Key Intelligence Signals:
A new threat actor tracked as UAC-0050 (aka UAC-0096) attacked the Ukrainian government.
Summary:
The Ukrainian CERT detected a new threat actor targeting the Ukrainian government. The threat actor impersonated the Pechersk District Court of the City of Kyiv, sending emails with the subject “Pechersk District Court of the City of Kyiv” and a .RAR attachment. The .RAR archive contained a text document named “access code 3527 .txt” and a password-protected RAR archive, “electronic court request No. 7836071.rar”, which in turn contained an executable, “electronic court request No. 7836071.pdf.exe”, 688 MB in size and carrying a forged digital signature. The executable is a stub built with the Remcos remote administration tool. Once the malicious .exe runs, the threat actor gains full access to the victim’s machine and can conduct surveillance on it.
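The lure chain above combines several indicators that a mail gateway or sandbox can score once the archives are expanded. The following is an added example, not CYFIRMA’s or CERT-UA’s tooling: it walks a constructed attachment manifest modelled on the described chain and flags a plaintext “access code” file sitting beside a password-protected archive, a double-extension executable, an inflated executable and a signature that does not verify. The `Item` structure, the 100 MB inflation threshold and the indicator names are assumptions of this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Document-looking name followed by an executable extension, e.g. "request.pdf.exe"
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpg|png)\.(exe|scr|com|bat|js|vbs|msi)$", re.I)
EXECUTABLE = re.compile(r"\.(exe|scr|com|bat|js|vbs|msi)$", re.I)
ACCESS_CODE = re.compile(r"access\s*code|password|пароль|код", re.I)
INFLATED_BYTES = 100 * 1024 * 1024  # assumed threshold; the sample was padded to 688 MB

@dataclass
class Item:
    """One node of an expanded attachment tree (assumed sandbox/gateway output)."""
    name: str
    size: int
    encrypted: bool = False            # archive requires a password to open
    signature: str | None = None       # "valid", "invalid" (does not verify) or None
    children: list[Item] = field(default_factory=list)

def triage(item: Item, inside_encrypted: bool = False) -> list[str]:
    """Return the sorted, de-duplicated indicators hit anywhere in the tree."""
    hits: list[str] = []
    if item.children:
        names = [c.name for c in item.children]
        has_code_txt = any(n.lower().endswith(".txt") and ACCESS_CODE.search(n) for n in names)
        # The password for the inner archive is shipped in a sibling text file
        if has_code_txt and any(c.encrypted for c in item.children):
            hits.append("password-in-plaintext-sibling")
    for child in item.children:
        if DOUBLE_EXT.search(child.name):
            hits.append(f"double-extension-executable:{child.name}")
        if EXECUTABLE.search(child.name):
            if inside_encrypted or item.encrypted:
                hits.append("executable-in-encrypted-archive")  # hidden from archive scanners
            if child.size >= INFLATED_BYTES:
                hits.append("inflated-executable")               # padded past typical scan limits
            if child.signature == "invalid":
                hits.append("invalid-signature")
        hits.extend(triage(child, inside_encrypted or item.encrypted))
    return sorted(set(hits))

def verdict(hits: list[str]) -> str:
    return "block" if len(hits) >= 3 else "review" if hits else "allow"

# Constructed manifest mirroring the reported chain (sizes approximate)
SAMPLE = Item("Pechersk District Court of the City of Kyiv.rar", 700 * 1024 * 1024, children=[
    Item("access code 3527 .txt", 14),
    Item("electronic court request No. 7836071.rar", 700 * 1024 * 1024, encrypted=True, children=[
        Item("electronic court request No. 7836071.pdf.exe", 688 * 1024 * 1024, signature="invalid"),
    ]),
])

if __name__ == "__main__":
    print(verdict(triage(SAMPLE)), triage(SAMPLE))
```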
Insights:
It has been a year since the war between Russia and Ukraine broke out. The first stage of the attack was a cyber-attack on Ukraine by Russian state-sponsored hacking groups, which disrupted various strategic assets. To this day, attacks on sensitive institutions and assets have not stopped.
The US Cybersecurity and Infrastructure Security Agency (CISA) advised all organizations to stay alert for renewed, more intense Russian cyberattacks as the war Russia wages against Ukraine enters its second year. According to the agency’s press release, CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites intended to sow chaos and societal discord around the anniversary of Russia’s 2022 invasion of Ukraine. The agency urged organizations and individuals to increase their cyber vigilance in response to this potential threat and drew particular attention to the threat of DDoS attacks.
The European Union Agency for Cybersecurity (ENISA) and the EU Computer Emergency Response Team (CERT-EU) warned that several Chinese state-sponsored hacking groups are targeting businesses and government organizations in the EU. The joint advisory said that the threat actors were observed conducting malicious cyber activities against businesses and governments in the Union. The Chinese APTs named in the report include Emissary Panda, APT 30, Zirconium, Mirage, Gallium, and Mustang Panda. The two agencies stated that the attackers frequently used the invasion of Ukraine and its effect on EU businesses as a hook in phishing attempts. The joint statement called on European organizations to focus on tightening access controls, hardening software products and highly privileged accounts, and using strong passwords and multi-factor authentication on all accounts. The advisory comes a week after the FBI warned U.S. secretaries of state about the growing threat of Chinese hacking operations against state government networks.
Moscow plans to roll out a new internet surveillance system, dubbed Vepr (the Russian word for boar), later this year, according to the state media outlet TASS. Roskomnadzor, the Russian telecommunications regulator, has been working on the system since early 2022. Analysts note that the Russian government is increasingly trying to insulate its citizens from the free distribution of information that could cast its hazardous foreign policies and domestic repression in a bad light, in effect trying to recreate the totalitarian state monopoly on information that existed in Soviet times.
While the government claims the system will not be used to take down content, but only to act as an early-warning system for mass social events, the inspiration drawn from the Chinese censorship model is apparent. The Kremlin has ramped up its automated online censorship programs since the invasion of Ukraine in February 2022, and earlier this month launched the Oculus surveillance system, designed to scan images and text on the internet for dissenting users.
The CYFIRMA Research team observed that the American TV giant and satellite broadcast provider Dish Network has mysteriously gone offline, with its websites and apps ceasing to function, due to a ransomware attack.
Source: Telegram
The team also observed a potential data leak related to www[.]pajak[.]go[.]id. The Directorate General of Taxes (Indonesian: Direktorat Jenderal Pajak, also known as DJP) is an Indonesian government agency under the Ministry of Finance, tasked with formulating and implementing taxation policy and technical standardization in the field of taxation. The leak comprises 34 files totalling 66 MB of compressed data.
Source: Underground Forums