Emerging cyber threats in Russia: Nova malware’s impact and the escalating cyber landscape

Multiple Russian cybersecurity firms have published research reports on emerging threats, including a large-scale information-stealing campaign targeting local organisations using the Nova malware.

According to a report from Moscow-based BI.ZONE, Nova is a commercial malware sold as a service on dark web marketplaces. Prices range from $50 for a monthly license to $630 for a lifetime license. Nova is a variant of SnakeLogger, a widely used malware known for stealing sensitive information.

While the developers of Nova remain unidentified, the code contains strings in Polish, and a Telegram group dedicated to promoting and supporting the malware was created in August 2024. The scale of the campaign and the full extent of its impact on Russian organisations remain unclear.

The BI.ZONE report comes at a time when Russian entities have been under increasing cyberattacks, many of which are suspected to be politically motivated and linked to state-sponsored groups.

Over the weekend, F.A.C.C.T. reported a cyberespionage campaign targeting chemical, food, and pharmaceutical companies in Russia, attributing the attacks to a state-backed group named Rezet (or Rare Wolf). Meanwhile, Solar reported an attack on Russian industrial facilities by the newly identified group APT NGC4020, which exploited a vulnerability in a SolarWinds tool.

The Nova malware collects a wide range of data, including saved authentication credentials, keystrokes, screenshots, and clipboard content. This stolen data can be used in a variety of malicious activities, such as facilitating ransomware attacks. The malware is distributed through phishing emails, often disguised as contracts, to trick employees in organisations that handle high volumes of email correspondence.

Sweden rules out sabotage in latest Baltic Sea cable cut

Swedish authorities have ruled out sabotage in the recent Baltic Sea fibre optic cable break, attributing the damage to adverse weather, faulty equipment, and poor seamanship.

Senior prosecutor Mats Ljungqvist of Sweden’s National Security Unit stated Monday that the vessel responsible for the 26 January incident, which severed an undersea cable between Latvia and Sweden, did not act with malicious intent.

Swedish officials, including the coast guard, police, and military, participated in the probe. While the vessel had been seized during the investigation, authorities have now lifted that restriction.

Google: Over 57 cyber threat actors using AI for hacking

Google identified more than 57 cyber threat actors linked to China, Iran, North Korea, and Russia leveraging the company’s AI technology to enhance their cyber and information warfare efforts. According to a new report by Google’s Threat Intelligence Group (GTIG), the state-sponsored hacking groups, known as Advanced Persistent Threats (APTs), primarily use AI for tasks such as researching vulnerabilities, writing malicious code, and creating targeted phishing campaigns.

The company says that Iranian APT actors, particularly APT42, were identified as the most frequent users of Google’s AI tool, Gemini. They used it for reconnaissance on cybersecurity experts and organizations, and for phishing operations.

Beyond APT groups, underground cybercriminal forums have begun advertising illicit AI models, such as WormGPT, WolfGPT, FraudGPT, and GhostGPT—AI systems designed to bypass ethical safeguards and facilitate phishing, fraud, and cyberattacks.

In the report, Google stated that the company has implemented countermeasures to prevent abuse of its AI system and has called for stronger collaboration between government and private industry to bolster cybersecurity defenses.

German authorities on alert for election disinformation

With Germany’s parliamentary elections just weeks away, lawmakers are warning that authoritarian states, including Russia, are intensifying disinformation efforts to destabilise the country. Authorities are particularly concerned about a Russian campaign, known as Doppelgänger, which has been active since 2022 and aims to undermine Western support for Ukraine. The campaign has been linked to fake social media accounts and misleading content in Germany, France, and the US.

CSU MP Thomas Erndl confirmed that Russia is attempting to influence European elections, including in Germany. He argued that disinformation campaigns are contributing to the rise of right-wing populist parties, such as the AfD, by sowing distrust in state institutions and painting foreigners and refugees as a problem. Erndl emphasised the need for improved defences, including modern technologies like AI to detect disinformation, and greater public awareness and education.

The German Foreign Ministry recently reported the identification of over 50,000 fake X accounts associated with the Doppelgänger campaign. These accounts mimic credible news outlets like Der Spiegel and Welt to spread fabricated articles, amplifying propaganda. Lawmakers stress the need for stronger cooperation within Europe and better tools for intelligence agencies to combat these threats, even suggesting that a shift in focus from privacy to security may be necessary to tackle the issue effectively.

Greens MP Konstantin von Notz highlighted the security risks posed by disinformation campaigns, warning that authoritarian regimes like Russia and China are targeting democratic societies, including Germany. He called for stricter regulation of online platforms, stronger counterintelligence efforts, and increased media literacy to bolster social resilience. As the election date approaches, lawmakers urge both government agencies and the public to remain vigilant against the growing threat of foreign interference.

Israeli spyware firm Paragon accused of hacking WhatsApp users

WhatsApp has identified an advanced hacking campaign targeting nearly 90 users across more than two dozen countries. The attack, linked to Israeli spyware firm Paragon Solutions, exploited a zero-click vulnerability, meaning victims’ devices were compromised without them needing to interact with any malicious files. The messaging platform, owned by Meta, has since taken steps to block the hacking attempts and has issued a cease-and-desist letter to Paragon.

While WhatsApp has not disclosed the identities of those targeted, reports indicate that journalists and members of civil society were among the victims. The company has referred affected users to Citizen Lab, a Canadian watchdog that investigates digital security threats. Law enforcement agencies and industry partners have also been alerted, though specifics remain undisclosed.

Paragon, which was recently acquired by US investment firm AE Industrial Partners, has not commented on the allegations. The company presents itself as a responsible player in the spyware industry, claiming to sell its technology only to governments in stable democracies. However, critics argue that the continued spread of surveillance tools increases the risk of human rights abuses, with spyware repeatedly found on the devices of activists, journalists, and officials worldwide.

Cybersecurity experts warn that the growing use of commercial spyware poses an ongoing threat to digital privacy. Despite claims of ethical safeguards, the latest revelations suggest that even companies with supposedly responsible practices may be engaging in questionable surveillance activities.

OpenAI warns about Chinese firms accessing US AI

OpenAI has raised concerns about Chinese companies attempting to access US AI technologies to enhance their models. In a statement released on Tuesday, OpenAI highlighted the critical need to protect its intellectual property and the most advanced capabilities in its AI systems. The company emphasised that it has put in place countermeasures to safeguard its innovations and is working closely with the US government to protect the technology from being exploited by competitors and adversaries.

These comments come in response to the White House’s ongoing review of national security risks posed by Chinese AI companies, particularly the rapidly growing startup DeepSeek. The US government has been looking into potential threats as China increasingly seeks to advance its AI capabilities. David Sacks, the White House’s AI and crypto czar, explained that Chinese firms are using an AI technique called “distillation,” which allows them to extract knowledge from leading US AI models, further raising concerns about intellectual property theft.

OpenAI’s statement underscores the challenges and security risks that arise as AI becomes a critical technology with broad applications, from national defence to economic competitiveness. The company’s efforts to protect its proprietary AI models are part of a broader push by the US to ensure that its technological edge is not compromised by foreign competitors who might attempt to bypass intellectual property protections. The situation highlights the increasing geopolitical tension surrounding AI development, especially as China continues to make significant strides in the field.

EU sanctions three Russians over 2020 cyberattacks on Estonia

The European Union has imposed sanctions on three Russian nationals for their alleged role in cyberattacks targeting Estonia in 2020. Nikolay Korchagin, 28, Vitaly Shevchenko, 28, and Yuriy Denisov, 45—suspected operatives of the cyber division of Russia’s GRU military intelligence service—are accused of breaching classified Estonian government networks and stealing sensitive data.

According to the Council of the EU, the attacks compromised thousands of confidential documents, including business secrets, health records, and other critical information. In September 2024, Estonia publicly attributed the attack to Unit 29155, marking the first time the country formally identified a state-backed cyber operation.

‘Both a national and an international investigation that included 10 countries showed that Russia aimed to damage national computer systems, obtain sensitive information and strike a blow against our sense of security,’ Estonian Foreign Minister Margus Tsahkna stated at the time.

As part of the sanctions, Korchagin, Shevchenko, and Denisov face an asset freeze, a prohibition on EU individuals and businesses providing them with funds, and a travel ban barring them from entering or transiting through the EU territory.

The move follows a similar decision by the US government in September last year. The US Department of Justice indicted members of Unit 29155 and placed a $10 million bounty for information aiding prosecution. The indictment primarily focused on the WhisperGate cyberattack—a data-wiping operation targeting Ukraine ahead of Russia’s 2022 invasion. Korchagin and Denisov were specifically named in the US sanctions, while Shevchenko was labelled an ‘associated individual’ by the State Department.

Last year, the EU’s credibility in cyber sanctions was undermined when a clerical error in a formal sanctions notice mistakenly identified the wrong Russian intelligence agency responsible for a series of cyberattacks. Additionally, Bart Groothuis, a Dutch MEP and former Ministry of Defence employee, noted that the EU’s response remains fragmented, particularly in comparison to coordinated actions taken by the US and UK.

Undersea cable damaged between Latvia and Sweden

A fibre optic cable running under the Baltic Sea between Latvia and Sweden sustained significant damage, likely due to external factors, according to Latvian authorities. The incident prompted NATO to deploy patrol ships and launch a coordinated investigation with Sweden, where the Security Service seized control of a vessel as part of its probe. Latvian Prime Minister Evika Silina confirmed that her government is collaborating with NATO and neighboring Baltic Sea countries to determine the cause.

Senior prosecutor Mats Ljungqvist stated that investigators are conducting several actions but refrained from disclosing details due to the ongoing preliminary inquiry.

NATO’s recently launched ‘Baltic Sentry’ mission, involving naval and aerial assets, aims to safeguard critical infrastructure in the region following a series of incidents affecting cables, pipelines, and telecom links since Russia’s invasion of Ukraine in 2022. The project also includes the deployment of new technologies, including a small fleet of naval drones. Swedish Prime Minister Ulf Kristersson also emphasized close cooperation with NATO and Latvia in response to the situation.

The damaged cable, located in Sweden’s exclusive economic zone, connects Latvia’s Ventspils to Sweden’s Gotland island. The Latvian State Radio and Television Centre (LVRTC), which operates the cable, reported switching communications to alternative routes and is contracting a repair vessel. Repairs are expected to proceed more quickly than those for gas pipelines or power cables, as fibre optic cables in the Baltic Sea are typically restored within weeks.

This incident follows last month’s damage to the Finnish-Estonian Estlink 2 power line and telecom cables, reportedly caused by a Russian tanker dragging its anchor. Finnish and Swedish leaders underscored the importance of bolstering the protection of critical undersea infrastructure in the Baltic Sea. NATO also stated it reserves the right to act against ships deemed security risks while continuing to monitor the situation closely.

Japan introduces active cyber defence bill to strengthen national security

Among the 59 bills the Japanese government plans to submit for review within the next 150 days of this year’s session, the Active Cyber Defense Legislation stands out due to its importance for Japan’s national security.

This bill, presented to the Liberal Democratic Party (LDP) on January 16 and swiftly approved, is part of an effort to bolster Japan’s cybersecurity capabilities. We earlier reported that Japan’s Liberal Democratic Party proposed an ‘active cyber defence’ system, allowing the government to collect telecom metadata to detect and prevent cyberattacks as part of broader national security reforms to strengthen the country’s cybersecurity capabilities.

The proposed legislation includes three main components: improving collaboration between the public and private sectors, allowing the government to access telecommunications data in cases of suspected cyberattacks, and enabling the neutralisation of attackers’ servers. Critical infrastructure sectors such as energy, transportation, and telecommunications would be required to report cyber incidents, with the government offering guidance on damage control and prevention.

The bill also grants the government the ability to monitor specific communications between Japan and foreign nations, but limits this to non-content data to address privacy concerns. In the event of a major cyberattack, the Self-Defense Forces (SDF) may be deployed to defend critical systems.

Although the bill has received widespread support, it faces legal challenges, particularly with regard to Japan’s constitutional protection of communication secrecy and its pacifist defense policies. Despite these concerns, public opinion remains favorable, with a recent poll showing 65% support for the legislation.

The government is moving forward with the proposal, aiming to enhance the protection of Japan’s critical infrastructure from increasing cyber risks. While the Japanese Communist Party opposes the bill, it has gained backing from major opposition parties, highlighting its broad political support.

New hacking group mimics Russia-linked group to target Russian entities, Chinese cybersecurity experts say

A hacking group named GamaCopy has been imitating the tactics of the Russia-linked threat actor Gamaredon to target Russian-speaking victims, according to research by Chinese cybersecurity firm Knownsec.

GamaCopy’s latest campaign employed phishing documents disguised as reports on Russian armed forces’ locations in Ukraine, along with the open-source software UltraVNC for remote access.

However, while GamaCopy mirrors many techniques used by Gamaredon, researchers identified notable differences. For example, GamaCopy primarily targets Russian-speaking victims, whereas Gamaredon typically targets Ukrainian speakers. Additionally, GamaCopy’s use of UltraVNC represents a unique element in its attack chain.

Since June 2023, GamaCopy has targeted Russia’s defense and critical infrastructure sectors. However, the group is believed to have been active even earlier, since August 2021. Knownsec’s analysis suggests that GamaCopy’s operations are part of a deliberate false-flag campaign and links the group to another state-sponsored actor known as Core Werewolf, which has similarly targeted Russian defense systems since 2021.

This discovery follows recent reports of other hacker groups conducting cyber-espionage campaigns against Russian entities, highlighting the increasing complexity and state-backed nature of these threats.