been widely attributed by researchers to Sandworm, the name of one of Russia’s most skilled and cutthroat hacking groups. Sandworm deployed Industroyer in December 2016 to trigger a power outage in Kyiv, Ukraine, that left a large swath of the city without power for an hour. The attack occurred almost a year after an earlier one disrupted power for 225,000 Ukrainians for six hours. Industroyer2 came to light last year and is believed to have been used in a third attack on Ukraine’s power grids, but it was detected and stopped before it could succeed.<a href="#_ftn1">[1]</a></p>
<p>The attacks illustrated the vulnerability of electric power infrastructure and Russia’s growing skill at exploiting it. The attack in 2015 used repurposed malware known as BlackEnergy. While the resulting BlackEnergy3 allowed Sandworm to successfully break into the corporate networks of Ukrainian power companies and further encroach on their supervisory control and data acquisition systems, the malware had no means to interface with operational technology (OT) gear directly, which was fortunate.</p>
<p>The 2016 attack was more sophisticated. It used Industroyer, a piece of malware written from scratch designed to hack electric grid systems. Industroyer was notable for its mastery of the arcane industrial processes used by Ukraine’s grid operators. Industroyer natively communicated with those systems to instruct them to de-energize and then re-energize substation lines. </p>
<p>As Wired reported: <span style="text-decoration:underline;">Russia’s Sandworm hackers attempted a third blackout in Ukraine</span></p>
<p>Industroyer was capable of sending commands to circuit breakers using any of four industrial control system protocols, and it allowed the modular components of code for those protocols to be swapped out so that the malware could be redeployed to target different utilities. The malware also included a component to disable safety devices known as protective relays—which automatically cut the flow of power if they detect dangerous electrical conditions—a feature that appeared designed to cause potentially catastrophic physical damage to the targeted transmission station's equipment when the Ukrenergo operators turned the power back on.</p>
<p>Industroyer2 contained updates to Industroyer. While ultimately failing, its use in a third attempted attack signaled that the Kremlin’s ambitions for hacking Ukrainian electric power infrastructure remained a top priority.</p>
<p>Given the history, the detection of new malware designed to cause widespread power disruptions is of concern and interest to people charged with defending the grids. The concern is ratcheted up further when the malware has potential ties back to Russia.</p>
<p>Researchers at Mandiant wrote:</p>
<p>CosmicEnergy is the latest example of specialized OT malware capable of causing cyber physical impacts, which are rarely discovered or disclosed. What makes CosmicEnergy unique is that based on our analysis, a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cyber security company. Analysis into the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware, such as Industroyer and Industroyer.v2, which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104.</p>
<p>The discovery of CosmicEnergy illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware. Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we (Mandiant) believe CosmicEnergy poses a plausible threat to affected electric grid assets. OT asset owners leveraging IEC-104 compliant devices should take action to preempt potential in the wild deployment of CosmicEnergy.</p>
<p>Currently, the link is circumstantial and mainly limited to a comment found in the code suggesting it works with software designed for training exercises sponsored by Russian authorities. Consistent with the theory that CosmicEnergy is used in so-called Red Team exercises that simulate hostile hacks, the malware lacks the ability to burrow into a network to obtain environment information that would be necessary to execute an attack. The malware includes hardcoded information object addresses typically associated with power line switches or circuit breakers, but those mappings would have to be customized for a specific attack since they differ from manufacturer to manufacturer. “For this reason, the particular actions intended by the actor are unclear without further knowledge about the targeted assets,” Mandiant researchers wrote.</p>
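<p>The hardcoded information object addresses (IOAs) described above cut both ways: an attacker has to customize them per site, and a defender who knows the site's own control points can spot commands addressed to anything else. The following is an added example, not code from this article, from Mandiant's report or from any CosmicEnergy sample. It decodes IEC 60870-5-104 APDUs far enough to recover the type identifier, cause of transmission, common address and IOA of each control command, and raises an alert when a command targets an IOA that is not in the outstation's allowlist, carries a cause of transmission other than activation or deactivation, or uses a double-command state the standard marks as not permitted. The function names (<code>parse_apdu</code>, <code>audit_commands</code>, <code>build_command</code>), the RTU at common address 1 and its control points 0x1000 and 0x1001 are all assumptions constructed for the example.</p>

```python
"""Added example (not from the article or Mandiant's report): a small
IEC 60870-5-104 monitor that decodes APDUs and flags control commands whose
information object addresses (IOAs) are not known control points of the
outstation they are addressed to. All addresses below are constructed."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# TypeID -> (name, element size in bytes) for process commands in the control
# direction, per IEC 60870-5-101/104. Time-tagged variants append a 7-byte
# CP56Time2a to the 1-byte command qualifier.
COMMAND_TYPES: Dict[int, Tuple[str, int]] = {
    45: ("C_SC_NA_1 single command", 1),
    46: ("C_DC_NA_1 double command", 1),
    47: ("C_RC_NA_1 regulating step command", 1),
    58: ("C_SC_TA_1 single command with time tag", 8),
    59: ("C_DC_TA_1 double command with time tag", 8),
}
COT_ACTIVATION = 6
COT_ALLOWED_FOR_COMMANDS = {6, 8}  # activation, deactivation


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_address: int
    objects: List[Tuple[int, bytes]] = field(default_factory=list)  # (IOA, element)


def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Decode one APDU (APCI + ASDU). Returns None for S- and U-format frames."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC-104 APDU: bad start byte")
    if frame[1] != len(frame) - 2:
        raise ValueError("APDU length field does not match frame size")
    if frame[2] & 0x01:  # control field bit 0 set: S-format (01) or U-format (11)
        return None
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id = asdu[0]
    sq, count = asdu[1] >> 7, asdu[1] & 0x7F   # variable structure qualifier
    cot = asdu[2] & 0x3F                        # low 6 bits; bit 6 = P/N, bit 7 = test
    common_address = struct.unpack_from("<H", asdu, 4)[0]  # asdu[3] is the originator address
    body = asdu[6:]
    result = Asdu(type_id, cot, common_address)
    size = COMMAND_TYPES.get(type_id, (None, None))[1]
    if size is None:
        result.objects.append((-1, body))  # not a command type: keep the body raw
        return result
    pos, base_ioa = 0, 0
    if sq:  # SQ=1: one IOA followed by `count` consecutive elements
        base_ioa = int.from_bytes(body[0:3], "little")
        pos = 3
    for i in range(count):
        if sq:
            ioa = base_ioa + i
        else:   # SQ=0: every information object carries its own 3-byte IOA
            ioa = int.from_bytes(body[pos:pos + 3], "little")
            pos += 3
        if pos + size > len(body):
            raise ValueError("information object truncated")
        result.objects.append((ioa, body[pos:pos + size]))
        pos += size
    return result


def audit_commands(frame: bytes, known_points: Dict[int, Set[int]]) -> List[str]:
    """Return alerts for control commands addressed outside the per-outstation
    allowlist, with an unexpected cause of transmission, or with an invalid
    double-command state (DCS 0 and 3 are 'not permitted' in the standard)."""
    asdu = parse_apdu(frame)
    if asdu is None or asdu.type_id not in COMMAND_TYPES:
        return []
    name = COMMAND_TYPES[asdu.type_id][0]
    alerts: List[str] = []
    if asdu.cot not in COT_ALLOWED_FOR_COMMANDS:
        alerts.append(f"{name}: unexpected COT {asdu.cot} for a command")
    for ioa, element in asdu.objects:
        if ioa not in known_points.get(asdu.common_address, set()):
            alerts.append(f"{name}: IOA {ioa} is not a known control point on CA {asdu.common_address}")
        if asdu.type_id in (46, 59) and (element[0] & 0x03) in (0, 3):
            alerts.append(f"{name}: IOA {ioa} double-command state {element[0] & 0x03} is not permitted")
    return alerts


def build_command(type_id, common_address, ioa, element, cot=COT_ACTIVATION,
                  send_seq=0, recv_seq=0) -> bytes:
    """Build a constructed I-format APDU with one information object (test input only)."""
    asdu = bytes([type_id, 0x01, cot, 0x00]) + struct.pack("<H", common_address) \
        + ioa.to_bytes(3, "little") + element
    body = struct.pack("<HH", send_seq << 1, recv_seq << 1) + asdu  # N(S), N(R) sit in bits 1-15
    return bytes([0x68, len(body)]) + body


# Constructed allowlist for a hypothetical RTU at common address 1: the only IOAs
# wired to breaker controls. A real deployment takes this from the site's
# engineering database, the per-site knowledge generic hardcoded IOAs lack.
KNOWN_POINTS: Dict[int, Set[int]] = {1: {0x1000, 0x1001}}


def demo() -> List[str]:
    frames = [
        build_command(45, 1, 0x1000, bytes([0x81])),  # select, ON, on a known breaker: no alert
        build_command(46, 1, 0x2040, bytes([0x02])),  # double command to an unmapped IOA
        build_command(46, 1, 0x1001, bytes([0x03])),  # DCS=3, not permitted by the standard
    ]
    alerts = [a for f in frames for a in audit_commands(f, KNOWN_POINTS)]
    for a in alerts:
        print(a)
    return alerts


if __name__ == "__main__":
    demo()
```

<p>Running the block prints two alerts: one for the command to IOA 8256 (0x2040), which the constructed RTU has no control point for, and one for the double command carrying state 3. The first, legitimate-looking command produces nothing, which is the point of an allowlist built from site engineering data rather than from generic address ranges: a sample that ships with addresses mapped for some other vendor's equipment shows up immediately as commands to points that do not exist.</p>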
<p><a href="#_ftnref1">[1]</a> <a href="https://arstechnica.com/information-technology/2023/05/unearthed-cosmicenergy-malware-for-causing-kremlin-style-power-disruptions/">https://arstechnica.com/information-technology/2023/05/unearthed-cosmicenergy-malware-for-causing-kremlin-style-power-disruptions/</a></p></div>
<p>Poland's Media Attacked (<a href="https://redskyalliance.org/xindustry/poland-s-media-attacked">https://redskyalliance.org/xindustry/poland-s-media-attacked</a>), published 2023-05-22T12:05:00.000Z by Bill Schenkelberg (<a href="https://redskyalliance.org/members/BillSchenkelberg">https://redskyalliance.org/members/BillSchenkelberg</a>)</p>
<div><p>Several Polish media and news websites were hit by distributed denial-of-service (DDoS) attacks that the government said could be the action of Russian hacking groups, the digitalization minister was quoted as saying on 18 May. Warsaw has positioned itself as one of Ukraine's staunchest allies since Russia invaded the country, and Poland says it frequently faces Russian attempts to destabilize the situation in the country. Moscow has consistently denied that it carries out hacking operations.</p>
<p>DDoS attacks work by directing high volumes of internet traffic towards targeted servers in a relatively unsophisticated bid to knock them offline.<a href="#_ftn1">[1]</a> "Having information that such attacks are being prepared, we immediately informed all interested editorial offices so that they had the opportunity to react to this situation," Janusz Cieszynski was quoted as saying by state-run news agency PAP. Asked whether Russian groups were behind the attacks, Cieszynski said "we have such information".</p>
<p>The Russian foreign ministry did not immediately respond to an emailed request for comment. According to PAP, the websites affected included those of daily newspapers Gazeta Wyborcza, Rzeczpospolita and Super Express.</p>
<p>Wyborcza confirmed on Twitter that it had been the victim of an attack, as did news website wPolityce.pl.</p>
<p>About a month ago, Poland arrested several Russian hackers who were tied to the past SolarWinds cyber-attack.<a href="#_ftn2">[2]</a> Russia is often known to retaliate against countries who take legal action against their hackers. </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.msn.com/en-ca/news/other/polish-news-websites-hit-by-ddos-attacks/ar-AA1bmbzr">https://www.msn.com/en-ca/news/other/polish-news-websites-hit-by-ddos-attacks/ar-AA1bmbzr</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.politico.eu/article/russian-hackers-behind-solarwinds-attack-target-eu-diplomatic-personnel/">https://www.politico.eu/article/russian-hackers-behind-solarwinds-attack-target-eu-diplomatic-personnel/</a></p></div>
<p>A Queasy EuroVision (<a href="https://redskyalliance.org/xindustry/a-queasy-eurovision">https://redskyalliance.org/xindustry/a-queasy-eurovision</a>), published 2023-05-14T14:20:00.000Z by Bill Schenkelberg (<a href="https://redskyalliance.org/members/BillSchenkelberg">https://redskyalliance.org/members/BillSchenkelberg</a>)</p>
<div><p>The risk of a cyber-attack is the “main worry” for broadcasters staging the Eurovision song contest on behalf of war-torn Ukraine, a BBC executive has said. Experts from the UK’s National Cyber Security Centre have been drafted in to help thwart any attempts by pro-Russian hackers to sabotage the competition’s public vote on Saturday.</p>
<p>The BBC’s director of unscripted programs said there was no specific intelligence about an attack but that there were “so many contingency plans” in place if it happened. She said: “I don’t want to say we’re pretty attack-proof but we’ve done everything we can to make sure the event is as secure as possible so people don’t have to worry about that.” Caution from this author: never claim to be “pretty attack-proof.” She added that the contest would have had high security in any event but the war in Ukraine meant “we have had to up it as much as we possibly can.” “Cyber-attacks are the main worry because they’re becoming more and more frequent. Most companies seem to have been hacked,” she said. “We’re very conscious that we are open to a cyber-attack but everything we’ve done I think mitigates that.”</p>
<p>The UK is hosting Eurovision for the first time in 25 years after Ukraine, which won last year’s competition, was unable to stage the event because of the Russian invasion. The BBC is producing the two semi-finals and grand final for a global television audience of more than 160 million people.</p>
<p>Organizers are especially alert to a possible cyber-attack after Italian police thwarted attempts by pro-Russian hackers to disrupt last year’s event in Turin. The hackers targeted performances by Kalush Orchestra, the Ukrainian act that won the contest.</p>
<p>In 2019, the online stream of the Eurovision semi-finals in Israel was hacked to show warnings of a missile strike and images of blasts in the host city, Tel Aviv. The government blamed Hamas.</p>
<p>The BBC said it was the first time in its history that it had produced two such big events, the UK’s king’s coronation and Eurovision, in the same week. She said security for both was tighter than for any previous national occasions in her television career.</p>
<p>“If there is an incident, there is an incident, but I think if it happened, it happened because there was nothing we could do about it,” she emphasized. The BBC has worked with 36 other national broadcasters to produce a spectacle that it hopes will appeal to a worldwide television audience as well as to new viewers in the UK.</p>
<p>The BBC said Norton, whose droll commentary is enjoyed every year by UK viewers, would mention the war in Ukraine but only to explain why the contest was being hosted in Liverpool. Viewers can expect new twists on old Eurovision traditions such as the flag parade for Saturday night’s grand finale. </p>
<p>BBC said: “If you thought you knew Eurovision, think again, because we’re taking everything up a notch. A year since it broke out, the conflict in Ukraine has changed the world, and the Guardian has covered every minute of it. BBC reporters on the ground have endured personal risk to produce more than 5,000 articles, films and podcasts. Its live blog has been expertly updated continuously and comprehensively since the outbreak of Europe’s biggest war since 1945. We know it’s crucial that we stay until the end - and beyond. There is no substitute for being there, as we did during the 1917 Russian Revolution, the Ukrainian famine of the 1930s, the collapse of the Soviet Union in 1991 and the first Russo-Ukrainian conflict in 2014. We have an illustrious, 200-year history of reporting throughout Europe in times of upheaval, peace and everything in between. We won’t let up now. Will you make a difference and support us too?”</p>
<p>Source: <a href="https://www.theguardian.com/tv-and-radio/2023/may/10/risk-of-cyber-attack-is-main-eurovision-worry-says-bbc-executive">Risk of cyber-attack is main Eurovision worry, says BBC executive | Eurovision 2023 | The Guardian</a></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p></div>The West & Ghostwriterhttps://redskyalliance.org/xindustry/the-west-ghostwriter2023-02-12T14:40:00.000Z2023-02-12T14:40:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10961632855,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10961632855,RESIZE_400x{{/staticFileLink}}" alt="10961632855?profile=RESIZE_400x" width="250" /></a>An information and hacking campaign, called Ghostwriter, with links to a foreign state has potentially had a "significant cumulative impact" over many years, according to a report from Cardiff University. The findings, from the Security, Crime and Intelligence Innovation Institute, provide the most comprehensive picture to date of the activities of the so-called Ghostwriter campaign.</p>
<p>Tracking its evolving activities via open-source data, the report demonstrates how it has impersonated multiple government officials, NATO representatives and journalists across Europe. According to the team's analysis, it has impacted thousands of email users, hacked dozens of social media accounts and media websites and published hundreds of false blog posts.<a href="#_ftn1">[1]</a></p>
<p>The integration of cyber-attacks with information manipulation has become more prominent following Russia's invasion of Ukraine. Most recently, the campaign has been engaging in cyber-attacks against Ukrainian government websites, targeting Ukrainian military and public figures on Meta's platforms, and credential phishing on Google. The report's analysis also covers incidents in Germany, Poland and Lithuania, which have already been publicized and linked to Ghostwriter by the cyber security firm Mandiant. There is widespread consensus among Western officials that the campaign is supported by either Russia, Belarus, or both.</p>
<p>Lead author Anneli Ahonen said, "Ghostwriter's activities have triggered multiple yet separate responses from governments, social media platforms, media and private cyber firms. These have focused on strategic communications to counter false narratives, public but partial attribution, improvements in cyber security, and most recently the disruption of parts of Ghostwriter's activity on Facebook and Google. "But there is no one organization with an overarching view of the scale of its activities—and so the seriousness of the threat has been poorly understood. Ghostwriter has been able to diversify its methods, targets and the countries it is focusing upon. This has potentially had a significant cumulative impact and effect, given how its various activities have persisted over several years, across multiple social media platforms."</p>
<p>Ghostwriter has been active since at least 2016. Significantly, it was not really understood as a consistent campaign until 2020. Using cyber-attacks to spread false information has become integral to its tactics. Anneli Ahonen said, "To date, much policy attention has centered on the Internet Research Agency and its interference in the US election in 2016. Ghostwriter is an example of another persistent, large-scale, and well-resourced operation, but with very different tactics to the Internet Research Agency's playbook. "Currently, cyber and influence operations are understood as separate fields, with distinct sets of expert knowledge. But the adversaries often don't make similar distinctions between the two. A more coordinated approach, which brings together both areas of research, would be a more successful way of combatting disinformation and informing the public."</p>
<p>Professor Martin Innes, director of the Security, Crime and Intelligence Innovation Institute, said, "Criminologists use the term 'linkage blindness' to describe the problems that arise when different police agencies are all engaged in investigating the same persistent perpetrator, and each investigator has only a partial view of how and why the harmful act is being committed. This concept of 'linkage blindness' describes what has happened with the response to Ghostwriter, in that different governments and organizations have been looking at different facets, but no institution is positioned to take responsibility for adopting a comprehensive approach."</p>
<p>This independent analysis draws together the publicly available open-source evidence of 34 incidents attributed to the Ghostwriter campaign between the summer of 2016 and the summer of 2021, as well as official government communications, media reports, fact-checks, and analysis from NGOs and think tanks.</p>
<p>Researchers also carried out nine semi-structured, in-depth interviews with various representatives of governments, media and civil society, who have been directly involved in responding, exposing, or analyzing these incidents. Further information was also collected on how Russian language media reported them. The report also tracks and references incidents linked to Ghostwriter after that time period—in Belarus, Germany, Lithuania, Poland, and Ukraine.</p>
<p>Opinion provided by Cardiff University</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://techxplore.com/news/2023-02-west-ill-prepared-evolving-cyber-threats.html">https://techxplore.com/news/2023-02-west-ill-prepared-evolving-cyber-threats.html</a></p></div>Cl0p and Higher .eduhttps://redskyalliance.org/xindustry/cl0p-and-higher-edu2023-02-09T13:50:00.000Z2023-02-09T13:50:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10960601287,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10960601287,RESIZE_400x{{/staticFileLink}}" width="210" alt="10960601287?profile=RESIZE_400x" /></a>The first Linux variant of the Clop ransomware was rife with issues that allowed researchers to create a decryptor tool for victims. SentinelOne said it observed the first Clop (also stylized as Cl0p) ransomware variant targeting Linux systems on 26 December 2022. Clop has existed <a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.clop">since about 2019</a>, targeting <a href="https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion">large companies</a>, <a href="https://www.bleepingcomputer.com/news/security/flagstar-bank-hit-by-data-breach-exposing-customer-employee-data/">financial institutions</a>, <a href="https://therecord.media/k-12-cyberattacks-new-mexico-ohio/">primary schools</a> and <a href="https://therecord.media/uk-water-company-confirms-cyberattack-after-confusion-over-ransomware-group-threats/">critical infrastructure</a> across the world. After the group targeted several major South Korean companies like e-commerce giant <a href="https://en.yna.co.kr/view/AEN20201122001900320">E-Land</a> in November 2020, multiple actors connected to the group <a href="https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/">were arrested in Kyiv, Ukraine</a>. 
Those arrested <a href="https://therecord.media/arrested-clop-gang-members-laundered-over-500m-in-ransomware-payments/">had laundered more than $500 million</a> from Clop and one other ransomware group.<a href="#_ftn1">[1]</a> </p>
<p>SentinelOne explained that the new Linux variant was mostly used to target educational institutions, including a university in Colombia, but had issues that defenders could exploit to help victims. “We discovered a flaw in the Linux version of Clop ransomware which enabled us to create a decryptor tool. We have not seen any new versions of the ransomware in the wild. However, we predict that the ransomware authors will likely attempt to fix the flaw in future versions, so organizations should take steps to protect themselves against the ransomware,” SentinelOne said. “We found that the Linux version of the Cl0p ransomware is in an early stage of development, suggesting that the threat actors are still manually operating and tweaking the ransomware to target specific victims. We also noticed that the ransomware had hardcoded victim-specific details, such as file paths for encryption, indicating that the threat actors had knowledge of the victim environment before launching the attack.”</p>
<p>SentinelOne <a href="https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/">published a report</a> on their findings, explaining that the Linux variant of the ransomware resembled the Windows version, using the same encryption method and process logic.<a href="#_ftn2">[2]</a> The researchers noted that the developers likely did not invest much time or resources into improving the obfuscation or evasiveness of the Linux version because many security systems could not detect it. The Windows version allowed the ransomware group to list out what folders and files should not be encrypted, but that functionality was not seen with the Linux version. The Linux version was used to target specific folders and all file types. “Rather than simply port the Windows version of Cl0p directly, the authors have chosen to build bespoke Linux payloads. We understand this to be the primary reason for the lack of feature parity between the new Linux version and the far more established Windows variant,” SentinelOne explained. “SentinelLabs expects future versions of the Linux variant to start eliminating those differences and for each updated functionality to be applied in both variants simultaneously.”</p>
<p>The Linux version also leaves the ransom note in a .txt format while the Windows version leaves the ransom note in .rtf.</p>
<p><a href="{{#staticFileLink}}10960600700,RESIZE_1200x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10960600700,RESIZE_584x{{/staticFileLink}}" alt="10960600700?profile=RESIZE_584x" width="500" /></a>A SAMPLE OF THE CLOP RANSOM NOTE.</p>
<p>SentinelOne noted that the Linux version was part of a <a href="https://therecord.media/ibm-ransomexx-becomes-latest-ransomware-group-to-create-rust-variant/">larger trend</a> among ransomware groups of creating variants of their strain.</p>
<p><a href="https://www.sentinelone.com/labs/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/">Hive</a>, <a href="https://www.youtube.com/watch?v=Ouzwu79abbs&t=5s">Qilin</a>, <a href="https://www.sentinelone.com/labs/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/">Snake</a>, <a href="https://www.sentinelone.com/labs/multi-platform-smaug-raas-aims-to-see-off-competitors/">Smaug</a>, <a href="https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/">Qyick</a> and <a href="https://therecord.media/sfile-escal-ransomware-ported-for-linux-attacks/">numerous others</a> have used Linux variants to encrypt victims. In spite of the June 2021 arrests, Clop has not stopped operating and the development of a Linux version should prompt defenders to be ready for anything, SentinelOne said. “Ransomware groups are constantly seeking new targets and methods to maximize their profits. Being widely used in enterprise environments, Linux and cloud devices offer a rich pool of potential victims,” SentinelOne said. “In recent years, many organizations have shifted towards cloud computing and virtualized environments, making Linux and cloud systems increasingly attractive targets for ransomware attacks. Therefore, ransomware groups targeting Linux and cloud systems is a natural progression in their quest for higher profits and easier targets.”</p>
<p>From SentinelOne: Over the last twelve months or so we have <a href="https://www.sentinelone.com/blog/watchtower-trends-and-top-cybersecurity-takeaways-from-2022/">continued to observe</a> the increased targeting of multiple platforms by individual ransomware operators or variants. The discovery of an ELF variant of Cl0p adds to the growing list of the likes of <a href="https://www.sentinelone.com/labs/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/">Hive</a>, <a href="https://www.youtube.com/watch?v=Ouzwu79abbs&t=5s">Qilin</a>, <a href="https://www.sentinelone.com/labs/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/">Snake</a>, <a href="https://www.sentinelone.com/labs/multi-platform-smaug-raas-aims-to-see-off-competitors/">Smaug</a>, <a href="https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/">Qyick</a> and numerous others.</p>
<p>We know that Cl0p operations have shown little if <a href="https://www.bleepingcomputer.com/news/security/clop-ransomware-is-back-in-business-after-recent-arrests/">no slow-down</a> since the <a href="https://cyberpolice.gov.ua/news/kiberpolicziya-vykryla-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shyfruvalnyka-ta-nanesenni-inozemnym-kompaniyam-piv-milyarda-dolariv-zbytkiv-2402/">disruption</a> in June 2021. While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward.</p>
<p>SentinelLabs continues to monitor the activity associated with Cl0p. SentinelOne Singularity protects against malicious artifacts and behaviors associated with Cl0p attacks including the ELF variant described in this post.</p>
<p><strong>Indicators of Compromise</strong></p>
<p><strong>YARA Rule</strong></p>
<pre><code>rule ClopELF
{
    meta:
        author = "@Tera0017/@SentinelLabs"
        description = "Temp Clop ELF variant yara rule based on $hash"
        reference = "https://s1.ai/Clop-ELF"
        hash = "09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef"
    strings:
        $code1 = {C7 45 ?? 00 E1 F5 05}
        $code2 = {81 7D ?? 00 E1 F5 05}
        $code3 = {C7 44 24 ?? 75 00 00 00}
        $code4 = {C7 44 24 ?? 80 01 00 00}
        $code5 = {C7 00 2E [3] C7 40 04}
        $code6 = {25 00 F0 00 00 3D 00 40 00 00}
        $code7 = {C7 44 24 04 [4] C7 04 24 [4] E8 [4] C7 04 24 FF FF FF FF E8 [4] C9 C3}
    condition:
        uint32(0) == 0x464c457f and all of them
}</code></pre>
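<p>The rule above combines an ELF magic check with seven hex strings that use <code>??</code> single-byte wildcards and <code>[n]</code> fixed-length jumps. The block below is an added example, not SentinelLabs' code or the yara engine: a minimal matcher that translates those exact hex strings into byte regexes, applies the same little-endian <code>uint32(0)</code> test, and scans a constructed sample buffer so a reader can see which string fires at which offset and why the rule needs both halves of its condition. The sample bytes are built for the demo and are not a Cl0p binary.</p>

```python
import re
import struct

# Hex strings copied from the ClopELF rule on this page (SentinelLabs).
CLOP_ELF_PATTERNS = {
    "$code1": "C7 45 ?? 00 E1 F5 05",
    "$code2": "81 7D ?? 00 E1 F5 05",
    "$code3": "C7 44 24 ?? 75 00 00 00",
    "$code4": "C7 44 24 ?? 80 01 00 00",
    "$code5": "C7 00 2E [3] C7 40 04",
    "$code6": "25 00 F0 00 00 3D 00 40 00 00",
    "$code7": "C7 44 24 04 [4] C7 04 24 [4] E8 [4] C7 04 24 FF FF FF FF E8 [4] C9 C3",
}

# YARA's uint32(0) reads little-endian, so the bytes "\x7fELF" compare as 0x464c457f.
ELF_MAGIC_LE = 0x464C457F

# One token of the hex-string subset this rule uses: "[n]" jump, "??" wildcard, or a byte.
_TOKEN = re.compile(r"\[(\d+)\]|\?\?|[0-9A-Fa-f]{2}")


def _tokens(pattern: str):
    """Yield one match object per token; reject syntax this matcher does not support."""
    pos = 0
    for m in _TOKEN.finditer(pattern):
        if pattern[pos:m.start()].strip():
            raise ValueError(f"unsupported hex-string syntax: {pattern[pos:m.start()]!r}")
        pos = m.end()
        yield m
    if pattern[pos:].strip():
        raise ValueError(f"unsupported hex-string syntax: {pattern[pos:]!r}")


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string into a bytes regex.

    'C7' -> that literal byte, '??' -> any one byte, '[3]' -> exactly three bytes.
    """
    parts = []
    for m in _tokens(pattern):
        if m.group(1) is not None:
            parts.append(b".{%d}" % int(m.group(1)))
        elif m.group(0) == "??":
            parts.append(b".")
        else:
            parts.append(b"\\x%02x" % int(m.group(0), 16))
    # DOTALL so '.' also matches 0x0A, which occurs freely inside binaries.
    return re.compile(b"".join(parts), re.DOTALL)


def is_elf(data: bytes) -> bool:
    """Equivalent of the rule's 'uint32(0) == 0x464c457f' check."""
    return len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == ELF_MAGIC_LE


def scan(data: bytes, patterns=CLOP_ELF_PATTERNS) -> dict:
    """Return {name: [start offsets]} for every pattern that occurs in data."""
    hits = {}
    for name, pat in patterns.items():
        offsets = [m.start() for m in hex_pattern_to_regex(pat).finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def matches_clop_elf_rule(data: bytes) -> bool:
    """The rule's condition: ELF magic AND all seven strings present."""
    return is_elf(data) and set(scan(data)) == set(CLOP_ELF_PATTERNS)


def instantiate(pattern: str, filler: int = 0x90) -> bytes:
    """Build test bytes that satisfy a pattern, filling wildcards and jumps with `filler`.

    Used only to construct the demo sample below; it is not a real binary fragment.
    """
    out = bytearray()
    for m in _tokens(pattern):
        if m.group(1) is not None:
            out.extend([filler] * int(m.group(1)))
        elif m.group(0) == "??":
            out.append(filler)
        else:
            out.append(int(m.group(0), 16))
    return bytes(out)


# Constructed sample (not a Cl0p binary): ELF magic, 60 bytes of padding, then each
# pattern once with two-byte separators, so the first string ($code1) lands at offset 64.
SAMPLE_ELF = b"\x7fELF" + b"\x00" * 60 + b"\x90\x90".join(
    instantiate(p) for p in CLOP_ELF_PATTERNS.values()
)
# The same bytes behind a non-ELF header: every string still matches, the rule does not.
SAMPLE_NOT_ELF = b"MZ" + SAMPLE_ELF[2:]

if __name__ == "__main__":
    for label, blob in (("sample_elf", SAMPLE_ELF), ("sample_not_elf", SAMPLE_NOT_ELF)):
        print(label, "is_elf=%s" % is_elf(blob), "hits=%s" % sorted(scan(blob)),
              "rule_match=%s" % matches_clop_elf_rule(blob))
```

<p>This covers only the hex-string features the ClopELF rule uses (no <code>[2-4]</code> ranges or <code>( | )</code> alternatives); to run the rule itself against real files, load it with yara-python rather than this matcher.</p>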
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/first-linux-variant-of-clop-ransomware-targeted-universities-colleges-but-was-flawed/">https://therecord.media/first-linux-variant-of-clop-ransomware-targeted-universities-colleges-but-was-flawed/</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/">https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/</a></p></div>Fusion of Special & Cyber Forceshttps://redskyalliance.org/xindustry/fusion-of-special-cyber-forces2023-01-23T17:53:33.000Z2023-01-23T17:53:33.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}10947151300,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10947151300,RESIZE_400x{{/staticFileLink}}" width="250" alt="10947151300?profile=RESIZE_400x" /></a>According to trusted government sources, there is an increasing focus on US Cyber Command (CYBERCOM) to try and replicate the ability of the US Special Operations Command (SOCOM), the unified combatant command with the mission of overseeing the elements of the special operations in the US Armed Services to bring capabilities directly into the battlespace. At a recent meeting, the chief of CYBERCOM is quoted as saying that the command is “trying to build our authorities much in the same way Special Operations Command did this.” An unnamed Congressional aide confirmed that CYBERCOM’s evolution had been modeled on the same “legislative techniques” used for SOCOM. The concept sounds reasonable, particularly as the conflicts being fought are moving to more agile and quick operations. And as one author points out, both commands can pull from their existing capabilities and space to fuse cooperation best suited to today’s information-enabled environment.<a href="#_ftn1">[1]</a></p>
<p>A mid-2022 US defense article revealed that the Army was doing something similar, trying to combine the military’s cyber, special operations, and space capabilities to create what it termed a “deterrent triad.” In this scenario, personnel are embedded together to correlate intelligence from their respective mission areas to amplify capabilities to target or deter an enemy. This seems a natural progression for the US military, which first embraced the concept of joint operations in 1993, the doctrine that governs the activities and performance of the US military across the range of operations. Incorporating cyber, space, and special operations components is a fitting complement to today’s battlespace. The U.S. Army has already conducted its first tactical exercise using cyber teams in tactical scenarios requiring specific hacking targets. The special operations commander acknowledged that the future of warfare may need more “coders” and fewer “door breakers.”</p>
<p>The fusion of various aspects of resources in pursuing strategic national objectives has garnered global attention since Russia started implementing its “hybrid warfare” strategy. Hybrid warfare is a concept that includes the synergistic fusion of conventional, irregular, and non-kinetic activities to achieve an advantage. While Russia has been at the forefront of such integration, the US looks to be behind its primary adversary, according to one prominent think tank. This is a disconcerting turn of events, given that the US appears to be firmly engaged in a non-military confrontation with China and Russia for the foreseeable future, where the soft power tenets of hybrid warfare take place in what is often termed “the gray zone.”</p>
<p>While the United States has used financial and material resources to bolster Ukraine in its conflict with Russia in its version of hybrid engagement, the combination of cyber and special operations units is Washington’s recognition that this needs to be implemented on the battlefield level as well. Special Forces’ abilities to work in small, clandestine operations and access hard targets could be a natural fit for cyber ops that require similar covert consideration, careful planning, and specialized skill sets. Additionally, these forces’ experience with working with regional communities, host country language skills, and their background in conducting influence activities are immediately relevant to non-disruptive cyber actions. The sea, air, land, space, and cyber domains are all touched by information technology, making the immersion of special and cyber forces imperative for conflicts in the future, whether to support more conventional engagements like in Ukraine or those requiring more surgical surreptitious precision.</p>
<p>And while the US works on fusing its capabilities across domains, its other significant adversary, China, is quickly adopting a similar mindset through its “Multi-Domain Precision Warfare (MDPW),” a strategy intended to align all of the Chinese resources “from cyber to space” and to counter the US Joint All-Domain Command and Control Initiative. China’s Strategic Support Force is pivotal in making the Chinese military “joint.” Its roles and responsibilities are key to harmonizing all of China’s information warfare mission areas. One US defense official described MDPW as a way to look across the domains to identify vulnerabilities and exploit them. China’s history of replicating US military practices suggests that it, too, will look to enhance its special operations forces with an offensive cyber capability as it monitors Russian and U.S. developments in this area. Given that China is embracing all-out engagement across the political, military, economic, and cultural spheres as it strives for global influence, it wouldn’t be a surprise if Beijing is looking to fast-track this capability for use worldwide.</p>
<p>Special Forces are often cross-trained in specialized disciplines to make them streamlined, self-reliant teams. While the integration of cyber operators may be necessary for the present, being able to perform more technical missions is logical in an information space-driven environment that touches all of the warfighting domains. Special operators may soon find themselves learning pen-testing techniques and other sophisticated skills. What’s more, the very secretive nature of this blended capability lends itself to overtly and covertly supporting other governments, as in the case of Ukraine, in both a military and nonmilitary capacity, and even training them. When looking at another potential hot spot area like China-Taiwan, special operations units could play an even more critical cyber role than a kinetic one, especially if hostilities fall short of armed conflict.</p>
<p>Moving forward, the Department of Defense (DoD) may look to combine CYBERCOM and SOCOM to unify special capabilities under one umbrella and one budget and independent of other DoD entities. As the Ukraine crisis has borne out, militaries will need to be able to address the complex nuances of hybrid warfare, even if conventional military operations are taking place. Not every action will or should require a kinetic response, but it may necessitate the speed, adaptability, and stealth of special operations’ proficiency. If Ukraine is any indication of future state-on-state engagement, “joint” synergy may be less critical than “blended” to achieve maximum effectiveness in pursuit of national security interests.</p>
<p> </p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www.redskyalliance.org/</li>
<li>Website: https://www.wapacklabs.com/</li>
<li>LinkedIn: https://www.linkedin.com/company/64265941</li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a> </p>
<p> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.oodaloop.com/archive/2023/01/17/the-fusion-of-special-and-cyber-forces-makes-sense/">https://www.oodaloop.com/archive/2023/01/17/the-fusion-of-special-and-cyber-forces-makes-sense/</a></p></div>War = 62% Decline in Stolen Cardshttps://redskyalliance.org/xindustry/war-62-decline-in-stolen-cards2023-01-22T14:20:00.000Z2023-01-22T14:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10945933054,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10945933054,RESIZE_400x{{/staticFileLink}}" alt="10945933054?profile=RESIZE_400x" width="250" /></a>The Russian invasion of Ukraine in early 2022 appears to have led to a double-digit decrease in stolen payment card records published to the dark web, according to researchers.</p>
<p>In a recent report, investigators analyzed detailed threat intelligence gleaned from the cybercrime underground. The report recorded a 24% year-on-year decrease in the volume of card-not-present records on dark web carding shops in 2022, to 45.6 million, and a 62% slump in card-present records, to 13.8 million.</p>
<p>Researchers traced this significant decline to two key events at the start of the year. The first was an unexpected crackdown by the Russian state on cybercrime groups, which included arrests of suspected members of the REvil ransomware collective. “The governing theory is that Russia sought to signal its intent to cooperate with the West against cybercrime should the West acquiesce to Russian demands regarding Ukraine,” the report claimed.<a href="#_ftn1">[1]</a></p>
<p>Whatever its intent, the clampdown had a chilling impact on card fraud from the second half of February to April, including the shuttering of several top-tier carding shops, Recorded Future said.</p>
<p>However, what came next arguably had an even bigger impact. “After April, slack carding demand and depressed volumes of ‘fresh’ records were likely a result of Russia’s war,” the report continued. “It is highly likely that the war has significantly impacted Russian and Ukrainian threat actors’ ability to engage in card fraud as a result of mobilization, refugee and voluntary migration, energy instability, inconsistent internet connectivity and deteriorated server infrastructure. Russian-occupied areas of the Donbas region of Ukraine were long suspected to have hosted cyber-criminal server infrastructure.”</p>
<p>As a result, the future of the card fraud market will depend on external events, the report concluded. “Should Russia’s unprovoked war in Ukraine continue, the factors influencing regional threat actors’ ability to engage in card fraud will likely persist, and threat actors’ ability to engage in card fraud will remain lower than before the war, even as they continue to adapt,” it noted. “If the war should end, monitoring the region’s post-war economies will be crucial to determine whether the conditions and incentives exist for a renewal or possibly even an increase in card fraud activity.”</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www.redskyalliance.org/</li>
<li>Website: https://www.wapacklabs.com/</li>
<li>LinkedIn: https://www.linkedin.com/company/64265941</li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.infosecurity-magazine.com/news/russias-ukraine-62-slump-stolen/">https://www.infosecurity-magazine.com/news/russias-ukraine-62-slump-stolen/</a></p></div>Weekly Cyber Intel Report - All Sector 10 14 2022https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-10-14-20222022-10-14T14:17:10.000Z2022-10-14T14:17:10.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><h2><span style="font-size:12pt;"><a href="{{#staticFileLink}}10841887054,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10841887054,RESIZE_400x{{/staticFileLink}}" width="250" alt="10841887054?profile=RESIZE_400x" /></a>Activity Summary - Week Ending on 14 October 2022:</span></h2>
<ul>
<li>Red Sky Alliance identified 26,570 connections from new IPs checking in with our Sinkholes</li>
<li>Netskope IAD hit 56x</li>
<li>Analysts identified 556 new IP addresses participating in various Botnets</li>
<li>Bisamware and Chile Locker</li>
<li>njRat, a.k.a. Bladabindi</li>
<li>Emotet 2022</li>
<li>Singtel</li>
<li>Pinnacle Hack</li>
<li>Ukraine War</li>
<li>Optus Part II</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}10841887661,original{{/staticFileLink}}">IR-22-288-001_weekly288.pdf</a></p></div>Themed Excel File Delivers Multi-Stage Cobalt Strike Loaderhttps://redskyalliance.org/xindustry/themed-excel-file-delivers-multi-stage-cobalt-strike-loader2022-10-12T17:43:47.000Z2022-10-12T17:43:47.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10840156473,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10840156473,RESIZE_400x{{/staticFileLink}}" width="250" alt="10840156473?profile=RESIZE_400x" /></a>Our friends at FortiGuard Labs have observed an increasing number of campaigns targeting either side of the ongoing Russian-Ukrainian conflict. These may be a cyber element to the conflict or simply opportunistic threat actors taking advantage of the war to further their malicious objectives. Recently, researchers encountered a malicious Excel document masquerading as a tool to calculate salaries for Ukrainian military personnel. The shared practical report discusses the technical details of this document that, when triggered, executes evasive multi-stage loaders, eventually leading to Cobalt Strike Beacon malware being loaded onto the victim’s device.</p>
<p>Link to full technical report: <a href="{{#staticFileLink}}10840156459,original{{/staticFileLink}}">IR-22-286-001_CobaltStrike.pdf</a> </p></div>NATO and the Dark Webhttps://redskyalliance.org/xindustry/nato-and-the-dark-web2022-09-05T17:20:32.000Z2022-09-05T17:20:32.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}10804163868,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10804163868,RESIZE_400x{{/staticFileLink}}" alt="10804163868?profile=RESIZE_400x" width="250" /></a>Just what is for sale on the Dark Web? According to a published report, the North Atlantic Treaty Organization (NATO) is investigating the leak of data reportedly stolen from a European missile systems firm, which hackers have put up for sale on the Dark Web. The leaked data includes blueprints of weapons used by Ukraine in its current war with Russia. Integrated defense company MBDA Missile Systems, headquartered in France, has acknowledged that data from its systems is a part of the cache being sold by threat actors on hacker forums after what appears to be a ransomware attack.<a href="#_ftn1">[1]</a></p>
<p>Contradicting the cyber actor’s claims in their ads, nothing up for sale is classified information, MBDA said. It added that the data was acquired from a compromised external hard drive, not the company's internal networks. NATO, meanwhile, is "assessing claims relating to data allegedly stolen from MBDA," a NATO official reported. "We have no indication that any NATO network has been compromised," the official said.</p>
<p>MBDA acknowledged in early August 2022 that it was "the subject of a blackmail attempt by a criminal group that falsely claims to have hacked the company's information networks" in a post on its website. According to the post, the company refused to pay the ransom, and thus the data was leaked for sale online.</p>
<p>Threat actors are selling 80GB of stolen data on both Russian and English language forums with a price tag of 15 Bitcoins, which is about $297,279, according to a report from the BBC, which broke the news about the NATO investigation. It has been reported that cybercriminals claim to have already sold data to at least one buyer.</p>
<p>According to the report, NATO is investigating one of the firm's suppliers as the possible source of the breach. MBDA is a joint venture between three key shareholders: AirBus, BAE Systems, and Leonardo. Though the company operates out of Europe, it has subsidiaries worldwide, including MBDA Missile Systems in the United States. The company is working with authorities in Italy, where the breach occurred. MBDA reported $3.5 billion in revenue last year and counted NATO, the US military, and the UK Ministry of Defense among its customers.</p>
<p>Hackers claimed in their ad for the leaked data to have "classified information about employees of companies that took part in the development of closed military projects," as well as "design documents, drawings, presentations, video and photo materials, contract agreements, and correspondence with other companies," according to the BBC.</p>
<p>Among the sample files in a 50-megabyte stash viewed by the BBC is a presentation appearing to provide blueprints of the Land Ceptor Common Anti-Air Modular Missile (CAMM), including the precise location of the electronic storage unit within it. According to the report, one of these missiles was recently sent to Poland for use in the Ukraine conflict as part of the Sky Sabre system and is currently operational.</p>
<p>This might provide a clue about the motive of threat actors; advanced persistent threats (APTs) aligned with Russia began hitting Ukraine with cyberattacks even before the Russian official invasion on 24 February 2022. After the conflict on the ground began, threat actors continued to subject Ukraine to a cyber war to support the Russian military efforts.</p>
<p>The sample data viewed by the BBC also included documents labeled "NATO CONFIDENTIAL," "NATO RESTRICTED," and "Unclassified Controlled Information," according to the report. At least one stolen folder contains detailed drawings of MBDA equipment. The cybercriminals also sent email documents to the BBC, including two marked "NATO SECRET," according to the report. The hackers did not confirm whether the material had come from a single source or more than one hacked source.</p>
<p>Nonetheless, MBDA insists that the verification processes that the company has executed so far "indicate that the data made available online are neither classified data nor sensitive."</p>
<p>This raises a question for all readers: “What data from your company is already for sale on the Dark Web?” Interested in finding out? Please contact us and ask about our RedPane service.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a> </p>
<p> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.oodaloop.com/briefs/2022/08/30/nato-investigates-dark-web-leak-of-data-stolen-from-missile-vendor/">https://www.oodaloop.com/briefs/2022/08/30/nato-investigates-dark-web-leak-of-data-stolen-from-missile-vendor/</a></p></div>Cyber-Attack against Zaporizhzhiahttps://redskyalliance.org/xindustry/cyber-attack-against-zaporizhzhia2022-08-19T14:12:23.000Z2022-08-19T14:12:23.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10778400060,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10778400060,RESIZE_400x{{/staticFileLink}}" width="250" alt="10778400060?profile=RESIZE_400x" /></a>The Ukrainian energy agency responsible for the oversight and safe operation of the nation’s nuclear power plants said earlier this week that Russian hackers had launched their most ambitious effort yet on the company’s official website. The attack appeared to fail and there was no indication that it threatened to disrupt the Ukrainian power grid or the company’s oversight of the nation’s 15 working nuclear reactors.</p>
<p>The company, Energoatom,<a href="#_ftn1">[1]</a> said it had managed to keep the attack from being visible to users of the website. Even so, it was a reminder of the digital threat posed to the power infrastructure in Ukraine, where the shelling of the Zaporizhzhia Nuclear Power Plant has stirred global alarm.<a href="#_ftn2">[2]</a></p>
<p>Ukraine’s power grid has been knocked offline twice before, in 2015 and 2016, causing widespread blackouts, and Russian efforts to attack the Energoatom site are being closely watched in case they presaged a larger event.</p>
<p>Large-scale cyber-attacks against Ukraine, like knocking out its power grid or frying cellular service, were what Western intelligence officials predicted would accompany the Russian invasion, yet they failed to materialize. Russia has, however, used hacking campaigns in support of its military ground campaign, pairing malware with missiles in several attacks, including strikes on TV stations and government agencies, according to a report released by Microsoft in April of this year.</p>
<p>Ukrainian officials said this spring that they had thwarted a cyberattack on Ukraine’s power grid that could have knocked out power to two million people, raising fears that Moscow was continuing to persist in its digital efforts to advance its military campaign.</p>
<p>The daily shelling targeting the Zaporizhzhia complex, which is Europe’s largest nuclear power plant, has sparked international concerns about the possibility of a radiological meltdown. The United Nations has offered to help send nuclear inspectors to the site, which is currently occupied by Russian forces but still operated by Ukrainian workers, if both sides agree.</p>
<p>It remains unclear who is to blame for the shelling. The Ukrainians have accused the Russians of directing strikes there to cut off energy supplies to other cities, while the Russians say Ukraine is responsible for the attacks.</p>
<p>On 16 August, the French president and the Ukraine president spoke by telephone about safety threats and concerns at the Zaporizhzhia plant. According to a statement from France, its president stressed his concern about the impact of “ongoing clashes on the safety and security of Ukrainian nuclear facilities” and called for the withdrawal of Russian forces. </p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> http://www.atom[.]gov.ua/</p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.nytimes.com/2022/08/16/world/europe/the-operator-of-ukraines-nuclear-plants-says-it-faced-an-ambitious-cyberattack.html">https://www.nytimes.com/2022/08/16/world/europe/the-operator-of-ukraines-nuclear-plants-says-it-faced-an-ambitious-cyberattack.html</a></p></div>BOT Farm Take-Downhttps://redskyalliance.org/xindustry/bot-farm-take-down2022-08-06T18:02:32.000Z2022-08-06T18:02:32.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10752642088,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10752642088,RESIZE_400x{{/staticFileLink}}" width="250" alt="10752642088?profile=RESIZE_400x" /></a>Even in the middle of a war, Ukrainian law enforcers claim to have dismantled a large bot farm used by Russian special services to spread disinformation and propaganda in the country. The Secret Service of Ukraine (SSU) said the million-strong bot farm was used to “spin destabilizing content” on the country’s military and political leadership to an audience of over 400,000.</p>
<p>This included fake news on the situation at the front, an alleged conflict between the President’s Office and the commander-in-chief of Ukraine’s armed forces, and a campaign to discredit the first lady. A Russian citizen and ‘political expert’ based in Kyiv was unmasked as the leader of the operation. With his help, the group automated the management of a large number of bot accounts on social media, using equipment based in Kyiv, Kharkiv and Vinnytsia, the SSU spokesman said. This operation included 5000 SIM cards used to register new accounts, and 200 proxy servers designed to spoof IP addresses and circumvent Internet blocks.<a href="#_ftn1">[1]</a></p>
<p>“Today, the information front is no less important than military operations. And Russia understands this very well, and that’s why they throw such massive resources to divide Ukrainian society. Bot farms, pseudo-experts, information and psychological operations, enforcing pro-Russian messages: all this is in the enemy’s arsenal,” argued the acting SSU chief. “The adversary tries to use any opportunity to fuel internal strife or manipulate public opinion. Unfortunately, consciously or unconsciously, some Ukrainian political forces play along with the enemy and put their own ambitions above state interests. However, we are countering these destructive activities.”</p>
<p>Ukraine claims to have “neutralized” 1200 cyber-incidents and cyber-attacks on government and strategic critical infrastructure since the start of the war. Russian propaganda efforts continue, not just inside Ukraine but also in a bid to sway public opinion among its allies.</p>
<p>During July 2022, Recorded Future claimed that Moscow is running multiple info ops campaigns designed to sow division in the West. In March of this year, authorities exposed a bot farm in Odesa used to create fake accounts spreading online propaganda and hate speech about Ukraine. A month earlier, Ukraine’s law enforcement uncovered a bot farm in Lviv that spread “destructive content” about Ukraine. The farm was operated by Russian intelligence.<a href="#_ftn2">[2]</a></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.infosecurity-magazine.com/news/ukraine-shutters-major-russian-bot/">https://www.infosecurity-magazine.com/news/ukraine-shutters-major-russian-bot/</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.kyivpost.com/technology/security-service-busts-russia-backed-bot-farm-attacking-crimea-platform.html">https://www.kyivpost.com/technology/security-service-busts-russia-backed-bot-farm-attacking-crimea-platform.html</a></p></div>Weekly Cyber Intel Report - All Sector 07 29 2022https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-07-29-20222022-07-29T15:24:30.000Z2022-07-29T15:24:30.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><h2><a href="{{#staticFileLink}}10733059301,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10733059301,RESIZE_400x{{/staticFileLink}}" width="200" alt="10733059301?profile=RESIZE_400x" /></a>Activity Summary - Week Ending on 29 July 2022:</h2>
<ul>
<li>Red Sky Alliance identified 25,992 connections from new IPs checking in with our Sinkholes</li>
<li>Hetzner 10x</li>
<li>Analysts identified 309 new IP addresses participating in various Botnets</li>
<li>Ransomware UpDate</li>
<li>Adversary-in-the-Middle - AiTM</li>
<li>South Africa under Attack</li>
<li>Mercenary Spyware</li>
<li>T-Mobile</li>
<li>US Electric Grid</li>
<li>Kherson Ukraine</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}10733059452,original{{/staticFileLink}}">IR-22-210-002_weekly210.pdf</a></p></div>Russians Only: Ransomware Opportunityhttps://redskyalliance.org/xindustry/russians-only-ransomware-opportunity-22022-07-25T19:03:37.000Z2022-07-25T19:03:37.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}10669951688,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10669951688,RESIZE_400x{{/staticFileLink}}" alt="10669951688?profile=RESIZE_400x" width="250" /></a>A new cross-platform ransomware named Luna can encrypt files on Windows, Linux, and ESXi, but its developers only offer it to Russian-speaking affiliates. The ransomware is fairly simple, according to researchers who analyzed the malware, but it uses an encryption scheme that is not typically used by ransomware: a combination of X25519 elliptic curve Diffie-Hellman key exchange using Curve25519 with the Advanced Encryption Standard (AES) symmetric encryption algorithm. The Diffie-Hellman key exchange, also called an exponential key exchange, is a method of digital encryption that uses numbers raised to specific powers to produce decryption keys based on components that are never directly transmitted, making the task of a would-be code breaker mathematically overwhelming.</p>
<p>Luna, Russian for the moon, is developed in Rust, which makes it easy to port to different platforms and can also help it evade static analysis. Luna further confirms the latest trend among cybercrime gangs of developing cross-platform ransomware in languages like Rust and Golang to create malware capable of targeting multiple operating systems with little to no changes.</p>
<p>See: <a href="https://www.rust-lang.org/">https://www.rust-lang.org/</a> and <a href="https://go.dev">https://go.dev</a></p>
<p>Investigators have reported that the Linux and ESXi samples are compiled using the same source code with minor changes from the Windows version. For example, if the Linux samples are executed without command line arguments, they will not run. Instead, they will display available arguments that can be used. The rest of the code has no significant changes from the Windows version.</p>
<p>While many ransomware developers are prepared to allow people from all around the world to use their creativity to make a profit, cybercrime forum posts advertising Luna say the malware is only available to Russian-speaking affiliates. Based on this and the mistakes in the English-language ransom note, the researchers assume that Luna was developed by Russian speakers.</p>
<p>After Russia launched its invasion of Ukraine, several Russian cybercrime groups started targeting organizations located in countries that oppose Russia’s actions, and some groups even openly expressed support for their government. It is not surprising that a Russian group wants to only work with local cybercriminals.</p>
<p>In addition, it is becoming increasingly common for ransomware to target ESXi servers. In May 2022, Trend Micro reported seeing Cheerscrypt, Linux-based ransomware apparently based on leaked Babuk source code.</p>
<p>The Black Basta ransomware, which emerged earlier this year and has been linked to the Conti gang, has also targeted ESXi virtual machine images, as well as Linux systems. The recently emerged RedAlert ransomware has also targeted ESXi servers.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/new-black-basta-ransomware">https://redskyalliance.org/xindustry/new-black-basta-ransomware</a></p>
<p>Other new ransomware families that have been recently reported include Lilith, C/C++ console-based ransomware targeting 64-bit Windows devices, and 0mega, a new ransomware operation targeting enterprises since May 2022 and demanding millions of dollars in ransoms. Both are known for stealing data from victims' networks before encrypting their systems to support their double-extortion attacks.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that offers technical reports like this from our friends at Microsoft. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p></div>
Weekly Cyber Intel Report - All Sector 07 01 2022 https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-07-01-2022 2022-07-01T15:33:27.000Z 2022-07-01T15:33:27.000Z Bill Schenkelberg https://redskyalliance.org/members/BillSchenkelberg
<div><h2><a href="{{#staticFileLink}}10614408283,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10614408283,RESIZE_400x{{/staticFileLink}}" width="250" alt="10614408283?profile=RESIZE_400x" /></a>Activity Summary - Week Ending on 1 July 2022:</h2>
<ul>
<li>Red Sky Alliance identified 40,622 connections from new IP’s checking in with our Sinkholes</li>
<li>MS hit 45 x – 2<sup>nd</sup> week</li>
<li>Analysts identified 1,801 new IP addresses participating in various Botnets</li>
<li>DeadLocker</li>
<li>Symbiote</li>
<li>Killnet</li>
<li>СПИСОК_посилань_на_інтерактивні_карти[.]docx</li>
<li>Apple, Google and the US FTC</li>
<li>Guns and California Data Hacks</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}10614408486,original{{/staticFileLink}}">IR-22-182-001_weekly182.pdf</a></p></div>
Full Scale Cyber War https://redskyalliance.org/xindustry/full-scale-cyber-war 2022-06-18T15:20:40.000Z 2022-06-18T15:20:40.000Z Bill Schenkelberg https://redskyalliance.org/members/BillSchenkelberg
<div><p><a href="{{#staticFileLink}}10579688677,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10579688677,RESIZE_400x{{/staticFileLink}}" width="250" alt="10579688677?profile=RESIZE_400x" /></a>Ever since the beginning of the Internet Age, the potential to weaponize digital technologies as tools of international aggression has been known. This was exposed by Russia’s 2007 cyber-attack on Estonia, which was widely recognized as the first such act by one state against another. In 2016, NATO officially recognized cyberspace as a field of military operations alongside the more traditional domains of land, sea and air.</p>
<p>The current Russia-Ukraine War demonstrates the next major milestone in our rapidly developing understanding of cyber security. It is now becoming increasingly apparent that the invasion unleashed by Vladimir Putin on 24 February is the world’s first full-scale cyberwar. It will take many years to fully digest the lessons of this landmark conflict and assess the implications for the future of international security. However, it is already possible to draw several preliminary conclusions that have consequences for individuals, organizations and national governments around the world.</p>
<p>The current war has confirmed that while Russian hackers often exist outside of official state structures, they are highly integrated into the country’s security apparatus and their work is closely coordinated with other military operations. Much as mercenary military forces such as the Wagner Group are used by the Kremlin to blur the lines between state and non-state actors, hackers form an unofficial but important branch of modern Russia’s offensive capabilities.</p>
<p>One month before the current invasion began, hackers hit Ukraine with a severe cyber-attack designed to weaken government structures and prepare the ground for the coming offensive. Critical infrastructure was targeted along with private data in a bid to undermine Ukraine’s ability to defend itself.</p>
<p>Again and again during the first few months of the conflict, we have witnessed the coordination of cyber operations with more conventional forms of warfare. On one entirely typical occasion, a cyber-attack on the Odesa City Council in southern Ukraine was timed to coincide with cruise missile strikes against the city. </p>
<p>Just as the Russian army routinely disregards the rules of war, Russian hackers also appear to have no boundaries regarding legitimate targets for cyber-attacks. Popular targets have included vital non-military infrastructure such as energy and utilities providers. Hospitals and first responders have been subjected to cyber-attacks designed to disrupt the provision of emergency services in the immediate aftermath of airstrikes. As millions of Ukrainian refugees fled the fighting during the first month of the war, hackers attacked humanitarian organizations.</p>
<p>Individuals are also targets. Every Ukrainian citizen is potentially at risk of cyber-attack, with hacked personal data providing the Russian security services with opportunities to gain backdoor access to Ukrainian organizations and identify potential opponents or prepare tailored propaganda campaigns.</p>
<p>The scale of the cyber warfare currently being conducted against Ukraine is unprecedented but not entirely unexpected. Large-scale attacks began during the 2013-14 Euromaidan protests and initially enjoyed considerable success. This was followed by more ambitious attempts to hack into the Ukrainian electricity grid and spark power blackouts. Then came the Petya and NotPetya international cyber-attacks of 2016-17, which centered on Ukraine and caused huge global disruption.</p>
<p>It is clear that Russia’s current cyber offensive involves cybercriminals working in cooperation with military personnel while enjoying access to official intelligence data. This approach is relatively cheap, with cybercriminals often able to finance their operations using standard cyber fraud techniques. The idea of collaboration between the state and criminal elements is also nothing new. However, it is noteworthy that in this case, the state in question has a permanent seat on the United Nations Security Council.</p>
<p>Perhaps the single most important outcome of the cyberwar so far is that we now have a much better picture of the enemy. We are able to see the threats posed by Russia and also assess Moscow’s limitations. Just as naval threats are countered by missiles and mines, cyber security is achievable given sufficient knowledge and resources.</p>
<p>Ukraine has come under unprecedented cyber-attack on a daily basis for more than a quarter of a year, but the Ukrainian authorities have managed to maintain basic utility services for the vast majority of the country. Even more striking is the fact that mobile communications and internet connection disruption has been minimal. In many instances, Ukrainians have been able to access online information while under Russian bombardment.</p>
<p>One key lesson from the past few months is the need for everyone to take responsibility for their own cyber security. This applies to individuals and organizations alike. Neglecting cyber security risks creating weak links in wider systems which can have disastrous consequences for large numbers of people. Likewise, businesses should not rely on the state to take care of cyber security and should be prepared to invest in sensible precautions. This can no longer be viewed as an optional extra.</p>
<p>International cooperation is also vital for strong cyber security. Ukraine has received invaluable support from a number of partner countries while sharing its own experience and expertise. Much as the internet itself does not recognize national boundaries, the most successful cyber security efforts are also international in nature.</p>
<p>The Russian invasion of Ukraine has underlined the expansion of the modern battlefield to include almost every aspect of everyday life. The rise of the internet and the increasing ubiquity of digital technologies means that virtually anything from water supplies to banking services can and will be weaponized.</p>
<p>For years, the Kremlin has been developing the tools to carry out such attacks. The international community was slow to recognize the true implications of this strategy and is now engaged in a desperate game of catch-up. The war in Ukraine has highlighted the military functions performed by hackers and the centrality of cyber-attacks to modern warfare. Restricting Russian access to modern technologies should therefore be viewed as an international security priority.</p>
<p>The Russo-Ukrainian War is the world’s first full-scale cyberwar, but it will not be the last. On the contrary, all future conflicts will have a strong cyber component. For a nation to survive, cyber security will be just as important as maintaining a strong conventional military.</p>
<p>Author Yurii Shchyhol is head of Ukraine’s State Service of Special Communications and Information Protection.<a href="#_ftn1">[1]</a></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.stopfake.org/en/vladimir-putin-s-ukraine-invasion-is-the-world-s-first-full-scale-cyberwar/">https://www.stopfake.org/en/vladimir-putin-s-ukraine-invasion-is-the-world-s-first-full-scale-cyberwar/</a></p></div>
Starlink to the Rescue https://redskyalliance.org/xindustry/starlink-to-the-rescue-1 2022-05-16T18:31:59.000Z 2022-05-16T18:31:59.000Z Bill Schenkelberg https://redskyalliance.org/members/BillSchenkelberg
<div><p><a href="{{#staticFileLink}}10491226470,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10491226470,RESIZE_400x{{/staticFileLink}}" width="250" alt="10491226470?profile=RESIZE_400x" /></a>Tesla Inc. CEO Elon Musk said SpaceX’s high-speed Internet service, Starlink, has held out against Russia’s cyberwar tactics amid the country’s ongoing invasion of Ukraine.</p>
<p><strong>What Happened</strong> - Musk said last week that Starlink has resisted Russia’s “jamming & hacking attempts,” even as the Vladimir Putin-led country is ramping up efforts. Musk linked his comment to a Reuters report that said Russia was behind a massive cyberattack against a satellite internet network that took tens of thousands of modems offline at the onset of the war.</p>
<p><strong>Why It Matters</strong> - SpaceX has donated thousands of satellite internet kits to Ukraine since the country’s plea to Musk in February to provide those stations. Ukraine’s Vice Prime Minister said earlier this month that Starlink has around 150,000 active users per day. The service beams high-speed internet down from satellites in orbit, especially to remote areas, including those ravaged by war or natural calamity. Musk was reportedly close to commercially launching Starlink in Ukraine months ahead of Russia’s invasion. Starlink has plans to launch 4,425 satellites into orbit by 2024.</p>
<p>Musk has said that the chief of Russia’s space agency threatened him with consequences for providing Starlink internet terminals to Ukrainian forces.<a href="#_ftn1">[1]</a> “Elon Musk, thus, is involved in supplying the fascist forces in Ukraine with military communication equipment,” Dmitry Rogozin, head of Russia’s space agency Roscosmos, said in a message to Russian media, according to a translation provided by Musk. “And for this, Elon, you will be held accountable like an adult—no matter how much you’ll play the fool.” Musk commented on the exchange with a dose of dark humor, saying in a tweet, “If I die under mysterious circumstances, it’s been nice knowin ya.” Rogozin posted the series of messages on his Telegram channel, including Musk’s joke.</p>
<p>Days after Russia’s invasion of Ukraine in late February, Musk announced that SpaceX’s Starlink, a satellite broadband service, began providing Internet to Ukrainians. While Starlink delivered an information lifeline to darkened swaths of the war-torn country, including to hundreds of hospitals and clinics, it also served as a link to enable Ukrainian military drones to target Russian tanks and positions more effectively. </p>
<p>A Ukrainian soldier identified as Dima, whose last name was withheld for security reasons, told journalists that “Starlink is what changed the war in Ukraine’s favor. Russia went out of its way to blow up all our comms. Now they can’t. Starlink works under Katyusha fire, under artillery fire. It even works in Mariupol.”</p>
<p>While it’s unclear how crucial Starlink has been to Ukraine’s military efforts, a report in the British news outlet The Telegraph suggested Musk’s technology was helping Ukraine “win the drone war.”</p>
<p>Shortly after Musk’s announcement regarding supplying Ukraine with Starlink, Rogozin issued a strongly worded statement similar in tone to the one that prompted Musk to suggest his life is under threat. “This is the West that we should never trust. When Russia implements its highest national interests on the territory of Ukraine, Elon Musk appears with his Starlink which was previously declared as purely civilian,” Rogozin said. “I warned about it, but our ‘muskophiles’ said he is the light of world cosmonautics. Here, look, he has chosen the side.”</p>
<p><strong>‘Restoring the Destroyed Territories’</strong> - Starlink uses thousands of small satellites in orbit about 340 miles above the Earth’s surface to beam down high-speed internet, especially to remote areas, including ones hit by natural calamities or ravaged by war. As the Russia–Ukraine conflict entered its 70th day on 2 May, Ukraine’s Vice Prime Minister revealed the number of users that are relying on Starlink. “Rough data on Starlink’s usage: around 150K active users per day. This is crucial support for Ukraine’s infrastructure and restoring the destroyed territories,” Ukraine’s authorities wrote in a post on Twitter.</p>
<p>While a number of platforms have taken action against Russian media outlets in the wake of the invasion, Musk has said that his company would not follow. “Starlink has been told by some governments (not Ukraine) to block Russian news sources. We will not do so unless at gunpoint,” Musk wrote in a post on Twitter. “Sorry to be a free speech absolutist.”</p>
<p>Musk has embarked on a free speech crusade of sorts, seeking to buy Twitter, reform what he has described as the platform’s opaque moderation policies, and transform the social media giant into an “inclusive arena for free speech.”</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and wishes to share cyber security views from across the globe. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://link.theepochtimes.com/mkt_app/elon-musk-threatened-by-russias-space-agency-chief-over-starlink-in-ukraine_4454210.html/">https://link.theepochtimes.com/mkt_app/elon-musk-threatened-by-russias-space-agency-chief-over-starlink-in-ukraine_4454210.html/</a></p></div>
Pandas Attacking Bears ? https://redskyalliance.org/xindustry/pandas-attacking-bears 2022-05-04T21:45:23.000Z 2022-05-04T21:45:23.000Z Jim McKee https://redskyalliance.org/members/JimMcKee
<div><p><a href="{{#staticFileLink}}10464656892,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10464656892,RESIZE_400x{{/staticFileLink}}" width="250" alt="10464656892?profile=RESIZE_400x" /></a>When one of your enemies begins attacking another of your enemies, does this mean that your first enemy is now an ally? I will let the philosophers answer this question. A China-linked state-sponsored cyberespionage group has started targeting the Russian military in recent attacks, which aligns with China’s interests in the Russia-Ukraine war. Tracked as Mustang PANDA, Bronze President, RedDelta, HoneyMyte, Red Lich and TA416, the government-backed hacking group previously focused mainly on the Southeast Asian region, with some attacks targeting Europe and the United States.</p>
<p>This threat actor targets non-governmental organizations using Mongolian-themed lures for espionage purposes. In April 2017, researchers observed a previously unattributed actor group with a Chinese nexus targeting a US-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia.</p>
<p>These campaigns involve the use of shared malware like <u>Poison Ivy</u> or <u>PlugX</u>. Recently, analysts observed new activity from Mustang PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, Mustang PANDA actors reused previously-observed legitimate domains to host files.</p>
<p>Over the past several months, however, in line with the escalating tensions between Russia and Ukraine, Mustang PANDA switched to targeting European diplomats with an updated variant of the PlugX backdoor. A recently captured malicious file shows that Mustang Panda has started targeting Russian military personnel close to the Chinese border.</p>
<p>The malicious file has the Russian name of “Blagoveshchensk - Blagoveshchensk Border Detachment,” which uses a PDF icon for credibility, but has an EXE extension. Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This connection suggests that the filename was chosen to target officials or military personnel familiar with the region.</p>
<p>When launched, the malicious file fetches four files from a staging server, including a decoy document written in English, a legitimate executable from UK-based Global Graphics Software Ltd, a malicious DLL downloader, and an encrypted payload, which the researchers believe is the PlugX malware. The decoy document, which appears legitimate, discusses the current situation in countries around Belarus (Lithuania, Latvia, and Poland), as well as the sanctions that the European Union (EU) has imposed on Belarus starting in March 2022.</p>
<p>Investigators point out that the remaining three files are typically used by Mustang PANDA to execute PlugX on the victim’s machine, via DLL search order hijacking. Once installed on a victim’s machine, PlugX allows attackers to harvest and exfiltrate sensitive information, download and upload files, and execute a remote command shell.</p>
<p>The staging server of the malicious file connects to what was previously used in attacks on European diplomats, as well as in another campaign attributed to the cyberespionage group, which can also be linked to Mustang PANDA activity from 2020. Bronze President appears to be changing its targeting in response to the political situation in Europe and the war in Ukraine. […] Targeting Russian-speaking users and European entities suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has been tracking both Chinese and Russian hackers for years. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
</div>
APTs on a Power Trip https://redskyalliance.org/xindustry/apts-on-a-power-trip 2022-04-19T18:14:09.000Z 2022-04-19T18:14:09.000Z Michael Brousseau https://redskyalliance.org/members/MichaelBrousseau
<div><p><a href="{{#staticFileLink}}10401512465,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10401512465,RESIZE_400x{{/staticFileLink}}" width="250" alt="10401512465?profile=RESIZE_400x" /></a>The Sandworm Group, a Russia-based APT that recently made headlines when its botnet of machines infected with Cyclops Blink malware was taken down by the US Department of Justice, has been busy crafting attacks targeting the Ukrainian power grid. The Computer Emergency Response Team of Ukraine (CERT-UA) had to step in and take action to thwart the attack on the country’s energy facilities. Blame for the attack has been placed on Sandworm, acting in support of Russian military actions in Eastern Ukraine. The Slovakian cybersecurity firm ESET stated that the Russian attacks on the Ukrainian power grid attempted to cause a blackout that would affect two million people.</p>
<p>The attackers attempted to destroy computers using wiper malware crafted to infect specific targets and erase data, rendering the machines useless. Multiple strains of wiper malware have been used in attacks against Ukraine since the beginning of the conflict; however, the wiper used in the power grid attacks is a new variant.</p>
<p>The new wiper malware, called CaddyWiper, was first observed on 14 March 2022 and differs from HermeticWiper and IsaacWiper in that it does not destroy domain controllers. Researchers from ESET believe this is because the attackers want to maintain access to target systems in order to disrupt operations further.<a href="#_ftn1">[1]</a></p>
<p>CaddyWiper operates in two primary stages. The first stage overwrites all files on the machine’s disk, and the second stage destroys the disk layout and partition tables. Most wiper malware deletes or destroys the start of each file to prevent file recovery. If a target file is larger than 10 megabytes, CaddyWiper destroys only the first 10 megabytes. The wiper starts with “C:\Users” and works through the drive letters all the way to “Z:\”, if it exists. IBM Security X-Force has provided both a YARA signature and Indicators of Compromise to identify CaddyWiper; they are pictured below.<a href="#_ftn2">[2]</a></p>
<p><a href="{{#staticFileLink}}10401517678,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10401517678,RESIZE_584x{{/staticFileLink}}" width="420" alt="10401517678?profile=RESIZE_584x" /></a><a href="{{#staticFileLink}}10401518260,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10401518260,RESIZE_584x{{/staticFileLink}}" width="420" alt="10401518260?profile=RESIZE_584x" /></a><a href="{{#staticFileLink}}10401520876,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10401520876,RESIZE_584x{{/staticFileLink}}" width="420" alt="10401520876?profile=RESIZE_584x" /></a><a href="{{#staticFileLink}}10401521279,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10401521279,RESIZE_584x{{/staticFileLink}}" width="420" alt="10401521279?profile=RESIZE_584x" /></a></p>
<p>According to CERT-UA, CaddyWiper was intended to wipe data from Windows machines, while malicious scripts including ORCSHRED, SOLOSHRED and AWFULSHRED were set to disrupt and wipe data on Linux servers.</p>
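<p>The truncated overwrite described above leaves a distinctive on-disk pattern: a file larger than 10 MB keeps its tail while its head is gone. The Python below is an added triage helper written for this post, not the IBM X-Force YARA rule or any code from the original; it assumes the overwrite leaves zero bytes (the post does not say what CaddyWiper writes), and the names WIPE_LIMIT, classify and scan_tree, as well as the sample files it builds, are constructed here.</p>

```python
"""Triage helper: flag files whose leading bytes are all NUL, the pattern a
CaddyWiper-style overwrite of "the first 10 MB" would leave behind.
Added example for this post; it is not the IBM X-Force signature."""
import os
import tempfile
from pathlib import Path

# The post says CaddyWiper destroys only the first 10 MB of larger files.
# That the overwrite consists of zero bytes is an assumption made here.
WIPE_LIMIT = 10 * 1024 * 1024
READ_CHUNK = 1024 * 1024


def zeroed_prefix_length(path, limit=WIPE_LIMIT):
    """Count leading NUL bytes in `path`, inspecting at most `limit` bytes."""
    zeroed = 0
    remaining = limit
    with open(path, "rb") as fh:
        while remaining > 0:
            chunk = fh.read(min(READ_CHUNK, remaining))
            if not chunk:
                break
            non_zero = chunk.lstrip(b"\x00")
            zeroed += len(chunk) - len(non_zero)
            if non_zero:          # first non-NUL byte found; stop counting
                break
            remaining -= len(chunk)
    return zeroed


def classify(path, limit=WIPE_LIMIT):
    """Return 'empty', 'intact', 'partial-zero' or 'wiped-prefix'.

    'wiped-prefix' means every byte up to min(size, limit) is NUL: either the
    whole (small) file is zeroed, or the first `limit` bytes are zeroed while
    data survives beyond them (the truncated-wipe case the post describes).
    """
    size = os.path.getsize(path)
    if size == 0:
        return "empty"
    zeroed = zeroed_prefix_length(path, limit)
    if zeroed == min(size, limit):
        return "wiped-prefix"
    if zeroed == 0:
        return "intact"
    return "partial-zero"


def scan_tree(root, limit=WIPE_LIMIT):
    """Walk `root` and return {relative_path: classification}."""
    root = Path(root)
    results = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        key = str(path.relative_to(root))
        try:
            results[key] = classify(path, limit)
        except OSError as exc:    # unreadable file: record it, keep sweeping
            results[key] = f"error: {exc.errno}"
    return results


def build_sample_tree():
    """Create constructed sample files in a temp dir and return its path.
    These are synthetic, not artifacts from any incident."""
    root = Path(tempfile.mkdtemp(prefix="wipe-triage-"))
    (root / "report.docx").write_bytes(b"\x00" * 2048)               # small, fully zeroed
    (root / "notes.txt").write_bytes(b"quarterly figures\n" * 50)    # untouched
    (root / "log.txt").write_bytes(b"")                               # empty: undecidable
    (root / "sparse.bin").write_bytes(b"\x00" * 16 + b"PK\x03\x04")  # a few leading NULs only
    with open(root / "archive.bak", "wb") as fh:                      # > 10 MiB: head wiped, tail intact
        fh.write(b"\x00" * WIPE_LIMIT)
        fh.write(b"surviving tail data\n" * 1000)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for name, verdict in scan_tree(sample).items():
        print(f"{verdict:13s} {name}")
```

<p>Pre-allocated database files, sparse disk images and some firmware blobs legitimately begin with long runs of zeros, so a "wiped-prefix" verdict is a lead for the analyst to pair with the published indicators, not proof of wiping on its own.</p>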
<p>This is not the first time Russia has used cyber-attacks against the Ukrainian power grid. In 2016, Russian hackers successfully caused blackouts in Kyiv using the original Industroyer malware, in one of the first recorded critical infrastructure cyber-attacks; the resulting blackouts lasted over an hour.<a href="#_ftn3">[3]</a></p>
<p>The Sandworm team used a revamped version of Industroyer, called Industroyer2, which interacts directly with electrical equipment and sends commands to substations to control the flow of power. Researchers believe the attackers were able to access systems at a regional Ukrainian energy firm and plant the malware as early as February 2022, but the attack was detected and mitigated before any blackouts occurred.<a href="#_ftn4">[4]</a> Industroyer2 shares source code with the original but is highly configured, with hard-coded target IP addresses, meaning it must be recompiled for new targets and environments.</p>
<p>Russian attackers succeeded in penetrating and disrupting part of the industrial control system, but were ultimately stopped when Ukrainian workers intervened and prevented electrical outages. Industroyer2 tasks were scheduled for 8 April 2022, with wiping procedures to follow 10 minutes later. The plan was to disrupt power distribution and then wipe the machines to prolong recovery.</p>
<p>The escalation of attacks in Ukraine has prompted a Cybersecurity & Infrastructure Security Agency (CISA) <a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-103a">alert</a> warning critical infrastructure organizations that Advanced Persistent Threats (APTs) have created tools targeting Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) devices. APTs are using tools to scan ICS/SCADA devices for vulnerabilities that, once exploited, will allow attackers access to the Operational Technology (OT) network.</p>
<p>The revamped Industroyer2, the new CaddyWiper wiper malware and the recent discovery of <a href="https://redskyalliance.org/xindustry/new-scada-malware-for-the-holiday-weekend">PIPEDREAM</a> mean it is time for domestic energy companies to look hard at their security practices and prepare to defend against a new wave of sophisticated ICS/SCADA attacks.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html">https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/">https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/</a></p>
<p><a href="#_ftnref3">[3]</a> <a href="https://news.sky.com/story/ukraine-prevents-new-russian-cyber-attack-targeting-electricity-grid-but-warns-more-may-be-on-the-way-12588592">https://news.sky.com/story/ukraine-prevents-new-russian-cyber-attack-targeting-electricity-grid-but-warns-more-may-be-on-the-way-12588592</a></p>
<p><a href="#_ftnref4">[4]</a> <a href="https://www.ironnet.com/blog/industroyer2-malware-targeting-ukrainian-energy-company">https://www.ironnet.com/blog/industroyer2-malware-targeting-ukrainian-energy-company</a></p></div>