Microsoft believes that Russia's military intelligence arm was behind the attacks on Polish and Ukrainian organizations.
If the assessment is correct, it could be cause for concern for the US government: Poland is a NATO member and a strong supporter of Ukraine, and the group Microsoft blames, Sandworm, is one of the world's most capable and destructive hacking groups and is believed to be backed by the GRU, Russia's military intelligence agency.
Sandworm has been definitively linked to the NotPetya wiper attacks of 2017, a global outbreak that a White House assessment said caused $10 billion in damages, making it the most costly hack in history. Sandworm has also been definitively tied to the hacks on Ukraine's power grid that caused widespread outages in December 2015 and again in December 2016.

Microsoft said last month that transportation and logistics organizations in Poland and Ukraine had been hit by a ransomware family it calls Prestige. By the time the ransomware appeared, the threat actors had already taken control of the victims' networks; on October 11, they deployed Prestige across all of the victims within a single hour.
Once installed, the ransomware encrypted the contents of files ending in .txt, .png, .gpg, and more than 200 other extensions, appending the extension .enc to each encrypted file. Microsoft initially attributed the attack to a group it tracked as DEV-0960.
Researchers at Microsoft have since determined, based on forensic artifacts and overlaps in capabilities, that DEV-0960 was very likely Iridium, the name Microsoft uses for Sandworm.
According to members of the Microsoft Threat Intelligence Center (MSTIC), the Prestige campaign may show a shift in Iridium's destructive-attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine. More broadly, it may increase the risk to organizations in Eastern Europe that the Russian state may consider to be providing support for the war.
According to Thursday's update, the Prestige campaign is distinct from the destructive attacks of the previous two weeks that used malicious software against multiple critical infrastructure organizations in Ukraine. The researchers said they have not yet attributed those earlier attacks, but they now have enough evidence to link the Prestige campaign to Iridium. Microsoft is in the process of notifying customers whose networks Iridium has compromised but where ransomware has not yet been deployed.
The sophistication of the attacks was underscored by the use of multiple methods to deploy the ransomware. Across the victims, the deployment methods included:
Windows scheduled tasks
Encoded PowerShell commands
Default Domain Group Policy Objects
Most ransomware operators develop a preferred set of tradecraft for deploying their payload and stick with it unless a security configuration blocks their preferred method. In the Iridium activity, the deployment method varied from victim to victim, and that variation did not appear to be due to security configurations preventing the attacker from reusing the same technique. This is especially notable because all of the ransomware deployments occurred within a single hour.
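As an added example (not code from the original article or from Microsoft), the following Python script hunts for the three deployment methods listed above in process-creation telemetry such as Sysmon Event ID 1 or Windows Security Event 4688 command lines, and then checks whether the matching hosts were hit within a one-hour window, the fleet-wide rollout pattern the report describes. The sample events, host names, file names and timestamps are constructed for the demonstration; the only real constant is the well-known GUID of the Default Domain Policy GPO. The remote-task heuristic (schtasks /S) and the SYSVOL startup-script path are assumed detection logic, not indicators published by Microsoft.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Well-known GUID of the Default Domain Policy GPO; it is the same in every Active Directory domain.
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"

# Common spellings of PowerShell's -EncodedCommand switch, capturing the base64 blob that follows.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


@dataclass
class Finding:
    when: datetime
    host: str
    technique: str
    detail: str


def encode_powershell(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries a valid encoded command, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not base64, or not UTF-16LE text: treat as no encoded command


def analyze_event(when: datetime, host: str, image: str, cmdline: str) -> list:
    """Return the deployment patterns a single process-creation event matches."""
    findings = []
    exe = image.lower().rsplit("\\", 1)[-1]
    low = cmdline.lower()
    # 1. schtasks.exe /Create aimed at another machine (/S <host>): remote scheduled-task creation.
    if exe == "schtasks.exe" and "/create" in low and re.search(r"/s\s", low):
        findings.append(Finding(when, host, "remote_scheduled_task", cmdline))
    # 2. powershell.exe launched with an encoded command: decode it so the analyst sees the script.
    if exe == "powershell.exe":
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append(Finding(when, host, "encoded_powershell", decoded))
    # 3. Anything written under the Default Domain Policy's SYSVOL folder: GPO-based deployment.
    if "sysvol" in low and DEFAULT_DOMAIN_POLICY_GUID.lower() in low:
        findings.append(Finding(when, host, "default_domain_gpo_write", cmdline))
    return findings


def deployment_burst(findings: list, window: timedelta = timedelta(hours=1)) -> list:
    """Hosts with a finding inside `window` of the earliest finding: a fleet-wide rollout signature."""
    if not findings:
        return []
    start = min(f.when for f in findings)
    return sorted({f.host for f in findings if f.when - start <= window})


# Constructed sample telemetry (hypothetical hosts, file names and times; not indicators from
# Microsoft's report). Fields: timestamp, host, image path, command line.
PAYLOAD_SCRIPT = r"Start-Process -FilePath 'C:\Windows\Temp\update.exe' -WindowStyle Hidden"
SAMPLE_EVENTS = [
    (datetime(2022, 10, 11, 20, 2), "SRV-LOG01", r"C:\Windows\System32\schtasks.exe",
     r'schtasks.exe /S srv-log02 /Create /RU SYSTEM /TN "Update" /TR "C:\Windows\Temp\update.exe" /SC ONCE /ST 20:05'),
    (datetime(2022, 10, 11, 20, 17), "SRV-LOG01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoP -W Hidden -enc " + encode_powershell(PAYLOAD_SCRIPT)),
    (datetime(2022, 10, 11, 20, 41), "DC01", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c copy C:\Windows\Temp\update.exe \\dc01\SYSVOL\corp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\update.exe"),
    (datetime(2022, 10, 12, 9, 5), "WS-042", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),  # benign control event
]


def run(events=SAMPLE_EVENTS) -> list:
    """Analyze every event and return all findings in event order."""
    return [f for ev in events for f in analyze_event(*ev)]


if __name__ == "__main__":
    found = run()
    for f in found:
        print(f"{f.when:%Y-%m-%d %H:%M} {f.host:<10} {f.technique:<26} {f.detail[:70]}")
    print("hosts touched within one hour of first finding:", deployment_burst(found))
```

Run it as a script to print the findings, or call run() on your own (timestamp, host, image path, command line) tuples exported from your SIEM. The decoder accepts the short spellings of -EncodedCommand and rejects blobs that are not valid base64 or UTF-16LE, so switches such as -ExecutionPolicy do not produce false positives; the one-hour correlation is what turns three unrelated-looking host alerts into the single coordinated deployment the report describes.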
Thursday's update includes technical indicators that organizations can use to determine whether they have been targeted.