Cyber warfare | Breaking Cybersecurity News | The Hacker News

Ukraine has claimed responsibility for a cyber attack that targeted Russia state media company VGTRK and disrupted its operations, according to reports from Bloomberg and Reuters . The incident took place on the night of October 7, VGTRK confirmed , describing it as an "unprecedented hacker attack." However, it said "no significant damage" was caused and that everything was working normally despite attempts to interrupt radio and TV broadcasts. That said, Russian media outlet Gazeta.ru reported that the hackers wiped "everything" from the company's servers, including backups, citing an anonymous source. A source told Reuters that "Ukrainian hackers 'congratulated' Putin on his birthday by carrying out a large-scale attack on the all-Russian state television and radio broadcasting company." The attack is believed to be the work of a pro-Ukrainian hacker group called Sudo rm-RF . The Russian government has since said an investi

A hacktivist group known as Twelve has been observed using an arsenal of publicly available tools to conduct destructive cyber attacks against Russian targets. "Rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims' data and then destroy their infrastructure with a wiper to prevent recovery," Kaspersky said in a Friday analysis. "The approach is indicative of a desire to cause maximum damage to target organizations without deriving direct financial benefit." The hacking group, believed to have been formed in April 2023 following the onset of the Russo-Ukrainian war, has a track record of mounting cyber attacks that aim to cripple victim networks and disrupt business operations. It has also been observed conducting hack-and-leak operations that exfiltrate sensitive information, which is then shared on its Telegram channel. Kaspersky said Twelve shares infrastructural and tactical overlaps with a ransomware group called DARKSTA

For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,

Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor called OilRig . The attacks singled out Iraqi organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis. OilRig, also called APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber group associated with the Iranian Ministry of Intelligence and Security (MOIS). Active since at least 2014, the group has a track record of conducting phishing attacks in the Middle East to deliver a variety of custom backdoors such as Karkoff, Shark, Marlin, Saitama, MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah for information theft. The latest campaign is no exception in that it involves the use of a new set of malware families dubbed Veaty and Spearal, which come with capabilities t

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of new phishing attacks that aim to infect devices with malware. The activity has been attributed to a threat cluster it tracks as UAC-0020, which is also known as Vermin . The exact scale and scope of the attacks are presently unknown. The attack chains commence with phishing messages with photos of alleged prisoners of war (PoWs) from the Kursk region, urging recipients to click on a link pointing to a ZIP archive. The ZIP file contains a Microsoft Compiled HTML Help (CHM) file that embeds JavaScript code responsible for launching an obfuscated PowerShell script. "Opening the file installs components of known spyware SPECTR, as well as the new malware called FIRMACHAGENT," CERT-UA said. "The purpose of FIRMACHAGENT is to retrive the data stolen by SPECTR and send it to a remote management server." SPECTR is a known malware linked to Vermin as far back as 2019. The group is assessed to be

The Russian government and IT organizations are the target of a new campaign that delivers a number of backdoors and trojans as part of a spear-phishing campaign codenamed EastWind . The attack chains are characterized by the use of RAR archive attachments containing a Windows shortcut (LNK) file that, upon opening, activates the infection sequence, culminating in the deployment of malware such as GrewApacha, an updated version of the CloudSorcerer backdoor, and a previously undocumented implant dubbed PlugY. PlugY is "downloaded through the CloudSorcerer backdoor, has an extensive set of commands and supports three different protocols for communicating with the command-and-control server," Russian cybersecurity company Kaspersky said . The initial infection vector relies on a booby-trapped LNK file, which employs DLL side-loading techniques to launch a malicious DLL file that uses Dropbox as a communications mechanism to execute reconnaissance commands and download add

Companies in Russia and Moldova have been the target of a phishing campaign orchestrated by a little-known cyber espionage group known as XDSpy . The findings come from cybersecurity firm F.A.C.C.T., which said the infection chains lead to the deployment of a malware called DSDownloader. The activity was observed this month, it added. XDSpy is a threat actor of indeterminate origin that was first uncovered by the Belarusian Computer Emergency Response Team, CERT.BY, in February 2020. A subsequent analysis by ESET attributed the group to information-stealing attacks aimed at government agencies in Eastern Europe and the Balkans since 2011. Attack chains mounted by the adversary are known to leverage spear-phishing emails in order to infiltrate their targets with a main malware module known as XDDown that, in turn, drops additional plugins for gathering system information, enumerating C: drive, monitoring external drives, exfiltrating local files, and gathering passwords. Ove

A 22-year-old Russian national has been indicted in the U.S. for his alleged role in staging destructive cyber attacks against Ukraine and its allies in the days leading to Russia's full-blown military invasion of Ukraine in early 2022. Amin Timovich Stigal, the defendant in question, is assessed to be affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). He remains at large. If convicted, he faces a maximum penalty of five years in prison. Concurrent with the action, the U.S. Department of State's Rewards for Justice program is offering a reward of up to $10 million for information pertaining to his whereabouts or the malicious cyber attacks he is associated with. "The defendant conspired with Russian military intelligence on the eve of Russia's unjust and unprovoked invasion of Ukraine to launch cyberattacks targeting the Ukrainian government and later targeting its allies, including the United States,&quo

Microsoft has emphasized the need for securing internet-exposed operational technology (OT) devices following a spate of cyber attacks targeting such environments since late 2023. "These repeated attacks against OT devices emphasize the crucial need to improve the security posture of OT devices and prevent critical systems from becoming easy targets," the Microsoft Threat Intelligence team said . The company noted that a cyber attack on an OT system could allow malicious actors to tamper with critical parameters used in industrial processes, either programmatically via the programmable logic controller (PLC) or using the graphical controls of the human-machine interface (HMI), resulting in malfunctions and system outages. It further said that OT systems often lack adequate security mechanisms, making them ripe for exploitation by adversaries and carry out attacks that are "relatively easy to execute," a fact compounded by the additional risks introduced by direc

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Monday sanctioned two firms and four individuals for their involvement in malicious cyber activities on behalf of the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) from at least 2016 to April 2021. This includes the front companies Mehrsam Andisheh Saz Nik (MASN) and Dadeh Afzar Arman (DAA), as well as the Iranian nationals Alireza Shafie Nasab, Reza Kazemifar Rahman, Hossein Mohammad Harooni, and Komeil Baradaran Salmani. "These actors targeted more than a dozen U.S. companies and government entities through cyber operations, including spear-phishing and malware attacks," the Treasury Department  said . Concurrent with the sanctions, the U.S. Department of Justice (DoJ)  unsealed  an indictment against the four individuals for orchestrating cyber attacks targeting the U.S. government and private entities. Furthermore, a  reward of up to $10 million  has been an

The U.S. Department of Justice (DoJ) on Monday unsealed indictments against seven Chinese nationals for their involvement in a hacking group that targeted U.S. and foreign critics, journalists, businesses, and political officials for about 14 years. The defendants include Ni Gaobin (倪高彬), Weng Ming (翁明), Cheng Feng (程锋), Peng Yaowen (彭耀文), Sun Xiaohui (孙小辉), Xiong Wang (熊旺), and Zhao Guangzong (赵光宗).  The suspected cyber spies have been charged with conspiracy to commit computer intrusions and conspiracy to commit wire fraud in connection with a state-sponsored threat group tracked as  APT31 , which is also known as Altaire,  Bronze Vinewood , Judgement Panda, and Violet Typhoon (formerly Zirconium). The hacking collective has been  active since at least 2010 . Specifically, their responsibilities entail testing and exploiting the malware used to conduct the intrusions, managing the attack infrastructure, and conducting surveillance of specific U.S. entities, federal prosecutors no

A China-linked threat cluster leveraged security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver custom malware capable of delivering additional backdoors on compromised Linux hosts as part of an "aggressive" campaign. Google-owned Mandiant is  tracking  the activity under its uncategorized moniker  UNC5174  (aka Uteus or Uetus), describing it as a "former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China's Ministry of State Security (MSS) focused on executing access operations." The threat actor is believed to have orchestrated widespread attacks against Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and U.K. government organizations between October and November 2023, and again in February 2024 using the ScreenConnect bug. Initial access to target environments is facilitated by t

The data wiping malware called  AcidPour  may have been deployed in attacks targeting four telecom providers in Ukraine, new findings from SentinelOne show. The cybersecurity firm also confirmed connections between the malware and AcidRain, tying it to threat activity clusters associated with Russian military intelligence. "AcidPour's expanded capabilities would enable it to better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions," security researchers Juan Andres Guerrero-Saade and Tom Hegel  said . AcidPour is a variant of  AcidRain , a wiper that was used to render Viasat KA-SAT modems operable at the onset of the Russo-Ukrainian war in early 2022 and cripple Ukraine's military communications. It also builds upon the latter's features, while targeting Linux systems running on x86 architecture. AcidRain, on the other hand, is compiled for MIPS architecture. Where AcidRain w

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sanctions against two 46-year-old Russian nationals and the respective companies they own for engaging in cyber influence operations. Ilya Andreevich Gambashidze (Gambashidze), the founder of the Moscow-based company Social Design Agency (SDA), and Nikolai Aleksandrovich Tupikin (Tupikin), the CEO and current owner of Russia-based Company Group Structura LLC (Structura), have been accused of providing services to the Russian government in connection to a "foreign malign influence campaign." The disinformation campaign is tracked by the broader cybersecurity community under the name  Doppelganger , which is known to target audiences in Europe and the U.S. using inauthentic news sites and social media accounts. "SDA and Structura have been identified as key actors of the campaign, responsible for providing [the Government of the Russian Federation] with a variety of servic

A new variant of a data wiping malware called AcidRain has been detected in the wild that's specifically designed for targeting Linux x86 devices. The malware, dubbed AcidPour, is compiled for Linux x86 devices, SentinelOne's Juan Andres Guerrero-Saade said in a series of posts on X. "The new variant [...] is an ELF binary compiled for x86 (not MIPS) and while it refers to similar devices/strings, it's a largely different codebase," Guerrero-Saade  noted . AcidRain  first came to light  in the early days of the Russo-Ukrainian war, with the malware deployed against KA-SAT modems from U.S. satellite company Viasat. An ELF binary compiled for MIPS architectures, it is capable of wiping the filesystem and different known storage device files by recursively iterating over common directories for most Linux distributions. The cyber attack was  subsequently attributed  to Russia by the Five Eyes nations, along with Ukraine and the European Union. AcidPour, as the

The Russia-linked threat actor known as  APT28  has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. "The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production," IBM X-Force  said  in a report published last week. The tech company is tracking the activity under the moniker  ITG05 , which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028. The disclosure comes more than three months after the adversary was spotted using decoys related to the ongoing I