OODA Loop

Understand tomorrow, today.

Cyber Attacks by Non-State Actors Continue Astride in Europe

Archive, OODA Original, Security and Resiliency / by

In an update to our recent analysis of the continued expansion of cyber incidents by non-state actors in the war in Europe, the following is a sampling of the most recent, attributed, known major cyber incidents and non-state actor cyber activity (mainly centered around the conflict in Ukraine) of the last two months. 

July 2023

Industrial Organizations in Eastern Europe Targeted by Chinese Cyberspies

The China-linked cyberspy group APT31 is believed to be behind a data-theft campaign targeting industrial organizations in Eastern Europe.

Cybersecurity firm Kaspersky observed a new APT31 campaign targeting industrial organizations in Eastern Europe. APT31, also known as Zirconium, Judgement Panda, Bronze Vinewood, and Red Keres, is strongly linked to the Chinese government.


OODA Loop Sponsor

The attacks occurred in 2022, and Kaspersky recently concluded its investigation. Instead of attacking industrial control systems, the hackers sought to establish permanent data-theft channels through malware-infected removable drives. The group used two variants of malware, FourteenHi and MeatBall. The first is capable of uploading or downloading files, running commands, and initiating reverse shells. The second establishes extensive remote access capabilities. Kaspersky’s report includes indicators of compromise, technical details, and an overview of the tactics APT31 employed during this campaign. (1)

Ukrainian Policy Bust Up Russian Bot Farm

Confiscated SIM cards. Image: Ukraine Cyber Police (Image Source:  The Record

A summary from The Record on a Russian bot farm pushing out kompromat: 

“Ukraine‘s Cyber Police shut down yet another bot farm that was reportedly spreading disinformation about the war in Ukraine on social media, just one month after a similar illicit operation was raided in west-central Ukraine. Here’s what you need to know:

  1. The Ukrainian Cyber Police shut down a significant bot farm reportedly spreading disinformation about the war in Ukraine via social media. This comes as another such operation was stopped just a month prior. Over 100 individuals were involved in creating fake accounts through approximately 150,000 SIM cards provided by various mobile operators.
  2. The bot farm was implicated in several illegal activities, such as justifying Russian military actions in Ukraine, propagating unlawful content, committing internet fraud, and even illegally sharing private data of Ukrainian citizens. To remunerate the people running the bot farms, payments were reportedly made in Russian rubles and then converted to cryptocurrency using sanctioned payment systems like WebMoney and PerfectMoney.
  3. The Ukrainian Cyber Police have increased their efforts in combating cybercrime. During their investigation, 21 searches were conducted that resulted in the seizure of computer equipment, mobile phones, and SIM cards. These cybercrimes, which include unauthorized interferences in information and electronic communication networks, are severely penalized under Ukrainian law and could lead to imprisonment.” (2)

Turla is at it…Again 

A summary from The Record on Turla-led Russian espionage efforts via malware:  

The Russian hacking group Turla is attacking Ukrainian defense forces with spying malware, according to new research from the country’s computer emergency response team (CERT-UA). Here’s what you need to know:

  1. The Russian cyberespionage group, Turla, synonymous with Waterbug and Venomous Bear, is reportedly targeting Ukrainian defense forces with Capibar and Kazuar spyware. The group uses Capibar to compromise Microsoft Exchange servers, transforming them into malware control centers, while Kazuar acts as a backdoor to extract sensitive authentication information from victims’ computer systems.
  2. These attacks involve manipulation through phishing tactics, where the users are sent malicious emails disguised as utility bills from Ukrainian energy companies. On opening these attachments, a PowerShell command is triggered, injecting the system with malware. However, the total number of successful hacks or the exact impact of the Turla‘s spyware remains undisclosed by the computer emergency response team of Ukraine (CERT-UA).
  3. Last year, Turla was found to have taken over a cybercriminal botnet for access into the victims’ systems. This was discovered by Mandiant, a cybersecurity firm owned by Google, when it noted a user in Ukraine unintentionally causing their system to be infected with an old banking trojan, Andromeda after inserting a USB drive, and followed by two tools linked to Turla getting downloaded and installed.  (2b)

Ukrainian State Services Targeted by Armageddon

“The Moscow-linked hacking group known as Armageddon remains one of the most active and dangerous threat actors targeting Ukraine during its war with Russia, according to recent research. Here’s what you need to know:

  1. The Moscow-linked hacking group Armageddon continues to pose a significant cyber threat to Ukraine, with a heightened level of activity noted this year. The group is primarily focused on cyberespionage operations against Ukrainian security and defense services and has been linked to destructive cyberattacks on information infrastructure.
  2. Armageddon has continuously been enhancing its tactics and tools to evade detection by security services. For instance, it uses USB infection techniques to infiltrate more computers within a network. The group primarily employs phishing emails and messages on compromised accounts to gain unauthorized access. Upon successful infiltration, they proceed to extract files swiftly using the GammaSteel malware.
  3. Despite its lack of technical sophistication, Armageddon‘s focused approach contributes to its threatening nature. The hackers tend to compromise individual computers in a targeted organization, offering persistence in their attacks which compensates for their lack of technical skills. Furthermore, the group‘s use of platforms like Telegram for communication can help them stay undetected, making it challenging for the defense to identify such malicious activities.”  (2c)

June 2023

Russia-affiliated Shuckworm Intensifies Cyber-Attacks on Ukraine

The Shuckworm espionage group, believed to be linked to the Russian FSB, has intensified cyber-attacks on Ukraine, targeting military and security intelligence. The campaign involved phishing emails with malicious attachments, deploying backdoors and tools, and spreading custom malware via USB drives. The group displayed persistence, updating its toolset and leveraging legitimate services for command-and-control infrastructure. To mitigate such attacks, organizations are advised to assess the risk of using USB devices, scan them with antivirus software, and educate users to identify and report phishing attempts. (3)

Microsoft Outs New Russian APT Linked to Wiper Attacks in Ukraine

Microsoft has publicly identified a new APT group called Cadet Blizzard, associated with Russia’s GRU, which has carried out destructive cyber attacks in Ukraine using wiper malware. The group is linked to defacements of Ukrainian organization websites and the hack-and-leak Telegram channel “Free Civilian.” Microsoft has been tracking Cadet Blizzard since January 2022 and believes it has been operational since 2020, targeting government organizations and IT providers in Ukraine, Europe, and Latin America. The group maintains long-term access to compromised networks and exfiltrates data before launching disruptive attacks. Cadet Blizzard has received support from at least one Russian private sector organization. (4)

Pro-Russian hackers upgrade DDoSia bot used to attack Ukraine, NATO countries

“The DDoSia project by pro-Russian hackers has seen significant growth this year as attackers continue to use the technology against countries critical of Russia’s invasion of Ukraine. DDoSia is a distributed denial-of-service attack toolkit developed and used by the pro-Russia hacktivist group NoName057(16). The group and its followers are actively deploying the tool against government agencies, media, and private companies in Lithuania, Ukraine, Poland, Italy, and other European countries, according to a report released by cybersecurity company Sekoia [which] detected a total of 486 different websites impacted by DDoSia attacks. Among them are incidents involving Latvia’s parliament and Poland’s tax service.

NoName057(16) also targeted education-related websites during the exam period in Ukraine in May and June, allegedly to maximize the media coverage of their DDoS operation, Sekoia said.  The group typically targets 15 different victims per day. Sekoia only observed one incident when the group attacked a single victim — Russia’s Wagner private mercenary army during its attempted military coup in June. DDoS attacks are designed to overwhelm network resources with traffic to effectively take them offline.

Telegram communications

  • The DDoSia project was launched in early 2022, reaching 10,000 followers on its Telegram channel. The administrators of the group, as well as community members, are very active, according to Sekoia. The group regularly posts messages about successful attacks.
  • NoName057(16) also communicates about the project through its own Telegram channels, including one in Russian with over 45,000 subscribers, and a separate channel in English.
  • Volunteers who choose to participate in hacking campaigns are paid in cryptocurrency based on their contribution to DDoS attacks. Before launching the attack, the new members receive a .zip archive that contains the attack toolkit.
  • According to Sekoia, the NoName057(16) group continues to update the DDoSia project. For example, they want to make their malware compatible with multiple operating systems to reach more targets.” (5)

Pro-Ukraine hackers claim to take down Russian internet provider

“Pro-Ukrainian hacktivists have hit a Russian internet and telecommunications company used mostly by banks and online stores with a “massive” cyberattack.Infotel released a statement on its website…confirming that the cyber operation had hit its target:

‘We inform you that as a result of a massive hacker attack on the Infotel network, part of the network equipment was damaged,’ the company said. ‘Restoration work is currently underway. Additional deadlines for completing the work will be announced.’ As of the time of writing, some of the services listed on its website are still unavailable.

A group of pro-Ukrainian hacktivists calling themselves the Cyber Anarchy Squad claimed responsibility for the attack. ‘We have completely destroyed their infrastructure. There is nothing left alive. Let them try to restore it now, but their chances are as slim as finding an easy life in Russia,’ the hackers wrote on their Telegram channel. The Moscow-based company provides services to Russia’s Central Bank and connects it to local banks, financial companies, and online stores. The attack may cause issues for Russian businesses in accessing banking systems and making payments, hackers said.  Aside from disrupting Infotel services, the hackers claim to have accessed certain intelligence, including a list of customers and their email correspondences.” (6)

The Continued Expansion of Cyber Incidents by Non-State Actors in the War in Europe

About Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.