#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

Russian hackers | Breaking Cybersecurity News | The Hacker News

Category — Russian hackers
Russian Hackers Use Zulip Chat App for Covert C&C in Diplomatic Phishing Attacks

Russian Hackers Use Zulip Chat App for Covert C&C in Diplomatic Phishing Attacks

Aug 17, 2023 Cyber Espionage / Malware
An ongoing campaign targeting ministries of foreign affairs of NATO-aligned countries points to the involvement of Russian threat actors. The phishing attacks feature PDF documents with diplomatic lures, some of which are disguised as coming from Germany, to deliver a variant of a malware called  Duke , which has been attributed to  APT29  (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes). "The threat actor used Zulip – an open-source chat application – for command-and-control, to evade and hide its activities behind legitimate web traffic," Dutch cybersecurity company EclecticIQ  said  in an analysis last week. The infection sequence is as follows: The PDF attachment, named "Farewell to Ambassador of Germany," comes embedded with JavaScript code that initiates a multi-stage process to leave a persistent backdoor on compromised networks. APT29's use of invitation themes has been previously reported by Lab52, which  doc
Turla's New DeliveryCheck Backdoor Breaches Ukrainian Defense Sector

Turla's New DeliveryCheck Backdoor Breaches Ukrainian Defense Sector

Jul 20, 2023 Cyber Attack / Malware
The defense sector in Ukraine and Eastern Europe has been targeted by a novel .NET-based backdoor called  DeliveryCheck  (aka CAPIBAR or GAMEDAY) that's capable of delivering next-stage payloads. The Microsoft threat intelligence team, in  collaboration  with the Computer Emergency Response Team of Ukraine (CERT-UA), attributed the attacks to a Russian nation-state actor known as  Turla , which is also tracked under the names Iron Hunter, Secret Blizzard (formerly Krypton), Uroburos, Venomous Bear, and Waterbug. It's linked to Russia's Federal Security Service (FSB). "DeliveryCheck is distributed via email as documents with malicious macros," the company  said  in a series of tweets. "It persists via a scheduled task that downloads and launches it in memory. It also contacts a C2 server to retrieve tasks, which can include the launch of arbitrary payloads embedded in XSLT stylesheets." Successful initial access is also accompanied in some cases by t
The Secret Weakness Execs Are Overlooking: Non-Human Identities

The Secret Weakness Execs Are Overlooking: Non-Human Identities

Oct 03, 2024Enterprise Security / Cloud Security
For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,
U.S. Offers $10 Million Bounty for Capture of Notorious Russian Ransomware Operator

U.S. Offers $10 Million Bounty for Capture of Notorious Russian Ransomware Operator

May 17, 2023 Cyber Crime / Ransomware
A Russian national has been charged and indicted by the U.S. Department of Justice (DoJ) for launching ransomware attacks against "thousands of victims" in the country and across the world. Mikhail Pavlovich Matveev  (aka  Wazawaka , m1x, Boriselcin, and Uhodiransomwar), the 30-year-old individual in question, is alleged to be a "central figure" in the development and deployment of  LockBit ,  Babuk , and  Hive  ransomware variants since at least June 2020. "These victims include law enforcement and other government agencies, hospitals, and schools," DoJ  said . "Total ransom demands allegedly made by the members of these three global ransomware campaigns to their victims amount to as much as $400 million, while total victim ransom payments amount to as much as $200 million." LockBit, Babuk, and Hive operate alike, leveraging unlawfully obtained access to exfiltrate valuable data and deploy ransomware on compromised networks. The threat actor
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering

Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering

Apr 24, 2023 Cyber Espionage
The Russian-speaking threat actor behind a backdoor known as Tomiris is primarily focused on gathering intelligence in Central Asia, fresh findings from Kaspersky reveal. "Tomiris's endgame consistently appears to be the regular theft of internal documents," security researchers Pierre Delcher and Ivan Kwiatkowski  said  in an analysis published today. "The threat actor targets government and diplomatic entities in the CIS." The Russian cybersecurity firm's latest assessment is based on three new attack campaigns mounted by the hacking crew between 2021 and 2023. Tomiris first came to light in September 2021 when Kaspersky  highlighted  its potential connections to  Nobelium  (aka APT29, Cozy Bear, or Midnight Blizzard), the Russian nation-state group behind the SolarWinds supply chain attack. Similarities have also been unearthed between the backdoor and another malware strain dubbed  Kazuar , which is attributed to the Turla group (aka Krypton, Secre
Google TAG Warns of Russian Hackers Conducting Phishing Attacks in Ukraine

Google TAG Warns of Russian Hackers Conducting Phishing Attacks in Ukraine

Apr 19, 2023 Cyber War / Cyber Attack
Elite hackers associated with  Russia's military intelligence service  have been linked to large-volume phishing campaigns aimed at hundreds of users in Ukraine to extract intelligence and influence public discourse related to the war. Google's Threat Analysis Group (TAG), which is  monitoring  the activities of the actor under the name  FROZENLAKE , said the  attacks   continue  the "group's 2022 focus on targeting webmail users in Eastern Europe." The state-sponsored cyber actor, also tracked as APT28, Fancy Bear, Forest Blizzard, Iron Twilight, Sednit, and Sofacy, is both highly prolific and proficient. It has been active since at least 2009, targeting media, governments, and military entities for espionage. The latest intrusion set, starting in early February 2023, involved the use of reflected cross-site scripting ( XSS ) attacks on various Ukrainian government websites to redirect users to phishing domains and capture their credentials. The disclosure
Russia-Linked Hackers Launches Espionage Attacks on Foreign Diplomatic Entities

Russia-Linked Hackers Launches Espionage Attacks on Foreign Diplomatic Entities

Apr 14, 2023 United States
The Russia-linked  APT29  (aka Cozy Bear) threat actor has been attributed to an ongoing cyber espionage campaign targeting foreign ministries and diplomatic entities located in NATO member states, the European Union, and Africa. According to Poland's Military Counterintelligence Service and the CERT Polska team, the observed activity shares tactical overlaps with a cluster tracked by Microsoft as  Nobelium , which is known for its high-profile  attack on SolarWinds  in 2020. Nobelium's operations have been attributed to Russia's Foreign Intelligence Service ( SVR ), an organization that's tasked with protecting "individuals, society, and the state from foreign threats." That said, the campaign represents an evolution of the Kremlin-backed hacking group's tactics, indicating  persistent attempts  at improving its cyber weaponry to infiltrate victim systems for intelligence gathering. "New tools were used at the same time and independently of eac
Google Reveals Alarming Surge in Russian Cyber Attacks Against Ukraine

Google Reveals Alarming Surge in Russian Cyber Attacks Against Ukraine

Feb 20, 2023 Threat Analysis / Cyber Attack
Russia's cyber attacks against Ukraine surged by 250% in 2022 when compared to two years ago, Google's Threat Analysis Group (TAG) and Mandiant disclosed in a new joint report. The targeting, which  coincided  and has  since persisted  following the country's military invasion of Ukraine in February 2022, focused heavily on the Ukrainian government and military entities, alongside critical infrastructure, utilities, public services, and media sectors. Mandiant  said  it observed, "more destructive cyber attacks in Ukraine during the first four months of 2022 than in the previous eight years with attacks peaking around the start of the invasion." As many as six unique wiper strains – including WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, and SDelete – have been deployed against Ukrainian networks, suggesting a willingness on the part of Russian threat actors to forgo persistent access. Phishing attacks aimed at NATO countries witnessed a 3
CERT-UA Alerts Ukrainian State Authorities of Remcos Software-Fueled Cyber Attacks

CERT-UA Alerts Ukrainian State Authorities of Remcos Software-Fueled Cyber Attacks

Feb 08, 2023 Threat Intelligence / Cyber War
The Computer Emergency Response Team of Ukraine (CERT-UA) has  issued  an alert warning of cyber attacks against state authorities in the country that deploy a legitimate remote access software named Remcos. The mass phishing campaign has been attributed to a threat actor it tracks as  UAC-0050 , with the agency describing the activity as likely motivated by espionage given the toolset employed. The bogus emails that kick-start the infection sequence claim to be from Ukrainian telecom company Ukrtelecom and come bearing a decoy RAR archive. Of the two files present in the file, one is a password-protected RAR archive that's over 600MB and the other is a text file containing the password to open the RAR file. Embedded within the second RAR archive is an executable that leads to the installation of the Remcos remote access software, granting the attacker full access to commandeer compromised computers. Remcos , short for remote control and surveillance software, is offered by B
Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors

Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors

Jan 08, 2023 Cyberespionage / Threat Analysis
The Russian cyberespionage group known as Turla has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine. Google-owned Mandiant, which is tracking the operation under the uncategorized cluster moniker  UNC4210 , said the hijacked servers correspond to a variant of a commodity malware called  ANDROMEDA  (aka Gamarue) that was uploaded to VirusTotal in 2013. "UNC4210 re-registered at least three expired ANDROMEDA command-and-control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022," Mandiant researchers  said  in an analysis published last week. Turla, also known by the names Iron Hunter, Krypton, Uroburos, Venomous Bear, and Waterbug, is an elite nation-state outfit that primarily targets government, diplomatic, and military organizations using a large set of custom malware. Since the onset of Russia's  milit
Ukraine's DELTA Military System Users Under Attack from Info Stealing Malware

Ukraine's DELTA Military System Users Under Attack from Info Stealing Malware

Dec 21, 2022 Cyber War / Cyber Attack
The Computer Emergency Response Team of Ukraine (CERT-UA) this week  disclosed  that users of the Delta situational awareness program received phishing emails from a compromised email account belonging to the Ministry of Defense. The attacks, which have been attributed to a threat cluster dubbed UAC-0142, aimed to infect systems with two pieces of data-stealing malware referred to as  FateGrab and StealDeal . Delta  is a cloud-based operational situation display system developed by Aerorozvidka that allows real-time monitoring of troops on the battlefield, making it a lucrative target for threat actors. The lure messages, which come with fake warnings to update root certificates in the Delta software, carry PDF documents containing links to archive files hosted on a fraudulent Delta domain, ultimately dropping the malware on compromised systems. While FateGrab is mainly designed to exfiltrate files with specific extensions through File Transfer Protocol ( FTP ), StealDeal single
Russian Hackers Targeted Petroleum Refinery in NATO Country During Ukraine War

Russian Hackers Targeted Petroleum Refinery in NATO Country During Ukraine War

Dec 20, 2022 Cyber War / Cyber Attack
The Russia-linked Gamaredon group attempted to unsuccessfully break into a large petroleum refining company within a NATO member state earlier this year amid the ongoing Russo-Ukrainian war. The attack, which took place on August 30, 2022, is just one of multiple intrusions orchestrated by the advanced persistent threat (APT) that's attributed to Russia's Federal Security Service ( FSB ). Gamaredon , also known by the monikers Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, has a history of primarily going after Ukrainian entities and, to a lesser extent, NATO allies to harvest sensitive data. "As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer," Palo Alto Networks Unit 42  said  in a report shared with The Hacker News. "Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused AP
Trojanized Windows 10 Installer Used in Cyberattacks Against Ukrainian Government Entities

Trojanized Windows 10 Installer Used in Cyberattacks Against Ukrainian Government Entities

Dec 16, 2022 Cyber Espionage / Supply Chain Attack
Government entities in Ukraine have been breached as part of a new campaign that leveraged trojanized versions of Windows 10 installer files to conduct post-exploitation activities. Mandiant, which discovered the "socially engineered supply chain" attack around mid-July 2022, said the malicious ISO files were distributed via Ukrainian- and Russian-language Torrent websites. It's tracking the threat cluster as  UNC4166 . "Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it," the cybersecurity company  said  in a technical deep dive published Thursday. Although the adversarial collective's provenance is unknown, the intrusions are said to have targeted organizations that were previously victims of disruptive wiper attacks attributed to  APT28 , a  Russian state-sponsored actor . The ISO file, per the Google-owned threat intelligence firm, was designed to disable the transmission of te
Russia-based RansomBoggs Ransomware Targeted Several Ukrainian Organizations

Russia-based RansomBoggs Ransomware Targeted Several Ukrainian Organizations

Nov 26, 2022
Ukraine has come under a fresh onslaught of ransomware attacks that mirror previous intrusions attributed to the Russia-based Sandworm nation-state group. Slovak cybersecurity company ESET, which dubbed the new ransomware strain  RansomBoggs , said the attacks against several Ukrainian entities were first detected on November 21, 2022. "While the malware written in .NET is new, its deployment is similar to previous attacks attributed to Sandworm," the company  said  in a series of tweets Friday. The development comes as the Sandworm actor, tracked by Microsoft as Iridium, was implicated for a set of attacks aimed at transportation and logistics sectors in Ukraine and Poland with another ransomware strain called  Prestige  in October 2022. The RansomBoggs activity is said to employ a PowerShell script to distribute the ransomware, with the former "almost identical" to the one used in the  Industroyer2 malware  attacks that came to light in April. According to
Google Wins Lawsuit Against Russians Linked to Blockchain-based Glupteba Botnet

Google Wins Lawsuit Against Russians Linked to Blockchain-based Glupteba Botnet

Nov 21, 2022
Google has won a lawsuit filed against two Russian nationals in connection with the operation of a botnet called Glupteba , the company  said  last week. The U.S. District Court for the Southern District of New York imposed monetary sanctions against the defendants and their U.S.-based legal counsel. The defendants have also been asked to pay Google's attorney fees. The defendants' move to press sanctions against Google was denied. The development comes nearly a year after the tech giant  took down  the malware's command-and-control infrastructure and initiated legal proceedings against Dmitry Starovikov and Alexander Filippov , who are said to have been in charge of running the illegal botnet. The defendants, along with 15 others, have also been accused of using the malware to create a hacked network of devices to mine cryptocurrencies, harvest victims' personal and financial data, and place disruptive ads. Gluteba is distinguished from its botnet counterparts b
OldGremlin Ransomware Targeted Over a Dozen Russian Entities in Multi-Million Scheme

OldGremlin Ransomware Targeted Over a Dozen Russian Entities in Multi-Million Scheme

Oct 20, 2022
A Russian-speaking ransomware group dubbed OldGremlin has been attributed to 16 malicious campaigns aimed at entities operating in the transcontinental Eurasian nation over the course of two and a half years. "The group's victims include companies in sectors such as logistics, industry, insurance, retail, real estate, software development, and banking," Group-IB  said  in an exhaustive report shared with The Hacker News. "In 2020, the group even targeted an arms manufacturer." In what's a rarity in the ransomware landscape, OldGremlin (aka TinyScouts) is one of the very few financially motivated cybercrime gangs that primarily focuses on Russian companies. Other notable groups consist of Dharma, Crylock, and Thanos, contributing to an uptick in ransomware attacks targeting businesses in the country by over 200% in 2021. OldGremlin first came to light in September 2020 when the Singapore-headquartered cybersecurity company  disclosed  nine campaigns orch
Russian Hacker Arrested in India for Reportedly Helping Students Cheat in JEE-Main Exam

Russian Hacker Arrested in India for Reportedly Helping Students Cheat in JEE-Main Exam

Oct 04, 2022
India's Central Bureau of Investigation (CBI) on Monday disclosed that it has detained a Russian national for allegedly hacking into a software platform used to conduct engineering entrance assessments in the country in 2021. "The said accused was detained by the Bureau of Immigration at Indira Gandhi International Airport, Delhi while arriving in India from Almaty, Kazakhstan," the primary investigating agency  said  in a press release. The name of the individual was not disclosed by law enforcement authorities, but Indian news reports identified the person as  Mikhail Shargin . The CBI further said that Shargin's role was uncovered as part of its investigation into alleged irregularities committed in the Joint Entrance Examination ( JEE-Main ) conducted last year. JEE is a standardized test used for admissions to engineering colleges in India. The September 2021 incident, per the agency, involved breaking into iLeon software, the platform on which the exam was
Popular YouTube Channel Caught Distributing Malicious Tor Browser Installer

Popular YouTube Channel Caught Distributing Malicious Tor Browser Installer

Oct 04, 2022
A popular Chinese-language YouTube channel has emerged as a means to distribute a trojanized version of a Windows installer for the Tor Browser. Kaspersky  dubbed  the campaign  OnionPoison , with all of the victims located in China. The scale of the attack remains unclear, but the Russian cybersecurity company said it detected victims appearing in its telemetry in March 2022. The malicious version of the Tor Browser installer is being distributed via a link present in the description of a video that was uploaded to YouTube on January 9, 2022. It has been viewed over 64,500 times to date. Google has moved to pull the video from the social media platform for violating YouTube's Harmful and Dangerous policies. The channel that hosted the video has 181,000 subscribers and claims to be based in Hong Kong. The attack banks on the fact that the actual Tor Browser website is blocked in China, thus tricking unsuspecting users searching for "Tor浏览器" (i.e., Tor Browser in Ch
Expert Insights / Articles Videos
Cybersecurity Resources