At a glance.
- Pro-Ukrainian actors hit Russian and Belarusian websites with DDoS attacks.
- UNC3524 targets M&A transactions.
- Winnti targets technology and manufacturing companies.
Pro-Ukrainian actors hit Russian and Belarusian websites with DDoS attacks.
CrowdStrike says pro-Ukrainian actors used compromised Docker Engine honeypots to launch DDoS attacks against Russian and Belarusian websites. The actors hacked the honeypots through an exposed Docker Engine API:
"Between February 27 and March 1, 2022, Docker Engine honeypots were observed to have been compromised in order to execute two different Docker images targeting Russian and Belarusian websites in a denial-of-service (DoS) attack. Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed Ukraine IT Army (UIA). The UIA previously called its members to perform distributed denial-of-service (DDoS) attacks against Russian targets. There may be risk of retaliatory activity by threat actors supporting the Russian Federation, against organizations being leveraged to unwittingly conduct disruptive attacks against government, military and civilian websites."
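The exposure behind these compromises is a Docker Engine API reachable over TCP with no client authentication, which gives any remote caller the ability to pull and run arbitrary images. The script below is an added example for this digest (not CrowdStrike's code) that audits a dockerd configuration for that condition: it reads the `hosts`, `tls` and `tlsverify` keys from a daemon.json-style dictionary (or extracts `-H` listeners from a dockerd command line), and flags plaintext or non-verifying TCP listeners. The `EXPOSED_CONFIG` and `HARDENED_CONFIG` dictionaries and their certificate paths are constructed samples.

```python
"""Audit Docker Engine listener settings for an unauthenticated remote API.

Added example, not CrowdStrike's code. dockerd takes its listeners from the
`hosts` key of daemon.json or from -H / --host flags; `tls` enables TLS on
TCP listeners and `tlsverify` additionally requires a client certificate.
A TCP listener without tlsverify accepts any client that can reach the port.
"""
import ipaddress
import shlex
from urllib.parse import urlsplit

DOCKER_DEFAULT_HOST = "unix:///var/run/docker.sock"  # dockerd default when `hosts` is unset
SEVERITY_ORDER = {"ok": 0, "medium": 1, "high": 2}

# Constructed sample configurations (not taken from any real host).
EXPOSED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",        # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}


def _is_loopback(bind: str) -> bool:
    """True only for explicit loopback binds; '' / 0.0.0.0 / :: mean every interface."""
    if bind == "localhost":
        return True
    try:
        return ipaddress.ip_address(bind).is_loopback
    except ValueError:
        return False


def hosts_from_cmdline(cmdline: str) -> list[str]:
    """Extract -H / --host listener values from a dockerd command line (e.g. systemd ExecStart)."""
    args = shlex.split(cmdline)
    hosts = []
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:      # -Htcp://... or -H=tcp://...
            hosts.append(arg[2:].lstrip("="))
    return hosts


def audit_hosts(config: dict) -> list[dict]:
    """Return one finding per configured listener with an 'ok' / 'medium' / 'high' severity."""
    hosts = config.get("hosts") or [DOCKER_DEFAULT_HOST]
    tls = bool(config.get("tls", False))
    tlsverify = bool(config.get("tlsverify", False))
    findings = []
    for host in hosts:
        parts = urlsplit(host)
        if parts.scheme in ("unix", "fd", "npipe"):
            findings.append({"host": host, "severity": "ok",
                             "reason": "local socket; access is governed by filesystem permissions"})
        elif parts.scheme == "tcp":
            public = not _is_loopback(parts.hostname or "")
            if tlsverify:
                severity, reason = "ok", "TLS with client certificate verification (tlsverify)"
            elif tls:
                severity = "medium"
                reason = "TLS encrypts the channel but tlsverify is off, so any client is accepted"
            else:
                severity = "high" if public else "medium"
                reason = "plaintext API with no authentication" + (
                    "; bound to a non-loopback address" if public else "; loopback only")
            findings.append({"host": host, "port": parts.port,
                             "severity": severity, "reason": reason})
        else:
            findings.append({"host": host, "severity": "medium",
                             "reason": f"unrecognised scheme {parts.scheme!r}; review manually"})
    return findings


def worst_severity(findings: list[dict]) -> str:
    """Collapse a list of findings to the single highest severity."""
    return max((f["severity"] for f in findings),
               key=SEVERITY_ORDER.__getitem__, default="ok")


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_hosts(cfg)
        print(f"[{name}] worst={worst_severity(findings)}")
        for f in findings:
            print(f"  {f['severity']:6} {f['host']}: {f['reason']}")
```

The hardened configuration keeps the TCP listener but requires a client certificate signed by the configured CA; if remote access is not needed at all, the safest `hosts` value is the Unix socket alone, and the check treats that default as `ok`.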
UNC3524 targets M&A transactions.
Mandiant has discovered a threat actor, UNC3524, that's conducting cyberespionage, targeting "the emails of employees that focus on corporate development, mergers and acquisitions, and large corporate transactions." Mandiant notes that UNC3524 relies on techniques used by the Russian state-sponsored actors APT28 and APT29, but does not definitively attribute the threat actor to any known group:
"On the surface, their targeting of individuals involved in corporate transactions suggests a financial motivation; however, their ability to remain undetected for an order of magnitude longer than the average dwell time of 21 days in 2021, as reported in M-Trends 2022, suggests an espionage mandate. Part of the group’s success at achieving such a long dwell time can be credited to their choice to install backdoors on appliances within victim environments that do not support security tools, such as anti-virus or endpoint protection. The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the “advanced” in Advanced Persistent Threat. UNC3524 also takes persistence seriously. Each time a victim environment removed their access, the group wasted no time re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign."
Winnti targets technology and manufacturing companies.
Researchers at Cybereason are tracking a cyberespionage campaign against technology and manufacturing companies around the world. The researchers attribute the activity with "a moderate-to-high degree of confidence" to the Chinese state-sponsored threat actor Winnti (also known as APT41 or BARIUM):
"In 2021, the Cybereason Nocturnus Incident Response Team was engaged to investigate multiple intrusions targeting technology and manufacturing companies in North America, Europe, and Asia. They found an elusive and sophisticated cyber espionage campaign operating undetected since at least 2019.
"With years to surreptitiously conduct reconnaissance and identify valuable data, it is estimated that the group managed to exfiltrate hundreds of gigabytes of information. The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data.
"In addition, the attackers collected information that could be used for future cyberattacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails, and customer data."