ukraine (62)

As part of a recently identified cyber operation, cybersecurity investigators report that a Russia-linked threat actor known as RomCom has been targeting entities supporting Ukraine, including guests at the 2023 NATO Summit taking place July 11-12 in Vilnius, Lithuania.  The NATO Summit has on its agenda talks focusing on the war in Ukraine and new memberships in the organization, including Sweden and Ukraine.

RomCom attackers are spoofing trusted software solutions t

Researchers have uncovered malware designed to disrupt electric power transmission that may have been used by the Russian government in training exercises for creating or responding to cyberattacks on electric grids.

Known as CosmicEnergy, the malware has capabilities that are comparable to those found in malware known as Industroyer and Industroyer2, both of which have been widely attributed by researchers to Sandworm, the name of one of Russia’s most skilled and cutthroat hacking groups.  Sand

Several Polish media and news websites were hit by distributed denial-of-service (DDoS) attacks that the government said could be the action of Russian hacking groups, the digitalization minister was quoted as saying on 18 May.  Warsaw has positioned itself as one of Ukraine's staunchest allies since Russia invaded the country, and Poland says it frequently faces Russian attempts to destabilize the situation in the country.  Moscow has consistently denied that it carries out hacking operations.

The risk of a cyber-attack is the “main worry” for broadcasters staging the Eurovision song contest on behalf of war-torn Ukraine, a BBC executive has said.  Experts from the UK’s National Cyber Security Centre have been drafted in to help thwart any attempts by pro-Russian hackers to sabotage the competition’s public vote on Saturday.

The BBC’s director of unscripted programs said there was no specific intelligence about an attack but that there were “so many contingency plans” in place if

An information and hacking campaign, called Ghostwriter, with links to a foreign state has potentially had a "significant cumulative impact" over many years, according to a report from Cardiff University.  The findings, from the Security, Crime and Intelligence Innovation Institute, provide the most comprehensive picture to date of the activities of the so-called Ghostwriter campaign.

Tracking its evolving activities via open-source data, the report demonstrates how it has impersonated multiple

The first Linux variant of the Clop ransomware was rife with issues that allowed researchers to create a decryptor tool for victims.  SentinelOne said it observed the first Clop (also stylized as Cl0p) ransomware variant targeting Linux systems on 26 December 2022.  Clop has existed since about 2019, targeting large companies, financial institutions, primary schools and critical infrastructure across the world.  After the group targeted several major South Korean companies like e-commerce giant E

According to trusted government sources, there is an increasing focus on US Cyber Command (CYBERCOM) trying to replicate the ability of the US Special Operations Command (SOCOM), the unified combatant command with the mission of overseeing the elements of the special operations in the US Armed Services, to bring capabilities directly into the battlespace.  At a recent meeting, the chief of CYBERCOM is quoted as saying that the command is “trying to build our authorities much in the same way Speci

The Russian invasion of Ukraine in early 2022 appears to have led to a double-digit decrease in stolen payment card records published to the dark web, according to researchers.

In a recent report, investigators analyzed detailed threat intelligence gleaned from the cybercrime underground.  The report found a 24% year-on-year decrease in the volume of card-not-present records on dark web carding shops in 2022, to 45.6 million, and a 62% slump in card-present records, to 13.8 million.

Activity Summary - Week Ending on 14 October 2022:

  • Red Sky Alliance identified 26,570 connections from new IPs checking in with our Sinkholes
  • Netskope IAD hit 56x
  • Analysts identified 556 new IP addresses participating in various Botnets
  • Bisamware and Chile Locker
  • njRat, a.k.a. Bladabindi
  • Emotet 2022
  • Singtel
  • Pinnacle Hack
  • Ukraine War
  • Optus Part II

Link to full report: IR-22-288-001_weekly288.pdf

Our friends at FortiGuard Labs have observed an increasing number of campaigns targeting either side of the ongoing Russian-Ukrainian conflict.  These may be a cyber element of the conflict or simply opportunistic threat actors taking advantage of the war to further their malicious objectives.  Recently, researchers encountered a malicious Excel document masquerading as a tool to calculate salaries for Ukrainian military personnel.  The shared practical report discusses the technical details of

Just what is for sale on the Dark Web?  According to a published report, the North Atlantic Treaty Organization (NATO) is investigating the leak of data reportedly stolen from a European missile systems firm, which hackers have put up for sale on the Dark Web.  The leaked data includes blueprints of weapons used by Ukraine in its current war with Russia.  Integrated defense company MBDA Missile Systems, headquartered in France, has acknowledged that data from its systems is a part of the cache b

The Ukrainian energy agency responsible for the oversight and safe operation of the nation’s nuclear power plants said earlier this week that Russian hackers had launched their most ambitious effort yet on the company’s official website.  The attack appeared to fail and there was no indication that it threatened to disrupt the Ukrainian power grid or the company’s oversight of the nation’s 15 working nuclear reactors.

The company, Energoatom,[1] said it had managed to keep the attack from being

Even in the middle of a war, Ukrainian law enforcers claim to have dismantled a large bot farm used by Russian special services to spread disinformation and propaganda in the country.  The Secret Service of Ukraine (SSU) said the million-strong bot farm was used to “spin destabilizing content” on the country’s military and political leadership to an audience of over 400,000.

This included fake news on the situation at the front, an alleged conflict between the President’s Office and the commande

Activity Summary - Week Ending on 29 July 2022:

  • Red Sky Alliance identified 25,992 connections from new IPs checking in with our Sinkholes
  • Hetzner 10x
  • Analysts identified 309 new IP addresses participating in various Botnets
  • Ransomware UpDate
  • Adversary-in-the-Middle - AiTM
  • South Africa under Attack
  • Mercenary Spyware
  • T-Mobile
  • US Electric Grid
  • Kherson Ukraine

Link to full report: IR-22-210-002_weekly210.pdf

A new cross-platform ransomware named Luna can encrypt files on Windows, Linux, and ESXi, but its developers only offer it to Russian-speaking affiliates.  The ransomware is fairly simple, according to researchers who analyzed the malware, but it uses an encryption scheme that is not typically used by ransomware: a combination of X25519 elliptic curve Diffie-Hellman key exchange using Curve25519 with the Advanced Encryption Standard (AES) symmetric encryption algorithm.  The Diffie-Hellman key ex

Activity Summary - Week Ending on 1 July 2022:

  • Red Sky Alliance identified 40,622 connections from new IPs checking in with our Sinkholes
  • MS hit 45 x – 2nd week
  • Analysts identified 1,801 new IP addresses participating in various Botnets
  • DeadLocker
  • Symbiote
  • Killnet
  • СПИСОК_посилань_на_інтерактивні_карти[.]docx
  • Apple, Google and the US FTC
  • Guns and California Data Hacks

Link to full report: IR-22-182-001_weekly182.pdf

Ever since the beginning of the Internet Age, the potential to weaponize digital technologies as tools of international aggression has been known.  This was exposed by Russia’s 2007 cyber-attack on Estonia, which was widely recognized as the first such act by one state against another.  In 2016, NATO officially recognized cyberspace as a field of military operations alongside the more traditional domains of land, sea and air.

The current Russia-Ukraine War demonstrates the next major milestone i

Tesla Inc. CEO Elon Musk said SpaceX’s high-speed Internet service, Starlink, has held out against Russia’s cyberwar tactics amid the country’s ongoing invasion of Ukraine.

What Happened - Musk said last week that Starlink has resisted Russia’s “jamming & hacking attempts,” even as the Vladimir Putin-led country is ramping up efforts.  Musk linked his comment to a Reuters report that said Russia was behind a massive cyberattack against a satellite internet network that took tens of thousands of

When one of your enemies begins attacking another of your enemies, does that make the first enemy an ally?  I will let the philosophers answer this question.  A China-linked state-sponsored cyberespionage group has started targeting the Russian military in recent attacks, which aligns with China’s interests in the Russia-Ukraine war.  Tracked as Mustang PANDA, Bronze President, RedDelta, HoneyMyte, Red Lich and TA416, the government-backed hacking group previously focused