2023-07-06

Last week, a new hacking group claimed responsibility for taking down a Russian telecom satellite, which we interpreted as an expansion of tactical activity (brought on by the instability in Russia) by Advanced Persistent Threats (APTs) and non-state cyber actors on all sides of the multi-sided hybrid conflict in Europe. The following cyber incidents from the past week are consistent with a pattern of increasing cyber attacks related to the conflict in Ukraine.

Russian railway site was allegedly taken down by Ukrainian hackers (July 5, 2023)

“Cyberattacks targeting railways…hinder the transfer of Russian troops into Belarus for military exercises.”

The Russian state-owned railway company RZD said Wednesday that its website and mobile app were down for several hours due to a “massive” cyberattack, forcing passengers to only buy tickets at railway stations.

Cyberattacks targeting railways can greatly disrupt a country’s logistics. Last year, a cyberattack on the Belarusian state railway crippled its network, allegedly hindering the transfer of Russian troops into Belarus for military exercises. The Belarusian hacktivist collective Cyber Partisans, which claimed responsibility for the attack, said that some trains stopped running after hackers compromised the railway system’s routing and switching devices and rendered them inoperable by encrypting data stored on them. (1)

Belarusian hacktivists claim to breach the country’s leading state university (July 5, 2023)

“…are you sure you want to play this game with us? You’d better beg the dictator to release political prisoners.”

The Belarusian hacker group known as the Cyber Partisans is claiming an attack on the country’s largest state-owned university. The Belarusian State University (BSU) is located in the capital city of Minsk and has over 44,800 students.

The university denied any cyberattack and attributed the system’s downtime to technical issues. Officials also claimed that the photos and screenshots shared by the hackers were fake and photoshopped.

“We have over 3 terabytes of data from your servers—are you sure you want to play this game with us? You’d better beg the dictator to release political prisoners,” the hackers said. (2)

Pro-Russian hackers upgrade DDoSia bot used to attack Ukraine, NATO countries

“Sekoia only observed one incident when the group attacked a single victim — Russia’s Wagner private mercenary army during its attempted military coup in June.”

The DDoSia project by pro-Russian hackers has seen significant growth this year as attackers continue to use the technology against countries critical of Russia’s invasion of Ukraine.

DDoSia is a distributed denial-of-service attack toolkit developed and used by the pro-Russia hacktivist group NoName057(16).

The group and its followers are actively deploying the tool against government agencies, media, and private companies in Lithuania, Ukraine, Poland, Italy, and other European countries, according to a report released by cybersecurity company Sekoia this week.

allegedly to maximize the media coverage of their DDoS operation, Sekoia said. The group typically targets 15 different victims per day. Sekoia only observed one incident when the group attacked a single victim — Russia’s Wagner private mercenary army during its attempted military coup in June. DDoS attacks are designed to overwhelm network resources with traffic to effectively take them offline. (3)

Technical Details

“DDoSia is distributed through a fully-automated process on Telegram that allows…for…crowdsourcing…in exchange for a cryptocurrency payment and a ZIP archive containing the attack toolkit.”

The updated variant, written in Golang, “implements an additional security mechanism to conceal the list of targets, which is transmitted from the [command-and-control] to the users,” cybersecurity company Sekoia said in a technical write-up.

What’s noteworthy about the new version is the use of encryption to mask the list of targets to be attacked, indicating that the tool is being actively maintained by the operators.

“NoName057(16) is making efforts to make their malware compatible with multiple operating systems, almost certainly reflecting their intent to make their malware available to a large number of users, resulting in the targeting of a broader set of victims,” Sekoia said. (4)

Source: Sekoia

Telegram communications

“It is highly likely we will observe further developments in the short term…”

The DDoSia project was launched in early 2022, reaching 10,000 followers on its Telegram channel. The administrators of the group, as well as community members, are very active, according to Sekoia. The group regularly posts messages about successful attacks.

For example, they want to make their malware compatible with multiple operating systems to reach more targets. “It is highly likely we will observe further developments in the short term,” the researchers said. (3)

What Next? Increased DoS and DDoS Attacks

“CISA’s latest advisory has also not gone unnoticed…”