From c5df6a083f1103679087df39f08f47a40a5a3448 Mon Sep 17 00:00:00 2001 From: Kyle Date: Tue, 14 Mar 2023 14:18:44 -0400 Subject: [PATCH] Updated Threat Report Timelines Updated Threat Report Timelines --- Threat Reports/August.md | 5 ++++- Threat Reports/December.md | 2 ++ Threat Reports/February2023.md | 4 +++- Threat Reports/January2023.md | 1 + Threat Reports/July.md | 4 ++++ Threat Reports/November.md | 8 ++++---- Threat Reports/October.md | 3 +-- Threat Reports/September.md | 1 + 8 files changed, 20 insertions(+), 8 deletions(-) diff --git a/Threat Reports/August.md b/Threat Reports/August.md index bb12341..89c5603 100644 --- a/Threat Reports/August.md +++ b/Threat Reports/August.md 
@@ -4,6 +4,9 @@ | 8 August | Gazeta | Gazeta ru published an interview with Killmilk, the founder of Killnet, who says he left the group to do riskier stuff | [gazeta.ru](https://www.gazeta.ru/tech/2022/08/07/15229652.shtml) | | 9 August | Yle | NBI launches probe into attack on Finnish Parliament site - The National Bureau of Investigation (NBI) has launched a probe into the denial of service attack, which allegedly originated from Russia. | [yle.fi](https://yle.fi/a/3-12569719) | | 10 August | DarkTrace | Threat actor tactics in the Russo-Ukrainian conflict: analyst observations and predictions | [darktrace.com](https://darktrace.com/blog/threat-actor-tactics-in-the-russo-ukrainian-conflict-analyst-observations-and-predictions) | +| 10 August | CERT-UA | Cyberattacks of the UAC-0010 group (Armageddon): malicious programs GammaLoad, GammaSteel (CERT-UA#5134) | [cert.gov.ua](https://cert.gov.ua/article/1229152) | | 11 August | DEF CON - Kenneth Geers | Computer Hacks in the Russia-Ukraine War | [media.defcon.org](https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Kenneth%20Geers%20-%20Computer%20Hacks%20in%20the%20Russia-Ukraine%20War%20-%20paper.pdf) | | 18 August | @cyberknow20 | Russian cyberarmy is targeting a Finnish satellite imagery company. The majority of attacks continue to be driven by geopolitical factors. 
| [twitter.com/cyberknow20](https://twitter.com/cyberknow20/status/1560253423856934912) | -| 30 August | @cpartisans | Belarus Cyber Partisans group claim to have stolen passport copies for all of Belarus | [twitter.com/cpartisans](https://twitter.com/cpartisans/status/1564639766783692800) | \ No newline at end of file +| 30 August | @cpartisans | Belarus Cyber Partisans group claim to have stolen passport copies for all of Belarus | [twitter.com/cpartisans](https://twitter.com/cpartisans/status/1564639766783692800) | +| 30 August | CERT-UA | UAC-0100 - Online fraud using the subject of "cash payments" (CERT-UA#5239) | [cert.gov.ua](https://cert.gov.ua/article/1545776) | +| 31 August | CERT-UA | UAC-0120 - Mass distribution of the AgentTesla malware (CERT-UA#5252) | [cert.gov.ua](https://cert.gov.ua/article/1563322) | \ No newline at end of file diff --git a/Threat Reports/December.md b/Threat Reports/December.md index 06c7dc2..d1a12c6 100644 --- a/Threat Reports/December.md +++ b/Threat Reports/December.md 
@@ -4,9 +4,11 @@ | 2 December | PWC | Blue Callisto orbits around US Laboratories in 2022 | [pwc.com](https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html) | | 5 December | Recorded Future | Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations | [recordedfuture.com](https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations) | | 5 December | Sekoia | Calisto show interests into entities involved in Ukraine war support | [sekoia.com](https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support/) | +| 8 December | CERT-UA | Cyber attack on government organizations using the theme of Iranian Shahed-136 kamikaze drones and DolphinCape malware (CERT-UA#5683) | [cert.gov.ua](https://cert.gov.ua/article/3192088) | | 10 December | Mandiant | Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government | [mandiant.com](https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government) | | 12 December | Carnegie Endowment | Cyber Operations in Ukraine: Russia’s Unmet Expectations | [carnegieendowment.org](https://carnegieendowment.org/2022/12/12/cyber-operations-in-ukraine-russia-s-unmet-expectations-pub-88607) | | 16 December | Carnegie Endowment | Russia’s Wartime Cyber Operations in Ukraine: Military Impacts, Influences, and Implications | [carnegieendowment.org](https://carnegieendowment.org/2022/12/16/russia-s-wartime-cyber-operations-in-ukraine-military-impacts-influences-and-implications-pub-88657) | +| 18 December | CERT-UA | Cyber attack on DELTA system users using RomCom/FateGrab/StealDeal malware (CERT-UA#5709) | [cert.gov.ua](https://cert.gov.ua/article/3349703) | | 19 December | Carnegie Endowment | What the Russian Invasion Reveals About the Future of Cyber Warfare | 
[carnegieendowment.org](https://carnegieendowment.org/2022/12/19/what-russian-invasion-reveals-about-future-of-cyber-warfare-pub-88667) | | 20 December | Unit42 | Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine| [unti42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/trident-ursa/) | | 26 December | Telegraph | German double agent ‘passed Ukraine intelligence to Russia’ | [telegraph.co.uk](https://www.telegraph.co.uk/world-news/2022/12/26/german-double-agent-passed-uk) | diff --git a/Threat Reports/February2023.md b/Threat Reports/February2023.md index 6fadc75..9a27606 100644 --- a/Threat Reports/February2023.md +++ b/Threat Reports/February2023.md @@ -1,5 +1,7 @@ #### `February Threat Reports` | Date | Source | Threat(s) | URL | | --- | --- | --- | --- | +| 1 FEB | CERT-UA | Activity of the group UAC-0114 (Winter Vivern) in relation to the state bodies of Ukraine and Poland (CERT-UA#5909) | [cert.gov.ua](https://cert.gov.ua/article/3761023) | +| 6 FEB | CERT-UA | Cyberattack UAC-0050 against the state bodies of Ukraine using the program for remote control and surveillance Remcos (CERT-UA#5926) | [cert.gov.ua](https://cert.gov.ua/article/3804703) | | 8 FEB | Symantex | Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine | [symantec-enterprise-blogs.security.com](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer)| - +| 13 FEB | CERT-UA | Cyber attack on organizations and institutions of Ukraine using the Remote Utilities program (CERT-UA#5961| [cert.gov.ua](https://cert.gov.ua/article/3863542) | diff --git a/Threat Reports/January2023.md b/Threat Reports/January2023.md index 61e18e4..2e72d04 100644 --- a/Threat Reports/January2023.md +++ b/Threat Reports/January2023.md 
@@ -12,6 +12,7 @@ | 25 JAN | Reuters | Russian 'hacktivists' briefly knock German websites offline | [reuters.com](https://www.reuters.com/world/europe/russian-hacktivists-briefly-knock-german-websites-offline-2023-01-25/)| | 27 JAN | Team Cymru | A Blog with NoName - Further Insight into the Hacktivist Operation Targeting NATO and Affiliated Nations | [team-cymru.com](https://www.team-cymru.com/post/a-blog-with-noname)| | 27 JAN | @esetresearch | BREAKING On January 25th #ESETResearch discovered a new cyberattack in Ukraine. SwiftSlicer | [twitter.com/ESETresearch](https://twitter.com/ESETresearch/status/1618960022150729728)| +| 27 JAN | CERT-UA | Cyber attack on the Ukrinform information and communication system (CERT-UA#5850) | [cert.gov.ua](https://cert.gov.ua/article/3718487) | | 29 JAN | Security Affairs | IT Army of Ukraine claims to have breached and leaded data from Gazprom in Russia | [securityaffairs.com](https://securityaffairs.com/141640/hacktivism/it-army-of-ukraine-hacked-gazprom.html)| | 31 JAN | ESET | APT ACTIVITY REPORT T3 2022 | [welivesecurity.com](https://www.welivesecurity.com/wp-content/uploads/2023/01/eset_apt_activity_report_t32022.pdf)| | 31 JAN | ESET | ESET Research: Russian APT groups, including Sandworm, continue their attacks against Ukraine with wipers and ransomware| [eset.com](https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-russian-apt-groups-including-sandworm-continue-their-attacks-against-ukraine-with-wipe/)| diff --git a/Threat Reports/July.md b/Threat Reports/July.md index af855fa..952fa68 100644 --- a/Threat Reports/July.md +++ b/Threat Reports/July.md 
@@ -10,7 +10,11 @@ | 19 JULY | CERT-PL | Continued cyber activity in Eastern Europe observed by TAG: Turla APKs, Follina vulnerability, Ghostwriter/UNC1151, COLDRIVER | [blog.google](https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/) | | 20 JULY | US CYBERCOM | Cyber National Mission Force discloses IOCs from Ukrainian networks | [cybercom.mil](https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/) | | 20 JULY | Mandiant | UNC1151 and suspected UNC2589 operations leveraging phishing with malicious documents leading to malware infection chains with themes related to public safety and humanitarian emergencies | [mandiant.com](https://www.mandiant.com/resources/spear-phish-ukrainian-entities) | +| 20 JULY | CERT-UA | UAC-0120 - Cyber attack on state organizations of Ukraine using the OK theme "South" and the malicious program AgentTesla (CERT-UA#4987) | [cert.gov.ua](https://cert.gov.ua/article/861292) | | 21 JULY | Talos | Attackers target Ukraine using GoMet backdoor | [blog.talosintelligence.com](https://blog.talosintelligence.com/attackers-target-ukraine-using-gomet/) | | 21 JULY | CyberScoop | Cyber criminals attack Ukrainian radio network, broadcast fake message about Zelensky’s health | [cyberscoop.com](https://cyberscoop.com/hackers-infiltrate-ukrainian-radio-network-broadcast-fake-message-about-zelenskys-health/) | +| 25 JULY | CERT-UA | UAC-0041 - Mass distribution of stealers (Formbook, Snake Keylogger) and use of RelicRace/RelicSource malware as a means of delivery (CERT-UA#5056) | [cert.gov.ua](https://cert.gov.ua/article/955924) | +| 26 JULY | CERT-UA | Cyber attacks of the UAC-0010 group (Armageddon) using the malicious program GammaLoad.PS1_v2 (CERT-UA#5003,5013,5069,5071) | [cert.gov.ua](https://cert.gov.ua/article/971405) | +| 27 JULY | CERT-UA | UAC-0100 - Online fraud using the subject of "aid from the Red Cross" (CERT-UA#5063) | 
[cert.gov.ua](https://cert.gov.ua/article/987552) | | 27 JULY | VxUnderground | VX-Underground uploads sample of malware used by Killnet to DDos Lithuania | [twitter.com](https://twitter.com/vxunderground/status/1552361257822478341) | | 27 JULY | US DHS CISA | United States (CISA) and Ukraine Expand Cooperation on Cybersecurity| [cisa.gov](https://www.cisa.gov/news/2022/07/27/united-states-and-ukraine-expand-cooperation-cybersecurity) | \ No newline at end of file diff --git a/Threat Reports/November.md b/Threat Reports/November.md index 94e6a2d..0560969 100644 --- a/Threat Reports/November.md +++ b/Threat Reports/November.md 
@@ -2,10 +2,10 @@ | Date | Source | Threat(s) | URL | | --- | --- | --- | --- | | 3 November | Carnegie Endowment | Evaluating the International Support to Ukrainian Cyber Defense | [carnegieendowment.org](https://carnegieendowment.org/2022/11/03/evaluating-international-support-to-ukrainian-cyber-defense-pub-88322) | +| 8 November | CERT-UA | Cyber attack of the UAC-0010 group: sending e-mails, apparently, on behalf of State Special Communications (CERT-UA#5570) | [cert.gov.ua](https://cert.gov.ua/article/2681855) | +| 9 November | CERT-UA | UAC-0133 - Distribution of e-mails with a fake scanner, supposedly on behalf of CERT-UA (CERT-UA#5583) | [cert.gov.ua](https://cert.gov.ua/article/2698320) | +| 11 November | CERT-UA | Information on cyberattacks of the group UAC-0118 (FRwL) using the Somnia malware (CERT-UA#5185) | [cert.gov.ua](https://cert.gov.ua/article/2724253) | | 14 November | CRDF Global | CRDF Global Becomes Platform for Cyber Defense Assistance Collaborative (CDAC) for Ukraine, Receives Grant from Craig Newmark Philanthropies | [carnegieendowment.org](https://www.crdfglobal.org/news/crdf-global-becomes-platform-for-cyber-defense-assistance-collaborative-cdac-for-ukraine-receives-grant-from-craig-newmark-philanthtrellix.coropies/) | | 15 November | Trellix | Wipermania: An All You Can Wipe Buffet | [trellix.com](https://www.trellix.com/en-us/about/newsroom/stories/research/wipermania-an-all-you-can-wipe-buffet.html) | | 21 November | @esetresearch | On November 21st ESETResearch detected and alerted CERT_UA of a wave of ransomware we named RansomBoggs, deployed in multiple organizations in Ukraine. While the malware written in .NET is new, its deployment is similar to previous attacks attributed to #Sandworm. 
| [twitter.com/esetresearch](https://twitter.com/ESETresearch/status/1596181925663760386) | -| 23 November | Trustwave | Killnet Claims Attacks Against Starlink, Whitehouse.gov, and United Kingdom Websites | [trustwave.com](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/killnet-claims-attacks-against-starlink-whitehousegov-and-united-kingdom-websites/) | - - - +| 23 November | Trustwave | Killnet Claims Attacks Against Starlink, Whitehouse.gov, and United Kingdom Websites | [trustwave.com](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/killnet-claims-attacks-against-starlink-whitehousegov-and-united-kingdom-websites/) | \ No newline at end of file diff --git a/Threat Reports/October.md b/Threat Reports/October.md index 051fe44..2aee91a 100644 --- a/Threat Reports/October.md +++ b/Threat Reports/October.md @@ -6,5 +6,4 @@ | 13 October | Radware | Project DDOSIA Russia's answer to disBalancer | [radware.com](https://www.radware.com/security/threat-advisories-and-attack-reports/project-ddosia-russias-answer-to-disbalancer/) | | 14 October | Microsoft | New “Prestige” ransomware impacts organizations in Ukraine and Poland | [microsoft.com](https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/) | | 19 October | Intel471 | Pro-Russian Hacktivism and Its Role in the War in Ukraine | [intel471.com](https://intel471.com/blog/pro-russian-hacktivism-and-its-role-in-the-war-in-ukraine) | - - +| 22 October | CERT-UA | UAC-0132 - Cyber attack on state organizations of Ukraine using RomCom malware. Possible involvement of Cuba Ransomware aka Tropical Scorpius aka UNC2596 (CERT-UA#5509) | [cert.gov.ua](https://cert.gov.ua/article/2394117) | \ No newline at end of file diff --git a/Threat Reports/September.md b/Threat Reports/September.md index 9b4b606..a1ec128 100644 --- a/Threat Reports/September.md +++ b/Threat Reports/September.md 
@@ -2,6 +2,7 @@ | Date | Source | Threat(s) | URL | | --- | --- | --- | --- | | 7 September | Google TAG | Initial access broker repurposing techniques in targeted attacks against Ukraine (UAC-0098) | [blog.google/threat-analysis-group](https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/) | +| 12 September | CERT-UA | Regarding urgent cyber protection measures | [cert.gov.ua](https://cert.gov.ua/article/1751036) | | 19 September | Record Future | Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine | [recordfuture.com](https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine) | | 23 September | Mandiant | GRU: Rise of the (Telegram) MinIOns | [mandiant.com](https://www.mandiant.com/resources/blog/gru-rise-telegram-minions) | | 26 September | Ukrainian Govt | Invaders Preparing Mass Cyberattacks on Facilities of Critical Infrastructure of Ukraine and Its Allies | [gur.gove.ua](https://gur.gov.ua/en/content/okupanty-hotuiut-masovani-kiberataky-na-ob-iekty-krytychnoi-infrastruktury-ukrainy-ta-ii-soiuznykiv.html) | \ No newline at end of file
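Review bot: the August.md hunk still leaves the file without a terminating newline: the new `31 August` row is followed by `\ No newline at end of file`, the same condition the hunk's `-` line shows for the previous last row, so every future append will again show the old last line as modified instead of a clean one-line insertion. End the file with a newline after the 31 August row. The three new CERT-UA rows (10, 30 and 31 August) are in date order and carry their CERT-UA# ids.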
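Review bot: drive-by for the December.md hunk: the unchanged `20 December` context row uses `unti42.paloaltonetworks.com` as link text for a unit42.paloaltonetworks.com URL; worth correcting while the file is being edited. The two new CERT-UA rows (8 and 18 December) are placed in date order and carry their ids.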
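Review bot: the `13 FEB` row in the February2023.md hunk has a malformed reference column: `(CERT-UA#5961|` is missing the closing parenthesis and the space before the cell separator that every other row uses, so the table renders with the id fused to the URL cell. It should read `... using the Remote Utilities program (CERT-UA#5961) | [cert.gov.ua](https://cert.gov.ua/article/3863542) |`. While this file is open, the `Symantex` source in the unchanged 8 FEB context row is a typo for Symantec.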
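Review bot: drive-by for the January2023.md hunk: the unchanged `29 JAN` context row reads `breached and leaded data from Gazprom`, where `leaked` is meant. The new `27 JAN` CERT-UA row (Ukrinform, CERT-UA#5850) is correctly grouped with the other 27 JAN entries and needs no change.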
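Review bot: the `20 JULY` row in the July.md hunk contains an unexpanded abbreviation, `the OK theme "South"`, that a reader of the timeline cannot resolve from the row itself; if this is the Ukrainian abbreviation for Operational Command "South" carried over from the CERT-UA title, spell it out, otherwise drop the abbreviation and keep only the quoted theme name. The remaining three rows (25, 26 and 27 JULY) are in date order; the 26 JULY row's multi-id reference `(CERT-UA#5003,5013,5069,5071)` is acceptable but a space after each comma would match the rest of the table's spacing.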
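Review bot: the November.md hunk trades three trailing blank lines for a file that no longer ends in a newline: the Trustwave `23 November` row is removed and re-added byte-identical except that the re-added copy is followed by `\ No newline at end of file`. Delete the blank lines but keep the final newline, so the diff shows only the three deletions and the Trustwave row is left untouched. The three new CERT-UA rows (8, 9 and 11 November) are correctly ordered between the 3 and 14 November entries.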
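Review bot: the October.md hunk removes the two trailing blank lines and appends the new `22 October` row as the last line of the file without a terminating newline (`\ No newline at end of file`), which will make the next addition to this file show the 22 October row as modified. Add a newline after the new row. The row's content itself is consistent with the other CERT-UA entries (UAC-0132, CERT-UA#5509, cert.gov.ua link).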
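Review bot: the new `12 September` row in the September.md hunk is the only CERT-UA entry in this patch without a `(CERT-UA#…)` reference; if the advisory "Regarding urgent cyber protection measures" carries one, add it so the row is consistent with the other CERT-UA rows and can be cross-referenced. Drive-by while the file is open: the context rows have `Record Future` for Recorded Future and `gur.gove.ua` as link text for the gur.gov.ua URL.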