07.07.2022

The 7th of July, Cyber News

Ukraine 

UAC-0056 Cyber Attack on State Organizations of Ukraine Using Cobalt Strike Beacon (CERT-UA#4914)

The document contains a macro whose activation leads to the creation and launch of the file «write.exe» on the computer. This file acts as a dropper: it writes the file «%PROGRAMDATA%\TRYxaEbX» to disk, decrypts it (RC4) and runs the result as a PowerShell script. The EXE also establishes its own persistence by creating a «Check License» entry in the «Run» key of the Windows registry. The resulting PowerShell script bypasses AMSI and disables PowerShell event logging, then decodes and decompresses its payload into a further PowerShell script, which in turn runs the Cobalt Strike Beacon malware. With medium confidence, the detected activity is attributed to the UAC-0056 group. [1]
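The chain above (Office document spawning a dropper, a file written to the root of %PROGRAMDATA%, a Run-key entry, PowerShell that tampers with AMSI and logging before decoding a stage) is what a hunter wants to see correlated on one host. The following is an added example, not detection content from the CERT-UA advisory: the telemetry records are constructed to resemble Sysmon-style process-create, file-create and registry-set events, and the command-line indicator strings (AmsiUtils, amsiInitFailed, EnableScriptBlockLogging, FromBase64String, Decompress) are commonly seen strings that I assume here, since the advisory does not publish the script's exact text. The «Check License» value name and the «TRYxaEbX» path are the advisory's own indicators.

```python
"""Hunting rules for the dropper chain described in CERT-UA#4914.

Added example: the events below are constructed sample telemetry, and the
indicator strings and thresholds are assumptions of this example, not
published detection logic.
"""
import ntpath
import re

# Strings commonly seen in PowerShell that bypasses AMSI or disables logging,
# plus stager-style decode/decompress calls (assumed, not from the advisory).
AMSI_LOGGING_INDICATORS = ("amsiutils", "amsiinitfailed", "amsiscanbuffer",
                           "enablescriptblocklogging", "enablemodulelogging")
STAGER_INDICATORS = ("frombase64string", "decompress", "gzipstream", "deflatestream")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample telemetry: ws01 is benign, ws02 shows the full chain.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe report.txt"},
    {"host": "ws02", "type": "process_create", "image": r"C:\Users\u\AppData\Local\Temp\write.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "cmdline": "write.exe"},
    {"host": "ws02", "type": "file_create", "image": r"C:\Users\u\AppData\Local\Temp\write.exe",
     "target": r"C:\ProgramData\TRYxaEbX"},
    {"host": "ws02", "type": "registry_set", "image": r"C:\Users\u\AppData\Local\Temp\write.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Check License"},
    {"host": "ws02", "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\write.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "[Ref].Assembly.GetType('
                "'System.Management.Automation.AmsiUtils')...; IEX(...GzipStream...)\""},
]


def _base(path):
    return ntpath.basename(path).lower()


def _is_trusted(path):
    return path.lower().startswith(TRUSTED_DIRS)


def rule_office_spawns_dropper(ev):
    # An Office process starting an executable outside Windows/Program Files.
    return (ev["type"] == "process_create"
            and _base(ev.get("parent", "")) in OFFICE_PARENTS
            and not _is_trusted(ev["image"]))


def rule_programdata_drop(ev):
    # Extension-less file written directly into the root of %PROGRAMDATA%
    # by a process that does not live in a trusted directory. Legitimate
    # installers do write there, so this rule is for correlation, not alerting.
    if ev["type"] != "file_create" or _is_trusted(ev["image"]):
        return False
    return re.fullmatch(r"[a-z]:\\programdata\\[^\\.]+", ev["target"].lower()) is not None


def rule_run_key_persistence(ev):
    # Any Run value named "Check License" (advisory IOC), or any Run value
    # written by a process from an untrusted directory.
    if ev["type"] != "registry_set":
        return False
    m = re.search(r"\\currentversion\\run\\([^\\]+)$", ev["target"], re.IGNORECASE)
    if not m:
        return False
    return m.group(1).lower() == "check license" or not _is_trusted(ev["image"])


def rule_powershell_tamper(ev):
    # Process-create command lines survive even when the script disables
    # script-block logging, which is why this rule reads cmdline, not 4104 events.
    if ev["type"] != "process_create" or _base(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False
    cmd = ev.get("cmdline", "").lower()
    return any(s in cmd for s in AMSI_LOGGING_INDICATORS + STAGER_INDICATORS)


RULES = {
    "office_spawns_dropper": rule_office_spawns_dropper,
    "programdata_drop": rule_programdata_drop,
    "run_key_persistence": rule_run_key_persistence,
    "powershell_tamper": rule_powershell_tamper,
}


def hunt(events):
    """Return {host: sorted rule names} for every host where a rule fired."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}


def chain_complete(rule_names):
    """True when every stage of the advisory's chain was seen on one host."""
    return set(RULES) <= set(rule_names)


if __name__ == "__main__":
    for host, names in hunt(SAMPLE_EVENTS).items():
        print(host, names, "FULL CHAIN" if chain_complete(names) else "")
```

The individual rules are noisy on their own (software installers write to %PROGRAMDATA% and register Run values); the value is in requiring several of them on the same host within a short window, and in the fact that process-create and registry telemetry are collected by the kernel driver and are not affected by the script's own logging tampering.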

The Zaporizhzhia Editorial Office of Inform.zp.ua Is Again Threatened with Criminal Prosecution from russia

The Zaporizhzhia editorial office of inform.zp.ua received two letters with threats in verse from russia over the past week. On July 1, a letter from the user «Elmira Afanasyeva» with the subject «Very important!» arrived in the editorial mailbox from the russian mail service inbox.ru. In it, again in verse, the author threatened the editorial staff with criminal liability for their journalistic work. In particular, the letter read: «The russian army are the liberators, they are conducting an operation to save you. And you, the propagandist-disseminators, cannot avoid criminal responsibility!». On July 4, the editors received a letter from «Yana Vlasova» with the subject «Reminder». In that message, also sent from the russian mail service inbox.ru, the author «reminded» them of the following: «V means «victory», Z means «for us!» Your song is performed by propagandist lying mouths!» [2]

NATO Will Strengthen Ukraine’s Cyber Defense

At this year's Madrid Summit, the Alliance updated the Comprehensive Assistance Package for Ukraine. In the field of cyber security, NATO will focus on building Ukraine's capabilities, providing the necessary equipment and training personnel, so that Ukraine gains the ability to protect its infrastructure from the most advanced cyber attacks. An important direction of cooperation is to jointly counter and stop the activities of persons who live in NATO member countries and support the russian Federation's hybrid aggression in cyberspace. Ukraine is also expected to soon join the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) as a permanent member. Ukraine submitted an official request to join the Centre on August 4, 2021, and on March 4, 2022, its application was unanimously supported by all members of the organization's Steering Committee. Ukraine has cooperated actively with NATO on cyber security since 2014 and has achieved considerable success. As noted by the Pentagon, since the start of the full-scale war none of the numerous russian hacking attacks has had a critical impact on Ukrainian infrastructure. [3]

The Work of SSU in Odessa Region

In Odesa, cyber specialists of the Security Service of Ukraine neutralized a network of five russian Internet agents who were «spreading» destructive posts via social networks. [4]

russia  

«russian Military, Surrender!» The Website of the Singer Gradsky Became a Mouthpiece of the Truth about the War in Ukraine

Thanks to Ukrainian hackers, the website of the late People's Artist of russia, singer and composer Oleksandr Gradsky, has become a mouthpiece of the truth about the war in Ukraine. On the main page one can see the real losses of russian soldiers, calls to surrender and pro-Ukrainian clips. Volodymyr Tymynskyi, a resident of the city of Dnipro, who is listed in the «authors» section and is the only Ukrainian on the list, is probably behind this. The updated feed can be viewed on the late Gradsky's website. New posts appear on the page every 3-5 days. Usually, the author gives current figures on the losses of the russian military and its equipment. The messages also always contain a call to surrender and the phone number of the Ministry of Defense of Ukraine. «Practically the only way for russian soldiers to stay alive is to surrender!» the posts say. Sometimes the statistics are «diluted» with longer news about the defeats of the russian army and the russian federation's other problems on the battlefield.

In addition to the author's own texts, the hacker posts anti-war clips and songs by russian bands, advertisements, recordings of conversations with captured occupiers, and other pro-Ukrainian videos on the website. Part of the main feed is also set aside for quotes from Oleksandr Gradsky that carry a political connotation and disagreement with the current regime. [5]

The russian Website of the IKEA Company Was Hacked

«Yesterday they really did open and started fulfilling orders; some made it, and some didn't. A bot attack began and took down the site, both the russian and the foreign one. That is, someone deliberately staged a hacker attack,» he noted. According to the agency's source, the problem is expected to be resolved within a few days. IKEA's online sale of household goods started on the night of July 4-5, 2022. At the same time, users who tried to add selected products to the cart encountered a failure. Later, a message appeared on IKEA's website stating that checkout on the website and through the Customer Support Center was temporarily unavailable «for technical reasons». On June 15, IKEA announced the sale of all four of its factories in russia. At the end of June, the company began notifying the shopping centers where its stores are located of its intention to terminate the lease contracts early. [6]

World

A British Jewelry Corporation Paid a $7.5 Million Ransom to russian Hackers

The hacking group Conti, which is associated with the russian Federation, breached the customer database of the British jewelry corporation Graff Diamonds and forced it to pay $7.5 million to prevent data on high-profile customers from becoming widely accessible. «The British jewelry corporation Graff Diamonds paid $7.5 million in bitcoin to a russian hacking group after the leak of data on the jeweler's famous customers,» Bloomberg notes, referring to a court case opened in London. Graff Diamonds is understood to have sued its insurer over the losses caused by the hackers. The corporation says the payment should be covered under its policy; the insurer, however, refuses to pay. The attack on the jeweler took place in September 2021, but its details have only now become known. In particular, a database with customer names, including data on the royal families of Saudi Arabia, the UAE, and Qatar, was stolen and partially made public. The hackers demanded a $15 million ransom to stop publishing the stolen data. The company said it could pay only half, and on November 3 it transferred $7.5 million (118 bitcoins at the exchange rate at the time). The next day, however, the price of bitcoin fell sharply. It is not known whether the hackers managed to cash out in time, because, according to the report, by November 4 the 118 bitcoins were worth $2.3 million. [7]