< ciso
brief />
Tag Banner

All news with #russia nexus tag

113 articles · page 4 of 6

Russian ELECTRUM Linked to December 2025 Polish Grid Attack

🔎 Dragos attributes a coordinated late-December 2025 cyber attack on multiple Polish power grid sites to the Russian state-sponsored crew ELECTRUM with medium confidence. The campaign targeted communication and control systems at combined heat and power facilities and systems managing distributed energy resources, including wind and solar dispatch. Although no blackouts were reported, attackers gained access to OT networks and disabled some equipment beyond repair. Dragos notes the operation blended IT-to-OT tradecraft, with KAMACITE enabling access and ELECTRUM executing ICS-focused actions.
read more →

Russian Sandworm Group Accused Over Poland Power Attack

⚠️ ESET attributes a Dec. 29–30 cyberattack on Poland's electricity grid to Sandworm, a hacking group tied to Russia's GRU. The operation deployed Dynowiper, destructive malware that erases data and left systems at risk of prolonged outage, nearly knocking power out for hundreds of thousands of households. ESET links the incident to a longer campaign of disruptive attacks on Ukrainian energy infrastructure since 2014. Observers say the event highlights growing threats to industrial control systems and the need for stronger defenses and incident response.
read more →

ESET: Sandworm Linked to Late-2025 Polish Grid Attack

🔎 ESET Research attributes a coordinated late‑2025 cyberattack on Poland’s power grid to the Russia‑aligned APT group Sandworm, citing strong overlaps in malware and tactics. The analyzed destructive payload, named DynoWiper, is detected as Win32/KillFiles.NMO (SHA‑1: 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6). Researchers state medium confidence in the attribution and report they are not aware of any confirmed operational disruption. The incident occurred on the tenth anniversary of Sandworm’s 2015 Ukrainian power outage.
read more →

NCSC Warns of Pro-Russian DDoS Targeting UK Services

⚠️ The UK's National Cyber Security Centre (NCSC) warns that pro‑Russian hacktivist groups are conducting distributed denial-of-service (DDoS) attacks against British organisations, particularly local government and critical infrastructure operators. These attacks are typically low in technical sophistication but can still deny access, disrupt services and impose substantial recovery costs. The NCSC advises organisations and OT owners to review and harden defences, work with ISPs and CDNs, design scalable services, retain administrative access during incidents, and regularly test mitigations.
read more →

UK: Ongoing Russian Hacktivist DDoS Attacks Target Services

🚨 The U.K.'s National Cyber Security Centre (NCSC) warns of sustained disruptive DDoS activity from pro‑Russian hacktivists, notably NoName057(16), which operates the crowdsourced DDoSia platform that mobilises volunteers and offers rewards. Despite arrests and server takedowns during Operation Eastwood, the group has re-emerged and continues to target critical infrastructure, local government and OT systems. The NCSC advises strengthening upstream ISP/CDN protections, designing for rapid scaling, rehearsing response plans for graceful degradation, and continuous testing to reduce downtime and recovery costs.
read more →

NCSC Warns of Ongoing Russian-Aligned DDoS Pressure

⚠️ The UK National Cyber Security Centre (NCSC) has issued an alert about ongoing disruptive cyber activity by Russian-aligned hacktivist groups targeting UK organisations, with local government and critical national infrastructure singled out. The campaigns mainly use denial-of-service (DoS/DDoS) attacks to overwhelm websites and online systems, taking services offline. The advisory highlights groups such as NoName05716, their coordination via Telegram and the hosting of tooling on GitHub, and urges organisations to review DoS protections, strengthen resilience and engage with NCSC threat collection.
read more →

APT28 Credential Harvesting Hits Energy, Think Tanks

🔒 Recorded Future links GRU-affiliated APT28 (aka BlueDelta) to targeted credential-harvesting campaigns in 2025 that hit staff at a Turkish energy and nuclear research agency, a European think tank, and entities in North Macedonia and Uzbekistan. The group used regionally tailored Turkish-language lures and legitimate PDF decoys, deployed spoofed OWA, Google and Sophos VPN pages hosted on services such as Webhook.site, InfinityFree, Byet and ngrok, exfiltrating credentials before redirecting victims to real sites to avoid detection.
read more →

Russia-Aligned Hackers Abuse Viber to Deploy Malware

📲 Russian-aligned threat actor UAC-0184 used the Viber messaging app to deliver malicious ZIP archives to Ukrainian military and government recipients, according to 360 Threat Intelligence Center. The archives contained LNK decoys that silently executed Hijack Loader, which retrieves a second ZIP (smoothieks.zip) via PowerShell and reconstructs the loader in memory. The loader uses DLL side-loading, module stomping, CRC32 checks for installed security products, and scheduled tasks for persistence before injecting Remcos RAT into chime.exe to enable remote control and data theft.
read more →

Denmark Attributes Two Destructive Cyberattacks to Russia

🔒 The Danish Defence Intelligence Service (DDIS) publicly attributed two separate cyber operations to Russian-linked actors. It said a pro-Russian group known as Z-Pentest carried out a destructive intrusion against a Danish water utility in 2024, while NoName057(16), an actor with ties to the Russian state, mounted disruptive DDoS attacks against Danish websites ahead of municipal and regional elections in November. Danish authorities characterized the incidents as part of a broader pattern of state-aligned cyber coercion and disruption.
read more →

Russia-Linked Hackers Use Microsoft 365 Device Code Phishing

🔒 Proofpoint links a September 2025 phishing campaign to a suspected Russia-aligned cluster called UNK_AcademicFlare that exploits device code authentication to seize Microsoft 365 accounts. The group leverages compromised government and military email addresses to build rapport and send Cloudflare Worker links that mimic OneDrive, asking victims to copy and enter a short code. When users input the code on Microsoft's device code page, the service issues an access token that attackers can capture to take over accounts.
read more →

Denmark Blames Russia for 2024–25 Cyber Attacks, DDoS

🛡️ The Danish Defence Intelligence Service (DDIS) said on December 18, 2025 that Russian-aligned actors were responsible for recent destructive and disruptive cyber activity against Denmark. The agency named pro‑Russian hacktivist groups Z‑Pentest for a destructive 2024 intrusion at a water utility and NoName057(16) for DDoS campaigns targeting websites ahead of the 2025 municipal and regional elections. DDIS assessed both groups have links to the Russian state and are being used as instruments of a hybrid campaign to create insecurity and penalise countries supporting Ukraine. The statement followed a global advisory, co-signed by 23 law enforcement and intelligence bodies, which catalogued related TTPs.
read more →

Denmark Blames Russia for Destructive Water Utility Attack

🔒 Danish intelligence (DDIS) attributed a destructive cyberattack on a water utility to Russian-linked actors, identifying Z-Pentest as responsible for the sabotage and NoName057(16) for election-period DDoS operations. The agency said these actions are part of Moscow's broader hybrid campaign to punish countries supporting Ukraine. Officials will summon the Russian ambassador and warned the attacks undermine public security.
read more →

German Greens Warn of Russian Election Cyber Influence

🛡️The Greens say recent findings of Russian influence operations during the federal election confirm that existing protections for parliamentary democracy are inadequate. Although Germany implemented the NIS-2 law on December 6, 2024, it covers the federal administration and Bundestag administration but not the Bundestag as an institution or MPs' constituency offices. The federal government attributes an August 2024 cyberattack on air traffic control to the GRU-linked group Fancy Bear and says the campaign "Storm 1516" targeted the election with disinformation; the Russian ambassador was summoned.
read more →

Russian APT Targets Energy and Critical Infrastructure

🔎 Amazon Threat Intelligence reports a Russian state-sponsored cyber espionage team has increasingly targeted energy providers and other critical infrastructure, operating since at least 2021. The actors have shifted toward exploiting device misconfigurations while continuing to leverage known vulnerabilities such as CVE-2022-26318, CVE-2021-26084, CVE-2023-22518 and CVE-2023-2753. Observed tradecraft includes compromise of network-edge devices hosted on AWS EC2, passive credential capture and credential-replay attacks to move laterally across victim environments. Amazon provides indicators of compromise and specific mitigation guidance, including configuration audits, isolation of management interfaces and deployment of multi-factor authentication.
read more →

Amazon: Russian GRU Group Targets Western Infrastructure

🔐 Amazon Threat Intelligence details a multi-year, state-sponsored Russian campaign—assessed as GRU-linked—that targeted Western critical infrastructure, especially the energy sector, from 2021 through 2025. The actor shifted from exploiting N-day/zero-day flaws to abusing misconfigured customer network edge devices (including EC2-hosted appliances) to intercept credentials and gain persistent access. Amazon observed packet-capture based credential harvesting and subsequent credential replay attempts, with infrastructure overlaps linked to clusters tracked as Curly COMrades and Sandworm. Recommended mitigations include auditing edge devices, enforcing strong authentication, monitoring for credential replay, and applying AWS-specific controls.
read more →

VolkLocker Ransomware Exposed: Hard-Coded Master Key

🔓 VolkLocker, a new RaaS from the pro‑Russian group CyberVolk (GLORIAMIST), contains a critical implementation flaw that lets victims recover files without paying. Test samples embed a master key and write it in plaintext to the %TEMP% folder (system_backup.key), while using that same key for AES‑256‑GCM encryption. The Golang-built strain targets Windows and Linux, modifies the registry, deletes shadow copies, and uses Telegram automation for command-and-control and victim management.
read more →

Pro-Russia Hacktivists Target Critical Infrastructure

⚠️ This joint advisory from CISA, FBI, NSA, and international partners details opportunistic intrusions by pro‑Russia hacktivist groups—CARR, NoName057(16), Z‑Pentest, and Sector16—against OT/ICS environments. Actors are exploiting internet‑exposed VNC services, using open‑source scanning and brute‑force tools to access HMI devices with default or weak credentials, causing loss of view, configuration changes, and operational downtime. The advisory urges organizations to reduce public exposure, apply network segmentation, enforce strong authentication (MFA where feasible), harden device credentials, and follow secure‑by‑design guidance for OT products.
read more →

Star Blizzard Targets Reporters Without Borders in Phishing

📧 Sekoia.io researchers have identified a fresh wave of spear-phishing linked to the Russia-nexus intrusion set Star Blizzard (aka Calisto/ColdRiver) that targeted NGOs including Reporters Without Borders in May–June 2025. Operators impersonated trusted contacts via ProtonMail, using a custom Adversary-in-the-Middle kit to harvest credentials and relay 2FA prompts through compromised sites and redirectors. Observed tactics included a ZIP disguised as a .pdf, decoy encrypted PDFs instructing victims to open files in ProtonDrive, injected JavaScript to lock password-field focus, and an API-driven workflow for handling CAPTCHA and 2FA challenges, underscoring continued risk to Western organizations supporting Ukraine.
read more →

RomCom Uses SocGholish to Deliver Mythic Agent to US Firms

🔒 Arctic Wolf Labs observed a targeted September 2025 campaign in which the Russia-aligned RomCom group used fake browser-update prompts to deliver the Mythic Agent implant via a classic SocGholish chain. Researchers say this is the first observed instance of RomCom pairing SocGholish initial access with a Mythic C2-based loader. The intrusion was stopped before impact, and Arctic Wolf published IOCs and mitigation guidance.
read more →

RomCom via SocGholish Fake Update Targets US Civil Firm

🔒 Arctic Wolf Labs reports that a RomCom payload was delivered via a JavaScript loader known as SocGholish to a U.S.-based civil engineering company, marking the first observed use of this distribution method. The chain relied on fake browser update prompts to run a loader that established a reverse shell, dropped a custom Python backdoor called VIPERTUNNEL, and installed a RomCom DLL loader that launched the Mythic Agent. Attribution to GRU Unit 29155 is assessed at medium-to-high confidence, and the intrusion was blocked before it could progress further.
read more →