Russian “Sandworm” Hackers Attacked NATO Country Poland – You Need To Know

The computer systems of Eastern European transport and logistics companies were reportedly paralyzed by a new type of encryption malware. The Russians are targeting supplies bound for Ukraine.

Hacking into transport and logistics companies in Ukraine and Poland was the work of a notorious Russian military intelligence unit. This is the conclusion reached by Microsoft IT security researchers after forensically evaluating digital traces.

This could indicate an increased risk for organizations that deliver or transport humanitarian or military aid directly to Ukraine, Microsoft warns.

Why is that important?

The Washington Post quotes Microsoft Security Response Center (MSTIC) analyst Justin Warner: this is the first event since the beginning of the Russian invasion of Ukraine and the hacking of the Viasat satellite network in which “a non-Ukrainian organization” can be regarded as a (Russian) target.

Cyber-espionage analyst Ben Read, who works for the Google-owned IT security firm Mandiant, said it was the first cyberattack deliberately aimed at a NATO target since the start of the war.

Who’s behind this?

The group behind the attacks is identified by the Microsoft Threat Intelligence Center (MSTIC) as “Iridium” and is known to a wider audience as “Sandworm”. On April 8, it tried to shut down several substations and other parts of the power supply serving 2 million people in Ukraine. It is considered one of the most dangerous elite hacker groups in Russia and is said to belong to the Military Intelligence Service (GRU).

The main attack took place in early October. The attackers had previously penetrated the victims’ networks undetected and then tried to disable access to the affected IT systems using encryption software – codenamed “Prestige”.

According to the Microsoft report, all victims were attacked within an hour.

Sandworm has been carrying out cyberattacks on targets in Ukraine and Eastern Europe for years. One of the most devastating was NotPetya in 2017, a modified Windows encryption Trojan that spread worldwide.

Why are the Russians doing this?

By attacking logistics and transportation companies, Russian military intelligence could try to obstruct the flow of goods and materials to Ukraine. As is well known, the Russian armed forces have endured a number of military setbacks in recent months.

According to media reports, the flow of goods from partner countries is an important means for Ukraine to obtain the supplies it needs. Cyberattacks on the IT infrastructure in Poland – a NATO ally – are one of the few ways Russia can retaliate against Ukraine’s logistics partners.

Microsoft has teamed up with the Ukrainian Computer Emergency Response Team (CERT) to investigate the attack and first announced the “Prestige” incident in a blog post on October 14. It is “very likely” that Sandworm is behind it.

Jean-Ian Boutin, director of threat research at Slovakian cybersecurity firm ESET, said the attribution was expected.

“Sandworm has been carrying out destructive attacks for years, so the idea that they are behind Prestige ransomware is not surprising.

In 2018, we reported some of their actions with malware such as GreyEnergy against Polish organizations, so this is also consistent with their previous actions.”

What new malware is this?

According to the Microsoft investigation, the “Prestige” encryption malware attack has “several notable features” that distinguish it from other ransomware campaigns tracked by Microsoft:

  • The Windows malware had never been used before, i.e. it had never been seen “in the wild”.
  • “Company-wide ransomware deployment” is not common in Ukraine, and this activity is “not associated with any of the 94 currently active ransomware activity groups,” the blog post says.
  • The attack bears strong parallels to other Russian state cyber activities, most notably the FoxBlade malware known as HermeticWiper.
  • The hackers were apparently able to gain administrative access rights to the victim’s systems before triggering the actual ransomware attack.

The hackers already had access to targets in March before launching attacks in late September.

What about targets in the West?

Russian hackers aren’t just targeting Ukraine, Microsoft researcher Warner said in a presentation about another elite Russian hacking group dubbed “Berserk Bear” by security researchers.

According to Karen Nershi, a postdoctoral researcher at Stanford Internet Observatory, the timing of Russian ransomware gang attacks on the US and other Western countries overlaps with the Russian government’s goals.

“There could be a political aspect behind some of these attacks,” she told the Washington Post.

Russian gangs stepped up their attacks as these countries approached important elections, the researcher says. On the other hand, there was no statistically significant increase in non-Russian hacker attacks.

Sources

  • cyberscoop.com: Notorious Russian military hacking squad behind October ransomware attacks on Ukraine, Poland
  • washingtonpost.com: Russian Sandworm Hackers Have Deployed Malware in Ukraine and Poland
  • microsoft.com: Update security blog

(dsc)

Source: Watson
