Hackers attack Russian military units, defense industry enterprises and military support foundations

Malicious files are disguised as letters from the leadership of the Ministry of Defense, commercial offers for the purchase of equipment at a discount, or assistance to the military

Cybersecurity experts from F.A.C.C.T. Threat Intelligence note that since the beginning of autumn, there has been an increase in cyberattacks on Russian organizations associated with the defense industry and military personnel. Military units, defense industry enterprises and foundations supporting participants in the SMO are under attack.

The experts note that the most active groups were Core Werewolf, Unicorn, Sticky Werewolf and Cloud Atlas. Their most common techniques and procedures were:

  • Core Werewolf used a chain of VBS scripts to install the legitimate remote access program UltraVNC and, presumably, added a new SSH backdoor to its arsenal. The lures were an official letter on behalf of the Deputy Minister of Defense of the Russian Federation and a letter from the FSTEC of Russia;
  • Unicorn used variants of its custom-written malware, also called Unicorn. It was delivered to victims disguised as a commercial offer to purchase equipment for the SMO at a discount and as an offer to transfer equipment free of charge to a foundation for the needs of military personnel of the SMO;
  • Sticky Werewolf used the MimiStick program, targeting defense industry enterprises and research enterprises through mailings. As a final payload, the hackers sometimes installed the Darktrack RAT trojan.

According to the cybersecurity experts, Cloud Atlas also continues to use malicious documents whose content indicates that the military sector is being targeted.

F.A.C.C.T. notes that companies in the defense industry need to follow standard rules: train employees in the basics of cyber hygiene, promptly purchase and update security solutions for their enterprise infrastructure, and improve the skills of their specialists.
