CyberSecurity news

FlagThis - #russia

@www.helpnetsecurity.com //
A newly identified Russian cyber-espionage group, known as Laundry Bear by Dutch intelligence and Void Blizzard by Microsoft, has been actively targeting Western organizations since at least April 2024. This group is believed to be backed by the Russian government and is primarily focused on gathering intelligence to support Russian strategic interests. Laundry Bear's targets include government entities, defense contractors, aerospace firms, and high-tech businesses in Europe and North America, particularly those supporting Ukraine. The group's activities suggest an interest in sensitive information related to military goods, weapons deliveries, and advanced technologies that are difficult for Russia to acquire due to Western sanctions.

The primary objective of Laundry Bear is to steal sensitive emails and files from compromised systems. They achieve this by targeting cloud-based email environments, specifically Microsoft Exchange. The group employs a range of techniques, including pass-the-cookie attacks, password spraying, and spear phishing aimed at credential theft. Notably, the Dutch intelligence services identified Laundry Bear during an investigation into a credential-stealing attack against the Dutch National Police in September 2024. During this attack, Laundry Bear gained access to an account belonging to a Dutch police employee by using a stolen session cookie to obtain work-related contact information of other police employees.

Microsoft has also observed Laundry Bear targeting critical sectors such as government, defense, transportation, media, NGOs, and healthcare, with a focus on organizations in Europe, North America, NATO member states, and Ukraine. The group frequently gains access by using stolen credentials, likely purchased from online marketplaces. Despite employing relatively simple attack methods and readily available tools, Laundry Bear has achieved a high success rate due to quick-paced cyber operations and efficient automation. Microsoft recommends organizations implement robust security measures to defend against such threats.
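Two of the techniques named above, password spraying and stolen-session-cookie replay ("pass-the-cookie"), leave distinct traces in cloud sign-in logs, and the summaries do not spell out what a defender would look for. The following is an added example, not code from the page, from Microsoft or from the Dutch agencies: it runs two detections over a constructed sign-in log. The log fields, the example addresses and accounts, and the thresholds (five distinct accounts inside a ten-minute window with at most two attempts each; one session id seen from more than one source IP) are assumptions chosen for illustration and should be tuned per tenant.

```python
"""Detection logic for password spraying and session-cookie reuse over
constructed sign-in records. Field names and thresholds are assumptions,
not the schema of any particular identity provider."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Each tuple is
# (timestamp, user, source IP, result, session id issued on success).
SIGNIN_LOG = [
    ("2024-09-10T08:00:01", "alice@example.test", "203.0.113.7", "failure", None),
    ("2024-09-10T08:00:03", "bob@example.test",   "203.0.113.7", "failure", None),
    ("2024-09-10T08:00:05", "carol@example.test", "203.0.113.7", "failure", None),
    ("2024-09-10T08:00:07", "dave@example.test",  "203.0.113.7", "failure", None),
    ("2024-09-10T08:00:09", "erin@example.test",  "203.0.113.7", "failure", None),
    ("2024-09-10T08:00:11", "frank@example.test", "203.0.113.7", "success", "sess-0a1b"),
    # The same session id later appears from a second address: the shape a
    # replayed session cookie produces in the log.
    ("2024-09-10T08:05:00", "frank@example.test", "198.51.100.9", "success", "sess-0a1b"),
    # A normal user who mistyped once, then signed in: should not be flagged.
    ("2024-09-10T08:06:00", "grace@example.test", "192.0.2.44", "failure", None),
    ("2024-09-10T08:06:30", "grace@example.test", "192.0.2.44", "success", "sess-9f3e"),
]


def parse(record):
    """Turn one raw tuple into a dict with a parsed timestamp."""
    ts, user, ip, result, session = record
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "result": result, "session": session}


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return {source_ip: [accounts]} for IPs whose failures inside `window`
    touch many distinct accounts with few attempts each. Many accounts and a
    low per-account count is the spray signature; a brute force against one
    account looks the opposite and is left to lockout policy."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append(e)

    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[ip] = sorted(per_user)
    return flagged


def detect_cookie_reuse(events):
    """Return {session_id: (user, [ips])} for sessions presented from more
    than one source IP. A stolen cookie replayed from attacker infrastructure
    shows up as one session id authenticating from an address the user never
    signed in from. Legitimate roaming and VPN changes produce the same
    pattern, so in practice enrich with ASN/geo and device binding before
    alerting."""
    ips_by_session = defaultdict(set)
    user_by_session = {}
    for e in events:
        if e["result"] == "success" and e["session"]:
            ips_by_session[e["session"]].add(e["ip"])
            user_by_session[e["session"]] = e["user"]
    return {s: (user_by_session[s], sorted(ips))
            for s, ips in ips_by_session.items() if len(ips) > 1}


def run_detections(raw_log=SIGNIN_LOG):
    """Parse the log once and run both detections; returns the two result dicts."""
    events = [parse(r) for r in raw_log]
    return detect_password_spray(events), detect_cookie_reuse(events)


if __name__ == "__main__":
    spray, reuse = run_detections()
    for ip, accounts in spray.items():
        print(f"password spray from {ip} against {len(accounts)} accounts: {accounts}")
    for session, (user, ips) in reuse.items():
        print(f"session {session} for {user} seen from multiple IPs: {ips}")
```

In the constructed data the spraying address is also the one that obtains a valid session, and that session is then replayed from a second address; correlating the two findings by source IP and account is what turns two low-confidence signals into one incident worth escalating. Session-cookie replay is only visible this way if sign-in and token-refresh events are logged with their session identifier, so confirm the identity provider exports that field before relying on the second detection.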

Recommended read:
References:
  • The Hacker News: Microsoft has shed light on a previously undocumented cluster of malicious activity originating from a Russia-affiliated threat actor dubbed Void Blizzard (aka Laundry Bear) that it said is attributed to worldwide cloud abuse.
  • www.helpnetsecurity.com: Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group
  • Threats | CyberScoop: New Russian state-sponsored APT quickly gains global reach, hitting expansive targets
  • therecord.media: Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
  • www.microsoft.com: Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America. The post appeared first on Microsoft Security Blog.
  • www.defensie.nl: Onbekende Russische groep achter hacks Nederlandse doelen (Unknown Russian group behind hacks of Dutch targets): is behind the hacks on several Dutch organizations, including the police in September 2024.
  • Help Net Security: Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group
  • thecyberexpress.com: New Russian Cyber Threat ‘Laundry Bear’ Hits Western Targets
  • www.csoonline.com: New Russian APT group Void Blizzard targets NATO-based orgs after infiltrating Dutch police
  • The Register - Security: New Russian cyber-spy crew Laundry Bear joins the email-stealing pack
  • securityonline.info: Void Blizzard: New Russian Cyberespionage Group Targets NATO and Ukraine
  • securityaffairs.com: Russia-linked APT Laundry Bear linked to 2024 Dutch Police attack
  • industrialcyber.co: Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure
  • Virus Bulletin: Microsoft Threat Intelligence, in collaboration with Dutch security organizations AIVD & MIVD, observed Void Blizzard (a.k.a. LAUNDRY BEAR) conducting espionage operations primarily targeting organizations that are important to Russian government objectives.
  • Industrial Cyber: Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure
  • www.cybersecuritydive.com: Microsoft, Dutch government spot new Russian hacking group targeting critical infrastructure
  • Metacurity: Russian group Laundry Bear hacked Dutch police, targets Ukraine-allied nations
  • www.metacurity.com: Russian group Laundry Bear hacked Dutch police, targets Ukraine-allied nations
  • Vulnerable U: Void Blizzard hackers raid NATO cloud tenants with Evilginx phishing
  • Danny Palmer: A new Russian APT (LAUNDRY BEAR) is tearing through defence and government entities in NATO member states using stripped back and heavily automated threat techniques that nonetheless went widely undetected until they were spotted by the Dutch police, the Netherlands' security services revealed.
  • The Record: Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
  • www.scworld.com: Russian hackers Void Blizzard step up espionage campaign
  • The Hacker News: Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents

@industrialcyber.co //
A joint cybersecurity advisory has been issued by intelligence and cybersecurity agencies from multiple Western nations, including the United States, the United Kingdom, Germany, and France, warning of an aggressive cyber espionage campaign orchestrated by a Russian military cyber unit. The advisory directly implicates the Russian General Staff Main Intelligence Directorate (GRU) unit 26165, also known as APT28, Fancy Bear, and Forest Blizzard. This group has been actively targeting logistics and technology companies that are involved in providing aid to Ukraine. Their operations, ongoing for over two years, involve infiltrating networks to spy on arms shipments and logistics operations.

The GRU hackers are targeting a range of entities critical to the supply chain supporting Ukraine, including defense contractors, transport hubs like airports and ports, air traffic control systems, maritime operators, and IT service providers. Affected countries include the United States, Germany, Poland, France, Romania, Ukraine, the Netherlands, and others. The attackers not only infiltrate the main target company but also go after partners and connected firms, abusing trust relationships to spread deeper. In one instance, hackers stole credentials, gaining access to sensitive information on shipments, such as train schedules and shipping manifests.

The Russian hackers are employing a mix of both established and novel tactics to breach security. These tactics include credential guessing, brute-force attacks, and spearphishing emails disguised as legitimate login pages from Western email platforms. The GRU unit is also known for exploiting IP cameras in Ukraine and bordering NATO countries, likely to gather intelligence and monitor activities. Cybersecurity agencies urge logistics entities and technology companies to enhance monitoring, proactively hunt for known tactics and indicators of compromise, and fortify their network defenses, presuming they are targets.

Recommended read:
References:
  • www.esecurityplanet.com: Russian Hackers Target Western Firms Aiding Ukraine, Spy on Shipments
  • Industrial Cyber: Russian GRU’s Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains

@industrialcyber.co //
A Russian state-sponsored cyber espionage campaign, attributed to the GRU's APT28 (also known as Fancy Bear or Forest Blizzard), has been actively targeting Western logistics entities and technology companies since 2022. This campaign focuses on organizations involved in the coordination, transport, and delivery of foreign assistance to Ukraine. The goal is to gain access to sensitive information and disrupt operations, presenting a serious risk to these targeted organizations and sectors across more than a dozen countries.

These Russian cyber actors have been using a mix of previously disclosed tactics, techniques, and procedures (TTPs), including credential brute force attacks, spear-phishing using multilingual lures, and malware delivery via malicious archives exploiting vulnerabilities. They've also been observed hacking into IP cameras at Ukrainian border crossings to monitor and track aid shipments. The GRU unit, known as military unit 26165, has been linked to compromising a wide array of entities, spanning air, sea, and rail transportation modes.

To defend against these threats, organizations are urged to familiarize themselves with the identified TTPs and indicators of compromise (IOCs), increase monitoring and threat hunting, and strengthen their network defenses. The attacks have targeted companies and government organizations in numerous countries, including Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States. The advisory is co-signed by over 20 agencies from multiple countries, underscoring the global nature of this threat.

Recommended read:
References:
  • Metacurity: This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies.
  • NCSC News Feed: UK and allies expose Russian intelligence campaign targeting western logistics and technology organisations
  • CyberInsider: Russian GRU Cyber Campaign Targets Western Logistics and Tech Firms
  • securityonline.info: Russian GRU’s APT28 Targets Global Logistics Supporting Ukraine Defense
  • securityonline.info: Russian GRU Targets Global Logistics Supporting Ukraine Defense
  • www.cybersecuritydive.com: Russia stepping up attacks on firms aiding Ukraine, Western nations warn
  • cyberinsider.com: Russian GRU Cyber Campaign Targets Western Logistics and Tech Firms
  • BleepingComputer: A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) hackers has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine.
  • securityaffairs.com: Russia-linked APT28 targets western logistics entities and technology firms
  • Threats | CyberScoop: Multi-national warning issued over Russia’s targeting of logistics, tech firms
  • socprime.com: russian GRU Unit 26156 Targets Western Logistics and Technology Companies Coordinating Aid to Ukraine in a Two-Year Hacking Campaign
  • Blog: Russian APT28 targets Western firms supporting Ukraine
  • SOC Prime Blog: Detect APT28 Attacks: russian GRU Unit 26156 Targets Western Logistics and Technology Companies Coordinating Aid to Ukraine in a Two-Year Hacking Campaign
  • Metacurity: Russia's APT28 accused of infiltrating Western logistics, technology firms
  • Resources-2: Russian APT28 (aka Fancy Bear/Unit 26165) targets Western logistics and tech firms in Ukraine aid tracking operation
  • Virus Bulletin: Details a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies involved in the coordination, transport and delivery of foreign assistance to Ukraine.
  • DataBreaches.Net: Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
  • www.scworld.com: CISA warns Russia-linked group APT28 is targeting Western logistics and tech firms aiding Ukraine, posing an elevated threat to supply chains
  • eSecurity Planet: Russian Hackers Target Western Firms Aiding Ukraine, Spy on Shipments
  • www.esecurityplanet.com: Russian military hackers are targeting Western firms aiding Ukraine, using cyberespionage to infiltrate logistics networks and spy on arms shipments.
  • cyberscoop.com: Multi-national warning issued over Russia’s targeting of logistics, tech firms
  • industrialcyber.co: Russian GRU’s Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains
  • www.csoonline.com: Russian APT28 compromised Western logistics and IT firms to track aid to Ukraine
  • Industrial Cyber: Russian GRU’s Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains
  • www.microsoft.com: New Russia-affiliated actor Void Blizzard targets critical sectors for espionage

Dhara Shrivastava@cysecurity.news //
British retailer giant Marks & Spencer (M&S) is facing a major financial impact following a recent cyberattack, with potential profit losses estimated at £300 million, equivalent to $402 million. The attack has caused widespread operational and sales disruptions, particularly affecting the company's online retail systems. According to a recent filing with the London Stock Exchange, M&S anticipates these disruptions to continue until at least July, impacting its fiscal year 2025/26 profits.

The cyberattack has significantly impacted M&S’s online sales channels, forcing the company to temporarily halt online shopping in its Fashion, Home & Beauty divisions. This downtime has led to substantial revenue loss, despite the resilience of its physical stores. The company has also faced increased logistics and waste management costs as it reverted to manual processes. CEO Stuart Machin acknowledged the challenging situation but expressed confidence in the company's recovery, emphasizing a focus on restoring systems and accelerating technical transformation.

M&S is actively implementing strategies to mitigate the financial repercussions, including cost management, insurance claims, and strategic trading actions. The retailer is reportedly preparing to claim up to £100 million from its cyber insurance policy to offset some of the losses. The company views this crisis as an opportunity to expedite its technical transformation, although specific details of this transformation have not yet been disclosed. The costs related to the attack itself and technical recovery are expected to be communicated at a later date as an adjustment item.

Recommended read:
References:
  • The Register - Security: Marks & Spencer warns of a £300M dent in profits from cyberattack
  • The DefendOps Diaries: Marks & Spencer Faces Major Financial Impact from Cyberattack
  • BleepingComputer: Marks & Spencer faces $402 million profit hit after cyberattack
  • ComputerWeekly.com: M&S cyber attack disruption likely to last until July
  • BleepingComputer: British retailer giant Marks & Spencer (M&S) is bracing for a potential profit hit of up to £300 million ($402 million) following a recent cyberattack that led to widespread operational and sales disruptions.
  • techxplore.com: Marks & Spencer cyberattack: How can retailers regain customers' trust after a hack?
  • www.cybersecuritydive.com: M&S warns April cyberattack will cut $400 million from profits
  • The Hacker News: Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022.
  • DataBreaches.Net: Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
  • techxplore.com: Cyberattack costs UK retailer Marks & Spencer £300 mn
  • www.cysecurity.news: Scattered Spider Cyberattack Cripples M&S, Co-op: DragonForce Ransomware Causes Weeks-Long Disruption
  • Tech Monitor: Marks & Spencer faces £300m impact on profit from cyberattack
  • www.bleepingcomputer.com: Marks & Spencer faces $402 million profit hit after cyberattack
  • socprime.com: A joint advisory from cybersecurity and intelligence agencies across North America, Europe, and Australia confirms a two-year-long cyberespionage campaign by russian GRU Unit 26165 (APT28, Forest Blizzard, Fancy Bear).
  • www.esecurityplanet.com: Russian military hackers are targeting Western firms aiding Ukraine, using cyberespionage to infiltrate logistics networks and spy on arms shipments.
  • cyberinsider.com: Marks & Spencer Cyberattack Fallout Continues as Retailer Projects $400M Loss