7 December 2022

Russian hackers use western networks to attack Ukraine

Russia-linked threat actors are using compromised networks of organizations in the UK, US, France, Brazil, and South Africa, including a Fortune 500 firm, and more than a dozen healthcare organizations, to launch cyberattacks against Ukraine, a recent report from cybersecurity company Lupovis revealed.

Since the start of the war, threat actors affiliated with the Russian government have been increasingly targeting Ukrainian organizations, as well as entities in the countries that support Ukraine, so the researchers decided to lure Russian hackers to collect threat intelligence on their tactics, techniques and procedures (TTPs) and the CVEs used.

They built decoys designed to be attractive to Russian adversaries: Ukraine-themed documents and websites, together with high-interaction SSH services configured to accept the fake credentials handed out by the web portals and to report a critical attack if the full chain was followed.
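As an added illustration of the decoy chain described above (this is example code, not the report's or Lupovis's own tooling), the following Python sketch correlates constructed log lines from a hypothetical lure portal and SSH decoy. A source that takes a decoy credential from the portal and then logs in with it on the SSH decoy is rated critical, matching the "full chain" condition; a decoy username arriving from a source that never visited the portal is also rated critical but flagged as relayed, since it shows the lure was shared. The log formats, lure names and usernames are assumptions.

```python
"""Decoy-credential chain correlator.

Added example, not code from the Lupovis report. It models the chain the
report describes: a lure portal hands out fake credentials, an SSH decoy
accepts them, and a portal visit followed by an SSH login with the same
decoy credential is a full-chain hit rated critical.
"""
from dataclasses import dataclass
import re

# Constructed mapping from lure portal name to the decoy username it leaks.
# The decoy SSH service itself accepts the matching fake password.
DECOY_USERS = {
    "ua-portal-01": "svc_backup",   # constructed
    "ua-portal-02": "admin_mil",    # constructed
}

# Assumed log formats for the two decoy components (constructed).
PORTAL_RE = re.compile(
    r"^(?P<ts>\S+) portal lure=(?P<lure>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$"
)
SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Alert:
    src: str
    severity: str   # low / medium / critical
    stage: str      # which point in the chain was reached
    detail: str


def correlate(lines):
    """Walk log lines in order and emit one alert per decoy interaction.

    Stages: 'recon' (portal viewed), 'credential' (decoy credential taken),
    'full_chain' (SSH decoy login using a credential that source took),
    'full_chain_relayed' (decoy credential used from a source that never
    took it), 'ssh_probe' (any other SSH attempt).
    """
    issued = {}          # src -> set of decoy usernames it obtained
    alerts = []
    decoy_usernames = set(DECOY_USERS.values())

    for line in lines:
        m = PORTAL_RE.match(line)
        if m:
            src, lure, action = m["src"], m["lure"], m["action"]
            if action == "view":
                alerts.append(Alert(src, "low", "recon", f"viewed lure {lure}"))
            elif action == "download" and lure in DECOY_USERS:
                user = DECOY_USERS[lure]
                issued.setdefault(src, set()).add(user)
                alerts.append(Alert(src, "medium", "credential",
                                    f"took decoy credential {user} from {lure}"))
            continue

        m = SSH_RE.match(line)
        if m:
            src, user, result = m["src"], m["user"], m["result"]
            if result == "accepted" and user in issued.get(src, set()):
                # Same source walked the whole chain: portal -> credential -> SSH.
                alerts.append(Alert(src, "critical", "full_chain",
                                    f"decoy credential {user} used on SSH decoy"))
            elif result == "accepted" and user in decoy_usernames:
                # Decoy credential arrived from a source that never took it.
                alerts.append(Alert(src, "critical", "full_chain_relayed",
                                    f"decoy credential {user} used from new source"))
            else:
                alerts.append(Alert(src, "low", "ssh_probe",
                                    f"login attempt user={user} result={result}"))
    return alerts


def critical_sources(lines):
    """Return the set of source addresses that completed the chain."""
    return {a.src for a in correlate(lines) if a.severity == "critical"}


# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG = [
    "2022-11-01T10:00:00Z portal lure=ua-portal-01 src=203.0.113.5 action=view",
    "2022-11-01T10:00:20Z portal lure=ua-portal-01 src=203.0.113.5 action=download",
    "2022-11-01T10:00:45Z sshd src=203.0.113.5 user=svc_backup result=accepted",
    "2022-11-01T10:02:00Z sshd src=198.51.100.9 user=root result=failed",
    "2022-11-01T10:03:00Z sshd src=198.51.100.9 user=admin_mil result=accepted",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(f"[{alert.severity:8}] {alert.src:14} {alert.stage:18} {alert.detail}")
```

Because the decoy credentials are never valid anywhere else, any accepted SSH login with one of them is a true positive by construction, which is what makes the full-chain condition a high-confidence signal rather than a noisy one.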

The research team then leaked information and documents on Telegram channels and hacking forums. According to the researchers, around 50–60 human actors interacted with just five decoys, with many of them reaching the honeypots within a minute of the decoys going live.

The hackers attempted a variety of attacks, including reconnaissance on the ‘lure information’, targeted SQL injection, DDoS attacks, remote file inclusion, Docker exploitation, use of leaked Ukrainian credentials, and use of known CVEs.

“Our study highlights the inner workings on Russian cybercriminals and just how embedded they are within organisations’ networks across the world. Decoys are an effective way to detect and protect against cyber adversaries. Through deceptive-based cyber tools and decoys, we can lure threat actors towards enticing targets and trick them into thinking they are reaching something of value. Through this reconnaissance, we can also understand how threat actors operate and how they share information across their peers,” Lupovis concluded.
