< ciso brief />

All news with #russia nexus tag

87 articles · page 2 of 5

APT28 Tied to CVE-2026-21513 MSHTML Zero-Day Exploit

🔍 Akamai links the Russia-linked actor APT28 to exploitation of CVE-2026-21513, a high-severity (CVSS 8.8) MSHTML security feature bypass that Microsoft patched in its February 2026 update. The flaw in ieframe.dll mishandles hyperlink navigation and can be weaponized by malicious HTML or LNK files to invoke ShellExecuteExW and run resources outside the browser sandbox. Akamai identified a sample uploaded to VirusTotal on 30 January 2026 tied to infrastructure associated with APT28, while Microsoft and Google intelligence teams reported real-world exploitation.

U.S. Sanctions Russian Exploit Broker for Stolen Zero‑Days

🔒 The U.S. Treasury Department's Office of Foreign Assets Control designated Matrix LLC (doing business as Operation Zero) and its owner, Sergey Zelenyuk, under the Protecting American Intellectual Property Act, marking the first use of that law. The move coincided with the sentencing of former L3Harris manager Peter Williams, who was given 87 months for stealing eight zero‑day exploits and selling them to Operation Zero for about $1.3 million in cryptocurrency. OFAC also named related companies and individuals, including a UAE front company and a suspected Trickbot affiliate, freezing U.S. assets and warning of potential secondary sanctions for U.S. persons who transact with the designated parties.

Former L3Harris Manager Sentenced for Selling Zero-Days

🔒 Peter Williams, former head of Trenchant at L3Harris, was sentenced to 87 months in federal prison after admitting he stole and sold zero-day exploit components to the Russian broker Operation Zero. Prosecutors say he transferred at least eight protected exploit components between 2022 and 2025 using a portable external drive and encrypted channels. L3Harris estimates the theft caused $35 million in losses and the sales netted Williams $1.3 million in cryptocurrency. Authorities ordered forfeiture of the crypto, a house, and luxury items, and the U.S. Treasury announced sanctions against the broker.

UAC-0050 Targets European Financial Institution with RMS

🔒 A Russia-aligned cybercrime cluster tracked as UAC-0050 (also known as DaVinci Group and labeled Mercenary Akula by BlueVoyant) carried out a spear-phishing operation this month against a European financial institution involved in regional development and reconstruction. The campaign spoofed a Ukrainian judicial domain and lured a senior legal and policy advisor to download an archive hosted on PixelDrain, which unpacked into a password-protected chain culminating in an executable disguised as a PDF. Execution led to installation of an MSI that deployed RMS remote desktop software, providing persistent remote control and file-transfer capabilities, consistent with the group’s prior use of remote-access tools to evade detection and maintain stealthy access.

Russian Actor Uses AI to Exploit Weak Fortinet Firewalls

🤖 Amazon Threat Intelligence says a Russian-speaking actor used commercial generative AI services to compromise hundreds of FortiGate firewalls by exploiting exposed management interfaces and weak, single-factor credentials. Between Jan. 11 and Feb. 18, 2026, the group breached over 600 devices across 55+ countries, then accessed Active Directory, extracted credential databases, and targeted backups. Amazon recommends fundamental controls (restrict management access, enforce MFA, patch perimeter devices, improve segmentation, and enhance detection), noting that the attacker's toolkit and operational plans were largely AI-generated and had been left exposed on infrastructure used in the campaign.

APT28 Campaign Uses Webhook-Based Docs to Target Europe

🔎 S2 Grupo's LAB52 attributes a campaign codenamed Operation MacroMaze to the Russia-linked APT28, active from September 2025 through January 2026. The attackers used spear-phishing documents containing an INCLUDEPICTURE field that points to webhook[.]site URLs to confirm document opens and deploy macros that run VBScript and batch files. Payloads render Base64 HTML in Microsoft Edge, using headless or off-screen browsers to retrieve commands and exfiltrate output to webhook endpoints. LAB52 emphasizes the campaign's operational simplicity and reliance on legitimate services to reduce detection.
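Editor's worked example (added to this digest; it is not LAB52's tooling and not code from the page's source article): the INCLUDEPICTURE beacon described above is cheap to hunt for at the mail gateway or in a sandbox, because the field code is stored as plain text inside the document's XML parts. The script below builds two constructed .docx files in memory, reassembles field instructions from both shapes Word uses (w:fldSimple and w:fldChar/w:instrText runs), and reports every INCLUDEPICTURE whose target is an http(s) URL, treating webhook.site as high severity. The file names, the webhook.site token and the severity labels are assumptions for the demo.

```python
"""Flag INCLUDEPICTURE fields that beacon to remote URLs in .docx files.
Added example for this digest, not LAB52 tooling; the sample documents are
constructed in memory so the script runs offline."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"
HIGH_RISK_HOSTS = ("webhook.site",)  # beacon services; extend for your environment
INCLUDEPICTURE_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s]+)"?', re.IGNORECASE)

def iter_field_codes(part_xml: bytes):
    """Yield field instructions from one WordprocessingML part: both <w:fldSimple w:instr=...>
    and the <w:fldChar begin/>..<w:instrText>..<w:fldChar end/> form (nested fields flattened)."""
    root = ET.fromstring(part_xml)
    for fld in root.iter(W + "fldSimple"):
        if fld.get(W + "instr"):
            yield fld.get(W + "instr")
    depth, pieces = 0, []
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                if depth == 0:
                    pieces = []
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0 and pieces:
                    yield "".join(pieces)
        elif el.tag == W + "instrText" and depth > 0:
            pieces.append(el.text or "")

def scan_docx(data: bytes) -> list:
    """Return one finding per INCLUDEPICTURE whose target is an http(s) URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Fields also hide in headers, footers and footnotes, so scan every word/*.xml part.
        for part in (n for n in zf.namelist() if n.startswith("word/") and n.endswith(".xml")):
            for instr in iter_field_codes(zf.read(part)):
                match = INCLUDEPICTURE_RE.search(instr)
                if not match:
                    continue
                parsed = urlparse(match.group(1))
                if parsed.scheme not in ("http", "https"):
                    continue  # local path or UNC: not a web beacon
                host = (parsed.hostname or "").lower()
                high = any(host == h or host.endswith("." + h) for h in HIGH_RISK_HOSTS)
                findings.append({"part": part, "url": match.group(1),
                                 "no_cache": "\\d" in instr,  # \d switch: refetch on every open
                                 "severity": "high" if high else "medium"})
    return findings

def build_docx(body_xml: str) -> bytes:
    """Build a minimal .docx in memory (constructed fixture, not a real lure)."""
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:document xmlns:w="' + W_NS + '"><w:body><w:p>' + body_xml +
                '</w:p></w:body></w:document>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     '<Override PartName="/word/document.xml" ContentType="application/vnd.'
                     'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()

# Complex-field beacon in the shape the campaign used; the webhook.site token is a placeholder.
BEACON_FIELD = (
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE '
    '"https://webhook.site/00000000-0000-0000-0000-000000000000" \\d </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>')
# Ordinary fields: a page number and a picture linked from a local path.
BENIGN_FIELDS = (
    '<w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple>'
    '<w:fldSimple w:instr="INCLUDEPICTURE &quot;C:\\\\Templates\\\\logo.png&quot; \\d">'
    '<w:r><w:t/></w:r></w:fldSimple>')

def demo() -> dict:
    """Scan two constructed documents and return {filename: findings}."""
    return {"invitation.docx": scan_docx(build_docx(BEACON_FIELD)),
            "newsletter.docx": scan_docx(build_docx(BENIGN_FIELDS))}

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "no remote INCLUDEPICTURE")
```

The `\d` switch on INCLUDEPICTURE tells Word not to store the image with the document, so the URL is fetched again on every open; a remote URL carrying that switch is a stronger signal than the URL alone, which is why the scanner records it. The same field can be placed in a header, footer or footnote part, so the scan covers every word/*.xml part rather than document.xml only.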

Russian-speaking Actor Uses GenAI to Compromise FortiGate

🔍 Amazon Web Services reported a low-skilled, Russian-speaking actor used commercial GenAI services to run an opportunistic campaign that compromised over 600 FortiGate devices across more than 55 countries between 11 January and 18 February 2026. The attacker scanned internet-exposed management interfaces, attempted commonly reused credentials and relied on AI-assisted scripts to parse stolen configurations and automate VPN access. AWS noted no exploitation of FortiGate vulnerabilities and that AWS infrastructure was not involved. Defenders are urged to prioritize patching, credential hygiene and post-exploitation detection.
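Editor's worked example for the two Fortinet items above (added here; not code from Amazon's report, AWS, or Fortinet): the campaign needed only an Internet-reachable management interface and a password-only admin account, and both are visible in the device's own configuration. The script below parses a FortiOS CLI configuration dump and reports WAN-role interfaces that allow a management protocol, administrator accounts with no trusthost restriction, and accounts with two-factor disabled, then runs the same checks on a corrected configuration. Both configs are constructed and abbreviated (no password lines, no nested blocks) in FortiOS CLI syntax, and the finding texts are the editor's wording.

```python
"""Audit a FortiOS configuration dump for exposed management access and
single-factor admin logins.  Added example for this digest; the two configs
are constructed samples, not material from the Amazon/AWS report."""
import shlex

# Protocols that hand an attacker a login prompt when allowed on an interface.
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}

def parse_fortios(config_text: str) -> dict:
    """Parse 'config ... / edit ... / set ... / next / end' blocks into
    {section: {entry: {key: [values]}}}.  Nested config blocks inside an entry
    are not modelled; their settings fold into the enclosing entry, which is
    enough for this audit."""
    tree, stack, entry = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(" ".join(args))
            tree.setdefault(stack[-1], {})
        elif kw == "edit" and stack and args:
            entry = tree[stack[-1]].setdefault(args[0], {})
        elif kw == "set" and entry is not None and args:
            entry[args[0]] = args[1:]
        elif kw == "next":
            entry = None
        elif kw == "end" and stack:
            stack.pop()
    return tree

def audit(tree: dict) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    for name, iface in tree.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", []))
        if iface.get("role", [""])[0] == "wan" and exposed:
            findings.append(f"interface {name}: {sorted(exposed)} allowed on a WAN-role "
                            "interface; move management off the WAN or restrict it")
    for name, admin in tree.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in admin):
            findings.append(f"admin {name}: no trusthost entries, logins accepted from any source IP")
        if admin.get("two-factor", ["disable"])[0] == "disable":
            findings.append(f"admin {name}: two-factor is disabled (password-only login)")
    return findings

def audit_text(config_text: str) -> list:
    return audit(parse_fortios(config_text))

# Constructed config in the weak shape described in the reports.
WEAK_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh fgfm
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

# The same device after applying the recommended controls.
HARDENED_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh fgfm
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.0.0
        set two-factor fortitoken
    next
end
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]", audit_text(cfg) or "no findings")
```

Feed it the output of `show` (or `show full-configuration`) from the device; the interface check keys on `set role wan`, so interfaces left at the default role are not flagged and should be reviewed by name. Because the actor reused credentials rather than exploiting a FortiOS bug, passing this audit does not replace patching; it removes the foothold this particular campaign depended on.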

Google Links Suspected Russian Actor to CANFAIL Attacks

⚠️ Google Threat Intelligence Group (GTIG) attributes campaigns using CANFAIL against Ukrainian defense, military, government, and energy organizations to a previously undocumented actor that is likely linked to Russian intelligence. The actor has expanded interest to aerospace, defense-adjacent manufacturing, nuclear and chemical research, and humanitarian groups, often impersonating Ukrainian and Romanian energy firms in phishing. Operators used LLMs to produce reconnaissance and social-engineering lures, embedding Google Drive links to RAR archives that deliver obfuscated JavaScript which spawns PowerShell memory-only droppers. GTIG links this activity to the PhantomCaptcha campaign disclosed by SentinelOne SentinelLABS in October 2025.

Google: Hackers Abusing Gemini AI Across All Attack Stages

🛡️ Google Threat Intelligence Group warns state-backed actors are abusing Gemini across the full attack lifecycle, from reconnaissance and phishing-lure generation to C2 development and data exfiltration. Groups linked to China, Iran, North Korea, and Russia used the model for target profiling, code generation, translation, vulnerability testing, and troubleshooting. Google says it has disabled abusive accounts and implemented targeted classifier defenses to make misuse harder.

Italy Repels Russian Cyber Attacks Ahead of Olympics

🛡️ Italy says it repelled multiple cyberattacks of Russian origin days before the Winter Olympic Games in Milan and Cortina d'Ampezzo. Targets included sites connected to the Games and several hotels in Cortina; facilities of the Foreign Ministry were also affected. Foreign Minister Antonio Tajani thanked security teams and said authorities coordinated defenses with event organizers.

APT28 Exploits Microsoft Office CVE-2026-21509 in Attacks

🔎 The Russia-linked threat actor APT28 has been observed exploiting CVE-2026-21509 in targeted Microsoft Office document attacks as part of Operation Neusploit. Zscaler ThreatLabz reported activity beginning on January 29, 2026, using localized lures and server-side geofilters to deliver malicious DLLs only to intended victims in Ukraine, Slovakia, and Romania. The exploit chains employ RTF/Word files that drop two distinct loaders: a C++ email stealer named MiniDoor and a more elaborate PixyNetLoader, which uses steganography and COM hijacking to deploy a Covenant Grunt implant. The campaign demonstrates focused espionage objectives, targeted evasion, and persistent C2 capabilities.

Russian APT28 Exploits Patched Microsoft Office Bug

🛡️ Ukraine's CERT-UA warns that the Russian state-linked actor APT28 is exploiting the recently patched CVE-2026-21509 in Microsoft Office. Malicious DOC files, observed days after Microsoft's emergency out-of-band update on Jan. 26, deploy a WebDAV download chain, COM hijacking, a malicious DLL (EhStoreShell.dll), shellcode hidden in an image (SplashScreen.png), and a scheduled task named OneDriveHealth. The chain ends by launching the COVENANT framework, which uses the Filen cloud storage service for command-and-control. Organizations are advised to apply Microsoft's updates for affected Office versions, restart applications where required, and consider blocking or monitoring Filen-related traffic.

Fancy Bear Exploits Microsoft Office CVE-2026-21509

🔒 CERT-UA reports that Russian-linked group Fancy Bear leveraged CVE-2026-21509 in Microsoft Office to target Ukrainian and EU organizations. Malicious Word documents downloaded a disguised LNK file over WebDAV, which deployed a DLL and an image containing shellcode. The campaign used COM hijacking and a scheduled task to restart explorer.exe and load a malicious EhStoreShell.dll, ultimately launching the Covenant C2 framework. Microsoft has published updates and service-side mitigations; affected customers should apply patches and the recommended registry changes.

Russian Cyber Threats to the 2026 Winter Olympics Overview

🔐 This Unit 42 analysis outlines the evolving Russian cyber threat to the Milano Cortina 2026 Winter Olympics, framing Russia’s IOC exclusion as a geopolitical grievance that raises the risk of disruptive operations. It reviews historical GRU-linked campaigns against prior Games and projects plausible scenarios ranging from destructive OT malware to AI-driven deepfakes and V2X manipulation. The report recommends zero‑trust visibility, IoT anomaly detection, telemetry verification, and micro‑segmentation to reduce operational impact.

Russian ELECTRUM Linked to December 2025 Polish Grid Attack

🔎 Dragos attributes a coordinated late-December 2025 cyber attack on multiple Polish power grid sites to the Russian state-sponsored crew ELECTRUM with medium confidence. The campaign targeted communication and control systems at combined heat and power facilities and systems managing distributed energy resources, including wind and solar dispatch. Although no blackouts were reported, attackers gained access to OT networks and disabled some equipment beyond repair. Dragos notes the operation blended IT-to-OT tradecraft, with KAMACITE enabling access and ELECTRUM executing ICS-focused actions.

Russian Sandworm Group Accused Over Poland Power Attack

⚠️ ESET attributes a Dec. 29–30 cyberattack on Poland's electricity grid to Sandworm, a hacking group tied to Russia's GRU. The operation deployed DynoWiper, destructive malware that erases data and left systems at risk of prolonged outage, nearly knocking out power for hundreds of thousands of households. ESET links the incident to a longer campaign of disruptive attacks on Ukrainian energy infrastructure since 2014. Observers say the event highlights growing threats to industrial control systems and the need for stronger defenses and incident response.

ESET: Sandworm Linked to Late-2025 Polish Grid Attack

🔎 ESET Research attributes a coordinated late‑2025 cyberattack on Poland’s power grid to the Russia‑aligned APT group Sandworm, citing strong overlaps in malware and tactics. The analyzed destructive payload, named DynoWiper, is detected as Win32/KillFiles.NMO (SHA‑1: 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6). Researchers state medium confidence in the attribution and report they are not aware of any confirmed operational disruption. The incident occurred on the tenth anniversary of Sandworm’s 2015 Ukrainian power outage.

NCSC Warns of Pro-Russian DDoS Targeting UK Services

⚠️ The UK's National Cyber Security Centre (NCSC) warns that pro‑Russian hacktivist groups are conducting distributed denial-of-service (DDoS) attacks against British organisations, particularly local government and critical infrastructure operators. These attacks are typically low in technical sophistication but can still deny access, disrupt services and impose substantial recovery costs. The NCSC advises organisations and OT owners to review and harden defences, work with ISPs and CDNs, design scalable services, retain administrative access during incidents, and regularly test mitigations.

UK: Ongoing Russian Hacktivist DDoS Attacks Target Services

🚨 The U.K.'s National Cyber Security Centre (NCSC) warns of sustained disruptive DDoS activity from pro‑Russian hacktivists, notably NoName057(16), which operates the crowdsourced DDoSia platform that mobilises volunteers and offers rewards. Despite arrests and server takedowns during Operation Eastwood, the group has re-emerged and continues to target critical infrastructure, local government and OT systems. The NCSC advises strengthening upstream ISP/CDN protections, designing for rapid scaling, rehearsing response plans for graceful degradation, and continuous testing to reduce downtime and recovery costs.

NCSC Warns of Ongoing Russian-Aligned DDoS Pressure

⚠️ The UK National Cyber Security Centre (NCSC) has issued an alert about ongoing disruptive cyber activity by Russian-aligned hacktivist groups targeting UK organisations, with local government and critical national infrastructure singled out. The campaigns mainly use denial-of-service (DoS/DDoS) attacks to overwhelm websites and online systems and take services offline. The advisory highlights groups such as NoName057(16), their coordination via Telegram and the hosting of tooling on GitHub, and urges organisations to review DoS protections, strengthen resilience and engage with the NCSC's threat-information collection.