Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime
Russian Hackers Target Ukraine With Malicious EncryptionFrom Russia with Love Group Boasted of Removing Decryptor from Somnia Ransomware
Hackers operating in Russia successfully implanted downloads of network scanning software with an info stealer to spy on organizations in Ukraine and ultimately disrupt their operations through malicious encryption of data.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Ukraine's Computer Emergency Response Team on Friday attributed a spate of attacks to a group known as From Russia with Love, also known as Z-Team. The letter "Z" has become a militarist symbol of support for Russia's invasion of Ukraine. CERT-UA tracks the group as UAC-0118.
The pattern of attack identified by CERT-UA is for initial access brokers to gain a toehold on targeted systems by embedding the Vidar info stealer into the download from websites masquerading as the website of Advanced IP Scanner - software for identifying devices on a local network.
Post-infection, From Russia with Love takes over with the end goal of introducing Somnia ransomware. But unlike most ransomware groups, it does so without the possibility of a decryptor and therefore permanently locks victims from accessing their files. The ransomware gets its name from the
.somnia extension it adds to encrypted files.
The From Russia with Love Telegram site in August boasted of removing the decryption function in a post that included "Zelensky devil" as a justification for the infections. Ukrainian President Volodymyr Zelenskyy on Monday visited the Ukrainian city of Kherson hours after telling the country that investigators had documented more than 400 war crimes during its Russian occupation.
CERT-UA says Vidar steals, among other things, Telegram session data allowing hackers to log on to the social media service, assuming that account holders haven't configured two-factor authentication. Hackers used Telegram to transfer VPN connection configuration files - again allowing hackers to reestablish the VPN connection in the absence of a multifactor authentication requirement.
Having gained access to an organization's computer network, Russian hackers conducted reconnaissance, established permanence through a Cobalt Strike Beacon and exfiltrated data.