| Date | Source | Description | Link |
| --- | --- | --- | --- |
| 1 MAR | ESET | IsaacWiper and HermeticWizard | welivesecurity.com |
| 1 MAR | Proofpoint | Ukrainian armed service member's email compromised and used to send malspam containing the SunSeed malware (likely TA445/UNC1151/Ghostwriter) | proofpoint.com |
| 1 MAR | Elastic | HermeticWiper | elastic.github.io |
| 1 MAR | CrowdStrike | PartyTicket (aka HermeticRansom), DriveSlayer (aka HermeticWiper) | CrowdStrike |
| 2 MAR | Zscaler | DanaBot operators launch DDoS attacks against the Ukrainian Ministry of Defense | zscaler.com |
| 2 MAR | Infoblox | Ukrainian Support Fraud | blogs.infoblox.com |
| 2 MAR | Trellix | Digging into HermeticWiper | trellix.com |
| 2 MAR | PortSwigger | Ukraine invasion: WordPress-hosted university websites hacked in ‘targeted attacks’ | portswigger.net |
| 3 MAR | @ShadowChasing1 | Gamaredon/Shuckworm/PrimitiveBear (FSB) | twitter.com/ShadowChasing1 |
| 3 MAR | @vxunderground | News website in Poland was reportedly compromised and the threat actor uploaded anti-Ukrainian propaganda | twitter.com/vxunderground |
| 3 MAR | @kylaintheburgh | Russian botnet on Twitter is pushing "#istandwithputin" and "#istandwithrussia" propaganda (in English) | twitter.com/kylaintheburgh |
| 3 MAR | @tracerspiff | UNC1151/Ghostwriter (Belarus MoD) | twitter.com |
| 3 MAR | Trustwave | Gorenie Fundraising Email Scams | trustwave.com |
| 3 MAR | Trend Micro | Prominent Cyber Attacks in Russia-Ukraine Conflict | trendmicro.com |
| 3 MAR | U.S. DoT | Press Releases: Treasury Sanctions Russians Bankrolling Putin and Russia-Backed Influence Actors | treasury.gov |
| 3 MAR | Microsoft MSTIC | DEV-0586 (aka WhisperGate), DEV-0665 (aka FoxBlade/HermeticWizard/HermeticWiper), SonicVote (aka HermeticRansom & PartyTicket), Lasainraw (aka IsaacWiper) | twitter.com/MalwareRE |
| 4 MAR | Interfax | CERT-UA warns about mass mailings of malicious software | interfax.com.ua |
| 4 MAR | eln0ty | HermeticWiper/FoxBlade Analysis (in-depth) | eln0ty.github.io |
| 4 MAR | Mandiant | Sandworm, UNC2589 (aka Lorec53/UAC-0056/EmberBear), UNC3715 (aka DEV-0665/HermeticWiper), and potentially TEMP.Isotope (aka BerserkBear/EnergeticBear/Dragonfly) | mandiant.com |
| 5 MAR | SSSCIP Ukraine | Russian DDoS attacks (100 Gbps at their peak) primarily aimed at the resources of the Verkhovna Rada, Cabinet of Ministers, President of Ukraine, Defense Ministry and Internal Affairs Ministry | twitter.com/dsszzi |
| 6 MAR | @shakirov2036 | Notice: Russian government websites to move to domestic hosting (thread) | twitter.com/shakirov2036 |
| 7 MAR | ReverseMode | SATCOM terminals under attack in Europe: plausible analysis | reversemode.com |
| 7 MAR | Google TAG | FancyBear (aka APT28) targeted users of UkrNet (a Ukrainian media company), Ghostwriter (aka UNC1151), Mustang Panda (aka Temp.Hex), DDoS attacks | blog.google |
| 7 MAR | CERT-UA | UAC-0051 (aka UNC1151), MicroBackdoor, CVE-2019-0541 | cert.gov.ua |
| 8 MAR | Cluster25 | UNC1151/Ghostwriter (Belarus MoD) | cluster25.io |
| 8 MAR | Trend Micro | RURansom - a data wiper targeting Russian organizations | trendmicro.com |
| 9 MAR | ReversingLabs | HermeticWiper and IsaacWiper | blog.reversinglabs.com |
| 11 MAR | CERT-UA | UAC-0056 (aka Lorec53, EmberBear) malspam against state authorities of Ukraine pushing fake antivirus updates containing Cobalt Strike Beacons, GrimPlant, and GraphSteel | cert.gov.ua |
| 11 MAR | Infosecurity Magazine | Pro-Ukrainian actors should be wary of downloading DDoS tools to attack Russia, as they may be booby-trapped with info-stealing malware | infosecurity-magazine.com |
| 11 MAR | @cyberknow20 | "Xahnet" shared a video in which they allegedly left a message and defaced the main page of Ukraine's capital bank [unvalidated] | twitter.com/cyberknow20 |
| 13 MAR | Spiegel | German Anonymous hacktivists targeted Rosneft Germany, allegedly stole 20TB of data, remotely wiped 59 Apple devices, and left "Slava Ukraini" on the wiped systems | spiegel.de |
| 13 MAR | BeeHive | Twitter user "BeeHive" allegedly exploited a vulnerability in the open-source ADS-B radar reporting feeds and digital transponders to manipulate Russian airline data, causing Aeroflot planes to erroneously squawk "7700" (the emergency code) and display anti-Russian callsigns on flight radars | twitter.com/BeeHiveCyberSec |
| 14 MAR | Cisco Talos | Opportunistic cybercriminals take advantage of Ukraine invasion | blog.talosintelligence.com |
| 14 MAR | ESET | Another wiper targeting Ukraine was discovered, dubbed CaddyWiper; it was delivered via GPO, indicating the adversary already controlled the target's network. CaddyWiper is seemingly not connected to the other wipers targeting Ukraine, including WhisperGate, HermeticWiper, or IsaacWiper | twitter.com/ESETresearch |
| 15 MAR | VICE | The Security Service of Ukraine (SBU) detained a “hacker” who assisted Russian troops in Ukraine by routing phone calls on their behalf and sent text messages to Ukrainian security forces suggesting they surrender | vice.com |
| 15 MAR | SentinelOne | Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software | sentinelone.com/blog |
| 16 MAR | CERT-UA | QR code phishing posing as UKR.NET linked to the UAC-0028 group (APT28/FancyBear/GRU) | cert.gov.ua |
| 17 MAR | CERT-UA | UAC-0020 (Vermin) cyberattack on Ukrainian state organizations using the SPECTR malware; the group's activities are associated with the so-called security agencies of the so-called "Luhansk People's Republic" | cert.gov.ua |
| 18 MAR | CERT-UA | UAC-0035 (InvisiMole) cyberattack on state organizations of Ukraine | cert.gov.ua |
| 22 MAR | CERT-UA | UAC-0088 deploys DoubleZero wiper | cert.gov.ua |
| 22 MAR | CERT-UA | UAC-0026 cyberattack using HeaderTip malware, linked to Scarab APT | cert.gov.ua |
| 23 MAR | Interfax UA | Datagroup, a provider of fiber-optic infrastructure and digital services, resolved more than 350 DDoS attacks on the country's telecommunications network during the month of the war. The largest attack was 103.6 Gbps, 28.0 Mpps; the most powerful attack was 27.6 Gbps, 43.0 Mpps; the longest attack lasted 24 days. | interfax.com.ua |
| 23 MAR | BalkanInsight | Croatian police are probing the hacking of the ‘Slobodna Dalmacija’ website, where hackers replaced content with pro-Russian articles on Ukraine. “Western Deception Machine”, “Which Side Are You On?”, and “The United States of America Admitted They Have Hidden Laboratories in Ukraine” are just some of the fake articles that the hackers posted online. | balkaninsight.com |
| 23 MAR | CERT-UA | UAC-0051 group (UNC1151/GhostWriter), Cobalt Strike Beacons | cert.gov.ua |
| 24 MAR | SentinelOne | Ukraine CERT (CERT-UA) has released new details on UAC-0026, which SentinelLabs confirms is associated with the suspected Chinese threat actor known as Scarab. Scarab has conducted a number of campaigns over the years, making use of a custom backdoor originally known as Scieron, which may be the predecessor to HeaderTip. | sentinelone.com |
| 24 MAR | Lab52 | Quasar RAT spear-phishing campaign | lab52.io |
| 25 MAR | SSSCIP Ukraine | Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22 | cip.gov.ua |
| 25 MAR | SSSCIP Ukraine | Statistics of Cyber Attacks on Ukrainian Critical Information Infrastructure: 15-22 March | cip.gov.ua |
| 26 MAR | @n0p | Analysis of a Caddy Wiper Sample | n0p.me |
| 28 MAR | CERT-UA | Cyberattack on Ukrainian state authorities using pseudoSteel malware linked to UAC-0010 (Armageddon/Gamaredon) | cert.gov.ua |
| 28 MAR | Cyber, etc | Ukraine's largest fixed-line telecommunications operator hit by cyberattack | Cyber, etc |
| 28 MAR | SSSCIP Ukraine | Cyberattack against Ukrtelecom IT infrastructure and recovery | twitter.com/dsszzi |
| 28 MAR | CERT-UA | GraphSteel and GrimPlant, UAC-0056 | cert.gov.ua |
| 29 MAR | Newsweek | U.S. airport hit with cyberattack over Ukraine | Newsweek |
| 29 MAR | ZDNet | The Security Service of Ukraine (SBU) has destroyed five "enemy" bot farms engaged in activities to frighten Ukrainian citizens. In a March 28 release, the SBU said that the bot farms had an overall capacity of at least 100,000 accounts spreading misinformation and fake news surrounding Russia's invasion of Ukraine | zdnet.com |
| 30 MAR | Viasat | Viasat is providing an overview and incident report on the cyberattack against the KA-SAT network, which occurred on 24 February 2022 and resulted in a partial interruption of KA-SAT's consumer-oriented satellite broadband service. | viasat.com |
| 30 MAR | CrowdStrike | EMBER BEAR (aka UAC-0056, Lorec53, Lorec Bear, Bleeding Bear, Saint Bear) | crowdstrike.com |
| 30 MAR | CERT-UA | MarsStealer, UAC-0041 | cert.gov.ua |
| 30 MAR | Google TAG | Curious Gorge (APT from China), COLDRIVER (APT from Russia), Ghostwriter (APT from Belarus) | blog.google |
| 30 MAR | Viasat | KA-SAT Network cyber attack overview | viasat.com |
| 30 MAR | InQuest | CloudAtlas APT group linked to a maldoc impersonating the United States Securities and Exchange Commission | inquest.net |
| 31 MAR | ReverseMode | VIASAT incident: from speculation to technical details | reversemode.com |
| 31 MAR | SentinelLabs | AcidRain IoT wiper (ELF MIPS), connected to the VPNFilter stage 3 destructive plugin | sentinelone.com |