7 December 2022

Russian hackers use western networks to attack Ukraine

Russia-linked threat actors are using compromised networks of organizations in the UK, US, France, Brazil, and South Africa, including a Fortune 500 firm, and more than a dozen healthcare organizations, to launch cyberattacks against Ukraine, a recent report from cybersecurity company Lupovis revealed.

Since the start of the war, threat actors affiliated with the Russian government have been increasingly targeting Ukrainian organizations, as well as entities in the countries that support Ukraine, so the researchers decided to lure Russian hackers to collect threat intelligence on their tactics, techniques and procedures (TTPs) and the CVEs used.

They built decoys designed to attract Russian adversaries: Ukraine-themed documents and websites, together with high-interaction SSH services configured to accept the faux credentials handed out by the web portals and to report a critical attack if the full chain was followed.

The research team then leaked information and documents on Telegram channels and hacking forums. According to the researchers, around 50–60 human actors interacted with just five decoys, with many of them reaching the honeypots within a minute of the decoys going live.
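The decoy chain described above (faux credentials handed out by a lure portal, an SSH decoy that accepts only those credentials) can be monitored with a small correlation rule. The following is an added example written for this page, not Lupovis's tooling; the log layout, field names and sample addresses are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample events (not real Lupovis data). Two decoys as described
# in the article: a Ukraine-themed web portal that hands out faux credentials,
# and an SSH service that only those credentials can "log in" to.
# Log layout and field names are assumptions made for this example.
PORTAL_LOG = [
    "2022-11-20T10:01:02Z portal src=198.51.100.7 event=lure_download cred=analyst1:Kyiv2022!",
    "2022-11-20T10:03:15Z portal src=203.0.113.9 event=lure_download cred=analyst2:Dnipro#44",
]
SSH_LOG = [
    "2022-11-20T10:02:40Z ssh src=198.51.100.7 event=login user=analyst1 pass=Kyiv2022! result=accepted",
    "2022-11-20T10:05:01Z ssh src=192.0.2.33 event=login user=root pass=toor result=rejected",
    "2022-11-20T10:06:10Z ssh src=192.0.2.33 event=login user=analyst2 pass=Dnipro#44 result=accepted",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split '<ts> <decoy> k=v k=v ...' into a dict (values contain no spaces)."""
    ts, decoy, *pairs = line.split(" ")
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"], ev["decoy"] = ts, decoy
    return ev


def correlate(portal_lines: List[str], ssh_lines: List[str]) -> List[Dict[str, object]]:
    """One alert per SSH login against the decoy.

    'critical' means the full chain was followed: the credential was first
    handed out by the portal and then used on the SSH decoy. same_src=False
    on a critical alert shows the credential travelled to another operator,
    which is the peer-sharing behaviour the report describes.
    """
    issued: Dict[Tuple[str, str], Dict[str, str]] = {}
    for line in portal_lines:
        ev = parse_event(line)
        if ev.get("event") == "lure_download":
            user, pw = ev["cred"].split(":", 1)
            issued[(user, pw)] = ev
    alerts = []
    for line in ssh_lines:
        ev = parse_event(line)
        if ev.get("event") != "login":
            continue
        lure = issued.get((ev["user"], ev["pass"]))
        full_chain = lure is not None and lure["ts"] <= ev["ts"]  # ISO-8601 sorts lexically
        alerts.append({
            "severity": "critical" if full_chain else "low",
            "user": ev["user"],
            "login_src": ev["src"],
            "lure_src": lure["src"] if full_chain else None,
            "same_src": full_chain and lure["src"] == ev["src"],
        })
    return alerts
```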

The hackers attempted a variety of attacks, including reconnaissance on the ‘lure information,’ targeted SQL injection, DDoS attacks, remote file inclusion, Docker exploitation, use of leaked Ukrainian credentials, and use of known CVEs.

“Our study highlights the inner workings of Russian cybercriminals and just how embedded they are within organisations’ networks across the world. Decoys are an effective way to detect and protect against cyber adversaries. Through deceptive-based cyber tools and decoys, we can lure threat actors towards enticing targets and trick them into thinking they are reaching something of value. Through this reconnaissance, we can also understand how threat actors operate and how they share information across their peers,” Lupovis concluded.
