The 13th of May, Cyber News


Cyber attacks by UAC-0010 (Armageddon) using the malware GammaLoad.PS1_v2 (CERT-UA#4634, 4648)

Ukraine's governmental computer emergency response team, CERT-UA, received information about the distribution of e-mails on the subject «On revenge in Kherson!» containing an attachment in the form of the file «Plan Kherson.htm». The HTM file decodes and creates on the victim's computer the file «Herson.rar», which contains the shortcut file «Plan of approach and planting explosives on the objects of critical infrastructure of Kherson.lnk». If opened, this LNK file downloads and launches the HTA file «precarious.xml», which leads to the creation and execution of the files «desktop.txt» and «user.txt». As a result, the malicious program GammaLoad.PS1_v2 is downloaded to the computer (it implements a mechanism for taking a screenshot and sending it to the command-and-control server). The activity is carried out by the group UAC-0010 (Armageddon) [1].

Ukrtelecom, together with its American partner, repulsed another cyber attack

The Security Operation Center team of JSC Ukrtelecom, together with a partner from the USA, mitigated the impact of and repulsed another DDoS attack on the company's information resources. During the cyberattack, which lasted a day and a half from the night of May 10, the operator's specialists recorded a load of up to 1 million packets per second. Because of the attack, access to the company's website was restricted for some time for security reasons. During the attack, Ukrtelecom's SOC specialists found that most of the attacking IPs (about 85%) were located within Ukraine. Given the parameters of the attack, when «cutting off from the world» was not enough, the IT department decided to use the help of a partner from the United States. By using the cloud infrastructure of Ukrtelecom's partner, it was possible to move the information resources beyond the perimeter of the attack. The transfer of resources was performed professionally and in the shortest possible time, which allowed access to the company's web resources to be gradually restored within an hour. Subsequent attempts by the criminals to carry out another DDoS attack had no effect on the company's resources [2].

Fraudsters are distributing a fake E-support chatbot, referring to the Center for Countering Disinformation at the National Security and Defense Council of Ukraine

The JRS warns that misinformation with the following text is spreading on the Internet: «ATTENTION! The Center for Combating Disinformation at the National Security and Defense Council of Ukraine explains in which areas, according to the Government's decision, IDPs can receive state aid». The text is followed by a link to an imitation chatbot that leads to a fake PrivatBank page. The JRS emphasizes that in all its reports on payments, the Center did not provide a reference to any chatbots and stressed that payments will be made only through the «Action» application. In turn, «Action» has no Telegram bot «Epitrumka_bot» [3].


In the «first world cyber war» russia has no allies at all – expert

Today, everyone is fighting against russia and everyone is gathering information about russia. On the cyber front, the whole world is now at war with russia, a ratio of 99 to 1. Moscow has no allies at all. This was stated by cybersecurity expert Nikita Knysh on the air of the All-Ukrainian Information Telemarathon. «Not all activists are concentrated in Ukraine, and they work from all over the world. I want to emphasize that in russia hackers are mostly security officers, i.e. they are run by the GRU, FSB, Office «K» of the Ministry of Internal Affairs, Group IS,… and they are not volunteers, i.e. they are people in uniform who systematically serve in the Russian army. And the whole world of activists, the same Anonymous, «Mother's Hackers», No name, is now «breaking» the russian Federation… In the russian Federation, as I said, today is a «Death match», i.e. a game of destruction. You can break everything!», said the expert [4].

Kremlin hackers are creating fake Twitter profiles to support dictatorial policies

On the popular platform Twitter alone, a huge number of fake accounts have so far been revealed which, to put it mildly, approve of the russian president. In particular, according to the BBC, hashtags such as #IStandWithputin and #IStandWithrussia («I'm with putin» and «I'm with russia») were actively used on Twitter during March-April. These and other hashtags quickly reached the top in some developing countries and in places where people are not particularly familiar with the use of modern technology. russian cyber warriors skillfully exploit this to create the illusion of «huge support for the russian invasion of Ukraine». But alongside the real profiles, Twitter found a lot of fakes. For the most part, they redistributed other people's tweets, wrote almost nothing about themselves and were created very recently. A total of 9,907 profiles that distributed tweets in support of russia on March 2 and 3 in several languages were tracked. As a result, CASM found that more than a thousand of these accounts had the same signs of spam. As Twitter told BBC reporters, more than 100,000 accounts have been removed since the start of the russian-Ukrainian war for violating the platform's policies, including the blocking of dozens of accounts with the hashtags #IStandWithrussia and #IStandWithputin. The Twitter team has also so far investigated and blocked hundreds of accounts listed in the CASM study, including 11 of the 12 accounts found to be using photos from other people's profiles. Thus, the Kremlin's cyber warriors are doing very poorly, and their illegal activities will never raise the ratings of their masters [5].


G7 will transfer technologies to Ukraine to protect against cyberattacks

The G7 will provide Ukraine with hardware to better protect itself from cyberattacks in the war with russia. This was stated by German Minister of Digitalization Volker Wissing after an online meeting with Mikhail Fedorov. It is still unknown what technology will be transferred to Ukraine. The head of the Ministry of Digitalization Fedorov said that he would send a list of specific needs [6].