%%%%%#########%%%%%                              
                    ###%%%%##                 &%%%                          
               (#####%%          /.. .,,,,&      .%%                        
           //((###            . ...**//((... ,     %%                       
       ***//((               (..***//((...*#,,,     %%                      
   *******                  #(#./((((#......,%#(     %                      
    *****                   @%##....#%%%%%,,%#((     %                      
      ****//                 %%%%,,%%%%%%%**/((     #                       
         *//((#*               %%,%%%%%##((((      %                        
            ((####%               ,((((((/                                  
               #####%%#,                                         **         
                   ##%%%#####                              //**             
                        %%%%#########%.          ######((/                  
                               %%%%%#%%%%%%%%%#####                         
                               
                              by Curated Intelligence      

Ukraine-Cyber-Operations

Curated Intelligence is working with analysts from around the world to provide useful information to organisations in Ukraine looking for additional free threat intelligence. Slava Ukraini. Glory to Ukraine. (Blog | Twitter | LinkedIn)

Analyst Comments:

• 2022-02-25
  • Creation of the initial repository to help organisations in Ukraine
• 2022-02-26
  • Additional resources, chronilogically ordered (h/t Orange-CD), plus a section on vetted OSINT sources and Miscellaneous resources

Threat Reports

Date	Source	Threat(s)	URL
14 JAN	SSU Ukraine	Website Defacements	ssu.gov.ua
15 JAN	Microsoft	WhisperGate wiper	microsoft.com
23 JAN	RaidForums	Data broker "Mont4na" offering UkrFerry	RaidForums [not linked]
23 JAN	RaidForums	Data broker "Mont4na" offering PrivatBank	RaidForums [not linked]
24 JAN	RaidForums	Data broker "Mont4na" offering DTEK	RaidForums [not linked]
31 JAN	Symantec	Gamaredon/Shuckworm/PrimitiveBear (FSB)	symantec-enterprise-blogs.security.com
2 FEB	CERT-UA	UAC-0056 using SaintBot and OutSteel malware	cert.gov.ua
3 FEB	PAN Unit42	Gamaredon/Shuckworm/PrimitiveBear (FSB)	unit42.paloaltonetworks.com
4 FEB	Microsoft	Gamaredon/Shuckworm/PrimitiveBear	microsoft.com
8 FEB	NSFOCUS	Lorec53	nsfocusglobal.com
23 FEB	UK NCSC	Sandworm/VoodooBear (GRU)	ncsc.gov.uk
23 FEB	SentinelLabs	HermeticWiper	sentinelone.com
24 FEB	ESET	HermeticWiper	welivesecurity.com
24 FEB	Symantec	HermeticWiper	symantec-enterprise-blogs.security.com
24 FEB	Cisco Talos	HermeticWiper	blog.talosintelligence.com
24 FEB	Zscaler	HermeticWiper	zscaler.com
24 FEB	CronUp	Data broker "FreeCvilian" offering multiple .gov.ua	twitter.com/1ZRR4H
24 FEB	RaidForums	Data broker "Featherine" offering diia.gov.ua	RaidForums [not linked]
25 FEB	@500mk500	Gamaredon/Shuckworm/PrimitiveBear (FSB)	twitter.com/500mk500
25 FEB	@500mk500	Gamaredon/Shuckworm/PrimitiveBear (FSB)	twitter.com/500mk500
25 FEB	Microsoft	HermeticWiper	gist.github.com
25 FEB	360 NetLab	DDoS (Mirai, Gafgyt, IRCbot, Ripprbot, Moobot)	blog.netlab.360.com
25 FEB	Conti [themselves]	Conti ransomware, BazarLoader	Conti News .onion [not linked]
25 FEB	CoomingProject [themselves]	Data Hostage Group	CoomingProject Telegram [not linked]
25 FEB	CERT-UA	UNC1151/Ghostwriter (Belarus MoD)	CERT-UA Facebook
25 FEB	Sekoia	UNC1151/Ghostwriter (Belarus MoD)	twitter.com/sekoia_io
25 FEB	@jaimeblascob	UNC1151/Ghostwriter (Belarus MoD)	twitter.com/jaimeblasco
25 FEB	RISKIQ	UNC1151/Ghostwriter (Belarus MoD)	community.riskiq.com
25 FEB	MalwareHunterTeam	Unknown phishing	twitter.com/malwrhunterteam
25 FEB	ESET	Unkown scammers	twitter.com/ESETresearch
25 FEB	SSSCIP Ukraine	Unkown phishing	twitter.com/dsszzi
25 FEB	RaidForums	Data broker "NetSec" offering FSB (likely SMTP accounts)	RaidForums [not linked]
25 FEB	Zscaler	PartyTicket decoy ransomware	zscaler.com
25 FEB	INCERT GIE	Cyclops Blink, HermeticWiper	linkedin.com [Login Required]
25 FEB	Proofpoint	UNC1151/Ghostwriter (Belarus MoD)	twitter.com/threatinsight
26 FEB	CERT-UA	UNC1151/Ghostwriter (Belarus MoD)	CERT_UA Facebook

Vendor Support

Vendor	Offering	URL
Dragos	Access to Dragos service if from US/UK/ANZ and in need of ICS cybersecurity support	twitter.com/RobertMLee
GreyNoise	Any and all Ukrainian emails registered to GreyNoise have been upgraded to VIP which includes full, uncapped enterprise access to all GreyNoise products	twitter.com/Andrew___Morris
Recorded Future	Providing free intelligence-driven insights, perspectives, and mitigation strategies as the situation in Ukraine evolves	recordedfuture.com
Flashpoint	Free Access to Flashpoint’s Latest Threat Intel on Ukraine	go.flashpoint-intel.com
ThreatABLE	A Ukraine tag for free threat intelligence feed that's more highly curated to cyber	twitter.com/threatable
Orange	IOCs related to Russia-Ukraine 2022 conflict extracted from our Datalake Threat Intelligence platform.	github.com/Orange-Cyberdefense
FSecure	F-Secure FREEDOME VPN is now available for free in all of Ukraine	twitter.com/FSecure
Multiple vendors	List of vendors offering their services to Ukraine for free, put together by @chrisculling	docs.google.com/spreadsheets

Vetted OSINT Sources

Handle	Affiliation
@KyivIndependent	English-language journalism in Ukraine
@KyivPost	English-language journalism in Ukraine
@Shayan86	BBC World News Disinformation journalist
@Liveuamap	Live Universal Awareness Map (“Liveuamap”) independent global news and information site
@DAlperovitch	The Alperovitch Institute for Cybersecurity Studies, Founder & Former CTO of CrowdStrike
@COUPSURE	OSINT investigator for Centre for Information Resilience
@netblocks	London-based Internet's Observatory

Miscellaneous Resources

Source	URL	Content
PowerOutages.com	https://poweroutage.com/ua	Tracking PowerOutages across Ukraine