New Somnia ransomware attacks target corporations in Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) reported the spread of a new ransomware strain called ‘Somnia’, attributing the attacks to the Russian threat actor known as ‘From Russia with Love’ (FRwL), also known as ‘Z-Team’. The ransomware attacks targeted Ukrainian corporations’ employees, using their Telegram accounts to try and gain access to a corporate network.

As explained by CERT-UA, the group used fake sites that mimic the ‘Advanced IP Scanner’ software, which, if downloaded, infects the victim’s computer with the Vidar data-stealing malware that can capture Telegram session data, as well as take over the victim’s account.

Then, the threat actors used victims’ Telegram accounts to gain access to the corporate network. Once access to the target’s network was obtained, the hackers executed reconnaissance operations using tools like Netscan and deployed Cobalt Strike Beacons before exfiltrating data.

According to CERT-UA, the group had previously revealed that they created Somnia ransomware on Telegram and posted evidence of the attacks they made against Ukrainian targets.

Amazon fined in Russia

A Moscow court fined US giant Inc a total of 4 million roubles (US$16,150) for failing to remove illegal content, Interfax reported. According to the court’s ruling, Amazon had failed to delete banned content related to drug use and suicide.

It is the first such fine imposed on Amazon, while other US-based giants have come under pressure in Russia in recent months, with Meta being labelled as an ‘extremist’. On the other hand, Google and Apple received fines for refusing to localise the Russian users’ database in Russian territory.

US airport websites knocked offline by ‘Killnet’ hackers

More than a dozen airport websites in the USA have been targeted by a series of distributed denial-of-service (DDoS) attacks. The hackers targeted some of the nation’s largest airports, which appeared inaccessible on Monday morning. However, as later confirmed, no actual air travel disruptions were reported. The attacks were attributed to a pro-Russian hacktivist organisation Killnet, as they have previously listed multiple US airports as potential targets.

In the previous week, the same group took responsibility for knocking offline US state government websites in Colorado, Kentucky, and Mississippi, among others.

Russian retail chain ‘DNS’ targeted in a cyberattack

Russia’s second-largest computer and home appliance store – ‘DNS’ (Digital Network System) – suffered a data breach that exposed the sensitive personal information of customers and employees, the company confirmed.

According to reports, attacks are allegedly the work of pro-Ukrainian hackers. On the other hand, the Kyiv Post claims that the attacks are being carried out by hackers tied to the so-called ‘National Republican Army’ (NRA), a group of dissidents aiming to overthrow Putin.

The DNS has not given much information on the subject of what data was compromised, though it was made clear that the hackers did not acquire user passwords or payment card information since these details are not kept on their systems. The stolen data contains full names, usernames, email addresses, and phone numbers of DNS customers and employees, accounting for 16 million people.

SoundCloud blocked in Russia

SoundCloud, a Germany-based online audio distribution platform and music-sharing website, has been blocked in Russia over an accusation of spreading prohibited content.

Russia’s telecoms watchdog, Roskomnadzor, has restricted access to SoundCloud at the request of the Russian Prosecutor General’s Office received on 22 September.

SoundCloud is accused of spreading prohibited information in Russia that contained ‘calls for mass riots and participation in unauthorized actions, extremism, as well as unreliable socially significant information distributed under the guise of reliable messages’.

Ukrainian hackers reportedly targeted the  Russian payment system ‘Mir’

Russian media report that Ukrainian hackers launched a large-scale DDoS attack on the ‘Mir payment system’ and its operator, the National Payment Card System (NSPK).

The cyberattack was confirmed to Kommersant by specialists in the Russian cybersecurity market. As explained, the attackers generated traffic to systems using browsers or primitive DDoS tools to cause interruptions in payments and terminals.

It is also reported that, since the beginning of the military operation in Ukraine, the entire Russian IT infrastructure has been subjected to massive hacker attacks. Still, there has been no information about vulnerabilities in the Mir system.

Russia is developing software for critical industries to replace imports

Russia is developing ‘heavy duty’ software solutions, especially for the oil and gas industry, to replace the software of businesses which have left Russia due to the sanctions, Deputy Prime Minister and Industry and Trade Minister Denis Manturov stated.

According to the minister, Russia has to develop software alternatives in order to ‘meet the critically important needs of Russian companies’. He also noted that ‘the largest companies, leaders in various fields – engineering, electronics, metallurgy, and the oil and gas sector – are involved in this work.’

Sandworm impersonates Ukrainian telecoms providers to deploy malware

Sandworm, a hacking group allegedly linked with Russian authorities, continues its campaign against Ukrainian entities. Threat actors are targeting their victims this time by impersonating telecoms companies, according to the latest research by Recorded Future

Attacks were executed by luring people into visiting compromised sites, usually through emails sent from domains that pretend to originate from a Ukrainian telecommunications company.

Recorded Future has noticed an increase in Sandworm command and control (C2) infrastructure using dynamic DNS names impersonating Ukrainian telecommunications service providers. Recent operations target vital Ukrainian systems with malware such as Colibri Loader and the Warzone RAT (remote access trojan).

The finding further claims that Sandworm has upgraded its command and control (C2) infrastructure. However, this happened gradually, allowing Recorded Future to confidently link current actions to the threat actor using past data from CERT-UA reports. 

The cybercrime group has previously been linked with a number of cyberattacks, including those on Ukrainian energy infrastructure and the ‘deployment of a persistent botnet named Cyclops Blink.’

Montenegro attributes cyberattacks on its critical infrastructure to Russia

In recent weeks, several Eastern European states have been targeted by cyberattacks attributed to Russia. Targets were hit primarily by disruptive denial of service campaigns on networks in Moldova, Slovenia, Bulgaria, Estonia, and Albania.

However, the attack on Montenegro’s digital infrastructure proved to be the most devastating, which had several targets, including water supply systems, electrical systems, transportation services, and online governmental services. According to government officials, cyberattacks continue to target the information system of Montenegrin institutions, although no long-term effects are expected.

A Russian threat actor, dubbed the Cuba Ransomware Group, claimed responsibility for the attacks and stated it obtained ‘financial documents, correspondence with bank employees, account movements, balance sheets, tax documents’ from Montenegro’s parliament on 19 August, Reuters reported.