Sandworm group – WindowsTechs.com

Why one researcher mimicked Russian hackers in breaking into a European utility

Posted on January 23, 2020 by Sean Lyngaas

Jason Larsen was tired of hearing about the skills of Russian-linked hackers, particularly those who cut power in parts of Ukraine in 2015 and 2016. These were groundbreaking and worrying attacks, he thought to himself, but giving the attackers too much credit makes defending against them more complicated than it needs to be. So Larsen, a researcher at cybersecurity company IOActive, broke into the substation network of a European electric utility using one of the Russian hackers’ techniques. The first segment of the attack — gaining root access on some firmware— took him 14 hours. He took notes by the hour and shared them with the distribution utility, one of his clients, to improve their defenses. “We’ve embodied them with all of these god-like abilities,” Larsen said of Sandworm, the group said to be responsible for the attacks and which many believe to work on behalf of Russia’s military intelligence agency. The group turned the lights […]

The post Why one researcher mimicked Russian hackers in breaking into a European utility appeared first on CyberScoop.

Continue reading Why one researcher mimicked Russian hackers in breaking into a European utility→

Russian-linked VPNFilter malware is even worse than originally thought, new research suggests

Posted on June 6, 2018 by Chris Bing

A malware framework that’s already infected hundreds of thousands of routers across the globe appears to be even more dangerous than originally thought, according to new findings by Cisco’s internal cybersecurity unit Talos. The latest results show that the malware, “VPNFilter,” affects a wider array of devices, including more than 11 different hardware vendors, and carries several previously unknown infection capabilities, such as the potential to manipulate internet traffic on the end device in novel ways. The Talos researchers revealed the additional analysis Wednesday after having first publicly documented the botnet last week. A significant percentage of the devices infected through VPNFilter are based in Ukraine, leading domestic security services to claim that the malware symbolized a national security threat. Broadly speaking, VPNFilter works by traversing the web and automatically targeting unpatched routers and servers that carry outdated software. The term “botnet” is used to describe an army of zombie computers […]

The post Russian-linked VPNFilter malware is even worse than originally thought, new research suggests appeared first on Cyberscoop.

Continue reading Russian-linked VPNFilter malware is even worse than originally thought, new research suggests→

Global ransomware attacks tiptoed around Russian anti-virus products

Posted on October 30, 2017 by Chris Bing

Those responsible for two of the largest ransomware attacks of 2017 designed their malware to carefully handle computers with Russian anti-virus products installed, security researchers have told CyberScoop. For the third time in less than six months, a ransomware-style cyberattack spread across Eastern Europe in a matter of hours. The attack, dubbed “BadRabbit,” infected computers inside Ukrainian and Russian government agencies, Ukrainian transportations facilities and Russian news outlets among other targets; causing a disruption in normal business operations that continues for some until today. Although most of BadRabbit’s impact occurred in Russia, there’s evidence that the malware compromised organizations in several countries other than Ukraine, including Japan and Turkey. The virus, when successfully installed, will encrypt files and then request a payment in the form of Bitcoin from victims in order to unlock their systems. Experts say there’s likely more to the story than a simple ransom collection. An investigation into […]

The post Global ransomware attacks tiptoed around Russian anti-virus products appeared first on Cyberscoop.

Continue reading Global ransomware attacks tiptoed around Russian anti-virus products→

Early evidence suggests ties between Russian hackers and ‘BadRabbit’ attack

Posted on October 25, 2017 by Chris Bing

A software toolkit used in an expansive cyberattack that affected hundreds of organizations across Eastern Europe Tuesday has been linked to a hacking group known as BlackEnergy APT or Telebots, security researchers tell CyberScoop. This threat actor was also responsible for a similar attack dubbed “NotPetya” which largely affected Ukraine and was designed to wipe data from computers rather than collect ransoms when it was executed in June. Experts say BlackEnergy APT acts in the interests of the Kremlin. In the past, the group has repeatedly attacked Ukrainian organizations, including the country’s critical infrastructure sector. The latest variant of ransomware flooding across Europe is named “BadRabbit.” It requires that victims infected with the malware send bitcoin to an anonymous digital wallet in order to unlock their systems — until payment is received, affected computers remain largely unusable. “It appears that the two [ransomware] attacks are connected,” said Costin Raiu, director of the Global Research […]

The post Early evidence suggests ties between Russian hackers and ‘BadRabbit’ attack appeared first on Cyberscoop.

Continue reading Early evidence suggests ties between Russian hackers and ‘BadRabbit’ attack→

Maersk may lose up to $300M due to NotPetya attack

Posted on August 17, 2017 by Chris Bing

The world’s largest container shipping company, A.P. Moller-Maersk, has said that it expects as much as a $300 million dip in profits due to a June 27 ransomware incident, the firm noted in a public report released Wednesday. Maersk executives said they expected losses of between $200 million and $300 million — which will be reflected in the next earnings report — because of a “significant business interruption” caused by the spread of a ransomware variant known as NotPetya inside corporate networks. The disclosure was attached to Maersk’s second-quarter earnings report. Public companies are required to publicly update their investors on the state of the business once every fiscal quarter. While NotPetya was engineered to look like ordinary ransomware, the virus held hidden code that would delete files on an infected computer. Ransomware is not typically designed to be destructive. In most cases, ransomware operators hope to encrypt files on […]

The post Maersk may lose up to $300M due to NotPetya attack appeared first on Cyberscoop.

Continue reading Maersk may lose up to $300M due to NotPetya attack→

‘Patient zero’ of global ransomware incident was warned and owned before outbreak

Posted on July 5, 2017 by Chris Bing

A Ukrainian software company at the center of an international ransomware outbreak was reportedly warned about its insufficient digital security multiple times, and new evidence shows it had been compromised by hackers before last week’s incident. M.E.Doc, a Ukrainian software firm that develops accounting software that is mandated by the country’s government, is widely considered to be the “patient zero” behind ExPetr, a unique ransomware variant that first appeared on June 27 with the capability of spreading quickly across local networks and deleting data. Cybersecurity researchers with Czech security firm ESET published evidence Tuesday that hackers were able to successfully penetrate M.E.Doc in the months preceding the major attack and had installed a series of backdoors. These implants would allow a hacker to remotely execute numerous commands and upload other malicious code. Such a backdoor may have been originally leveraged to launch ExPetr. It’s also possible that the attacker had […]

The post ‘Patient zero’ of global ransomware incident was warned and owned before outbreak appeared first on Cyberscoop.

Continue reading ‘Patient zero’ of global ransomware incident was warned and owned before outbreak→

Early indications point to Sandworm hacking group for global ransomware attack

Posted on June 30, 2017 by Chris Bing

The main suspect behind the recent global ransomware attack is a hacking group with suspected ties to Russia and a history of launching destructive computer viruses, according to research conducted by Czech cybersecurity firm ESET. The company has pegged the attack to a group known as Telebots or Sandworm. “The TeleBots group continues to evolve in order to conduct disruptive attacks against Ukraine. Instead of spearphishing emails with documents containing malicious macros, they used a more sophisticated scheme known as a supply-chain attack,” writes Anton Cherepanov, a senior malware researcher with ESET, in a blog post. “The latest outbreak was directed against businesses in Ukraine, but they apparently underestimated the malware’ spreading capabilities.” While the spread of so-called PetrWrap or NotPetya turned into global news as thousands of computers were locked down by the virus, the incident plays into a larger and already established narrative of hackers repeatedly using wiper malware and defunct ransomware, […]

The post Early indications point to Sandworm hacking group for global ransomware attack appeared first on Cyberscoop.

Continue reading Early indications point to Sandworm hacking group for global ransomware attack→

Early indications point to Sandworm hacking group for global ransomware attack

Posted on June 30, 2017 by Chris Bing

The post Early indications point to Sandworm hacking group for global ransomware attack appeared first on Cyberscoop.

Continue reading Early indications point to Sandworm hacking group for global ransomware attack→

Researchers find cyberweapon capable of knocking out electric grids

Posted on June 12, 2017 by Chris Bing

A newly discovered malware framework, which some believe carries signs of Russian authorship, can be used by hackers to disrupt industrial control systems and cause mass power outages, according to research conducted by cybersecurity firms Dragos Inc. and ESET. The findings are significant because they represent the first known real-world case of a computer virus designed to directly interact with electric grid hardware, explained Sergio Caltagirone, director of threat intelligence for Dragos. Researchers believe that a version of the malware framework, dubbed “CrashOverride” or “Industroyer,” was previously leveraged to hack into an electric transmission station in Ukraine causing a black out for several hours last December in neighborhoods just north of Kiev. Evidence of a connection between CrashOverride’s author and the attackers behind last year’s Ukrainian power grid incident exists, according to Caltagirone, but was not published in Dragos’ technical analysis. In January, iSight Partners, a subsidiary of U.S. cybersecurity […]

The post Researchers find cyberweapon capable of knocking out electric grids appeared first on Cyberscoop.

Continue reading Researchers find cyberweapon capable of knocking out electric grids→