TeqGo.com
No Result
View All Result
No Result
View All Result
TeqGo.com
No Result
View All Result
Home Computer

Microsoft links Russia’s military to cyberattacks in Poland and Ukraine

Staff by Staff
November 11, 2022
in Computer
0
Microsoft links Russia’s military to cyberattacks in Poland and Ukraine
467
SHARES
1.5k
VIEWS
Share on FacebookShare on Twitter


Getty Images

Microsoft on Thursday fingered Russia’s military intelligence arm as the likely culprit behind ransomware attacks last month that targeted Polish and Ukrainian transportation and logistics organizations.

If the assessment by members of the Microsoft Security Threat Intelligence Center (MSTIC) is correct, it could be cause for concern for the US government and its European counterparts. Poland is a member of NATO and a staunch supporter of Ukraine in its bid to stave off an unprovoked Russian invasion. The hacking group the software company linked to the cyberattacks—known as Sandworm in wider research circles and Iridium in Redmond, Washington—is one of the world’s most talented and destructive and is widely believed to be backed by Russia’s GRU military intelligence agency.

Sandworm has been definitively linked to the NotPetya wiper attacks of 2017, a global outbreak that a White House assessment said caused $10 billion in damages, making it the most costly hack in history. Sandworm has also been definitively tied to hacks on Ukraine’s power grid that caused widespread outages during the coldest months of 2016 and again in 2017.

Enter Prestige

Last month, Microsoft said that Poland and Ukraine transportation and logistics organizations had been the target of cyberattacks that used never-before-seen ransomware that announced itself as Prestige. The threat actors, Microsoft said, had already gained control over the victim networks. Then in a single hour on October 11, the hackers deployed Prestige across all its victims.

Once in place, the ransomware traversed all files on the infected computer’s system and encrypted the contents of files that ended in .txt, .png, gpg, and more than 200 other extensions. Prestige then appended the extension .enc to the existing extension of the file. Microsoft attributed the attack to an unknown threat group it dubbed DEV-0960.

On Thursday, Microsoft updated the report to say that based on forensic artifacts and overlaps in victimology, tradecraft, capabilities, and infrastructure, researchers determined DEV-0960 was very likely Iridium.

Advertisement

“The Prestige campaign may highlight a measured shift in Iridium’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine,” MSTIC members wrote. “More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war.”

Thursday’s update went on to say that the Prestige campaign is distinct from destructive attacks in the past two weeks that used malware tracked as AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) to target multiple critical infrastructures in Ukraine. While the researchers said they still don’t know what threat group is behind those acts, they now have enough evidence to finger Iridium as the group behind the Prestige attacks. Microsoft is in the process of notifying customers who have been “impacted by Iridium but not yet ransomed,” they wrote.

Underscoring the sophistication of the attacks, Iridium members used multiple methods for deploying Prestige on the targeted networks. They included:

Windows scheduled tasks

Microsoft

encoded PowerShell commands, and

Microsoft

Default Domain Group Policy Objects

Microsoft

“Most ransomware operators develop a preferred set of tradecraft for their payload deployment and execution, and this tradecraft tends to be consistent across victims, unless a security configuration prevents their preferred method,” MSTIC members explained. “For this Iridium activity, the methods used to deploy the ransomware varied across the victim environments, but it does not appear to be due to security configurations preventing the attacker from using the same techniques. This is especially notable as the ransomware deployments all occurred within one hour.”

The post contains technical indicators that can help people figure out if they have been targeted.

Go to discussion…



Source link

Previous Post

Amazon’s New Robot Sparrow Can Handle Most Items in the Everything Store

Next Post

The HoloKit X AR Headset Leverages Your iPhone, Other Apple Devices

Next Post
The HoloKit X AR Headset Leverages Your iPhone, Other Apple Devices

The HoloKit X AR Headset Leverages Your iPhone, Other Apple Devices

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended.

The Top New Android 13 Features and How to Install It

The Top New Android 13 Features and How to Install It

August 15, 2022
Ingenuity Helicopter Marks 30 Flights on Mars

Ingenuity Mars Helicopter Reaches Record Altitude on 35th Flight

December 8, 2022

Trending.

What happened to Andrew Humphrey on Channel 4 weather?

August 24, 2022

Who is the new weather man on Channel 4 Detroit?

August 24, 2022

Why is Ben Bailey leaving WDIV?

August 24, 2022

What is a 100000 year period called?

August 23, 2022

Who recently left WDIV?

August 24, 2022
  • About us
  • Contact Us
  • Home
  • Privacy Policy and Disclaimer

© 2021-2023 Teqgo.com

No Result
View All Result
  • About us
  • Contact Us
  • Home
  • Privacy Policy and Disclaimer

© 2021-2023 Teqgo.com