Blogs by Ashwin

  Introduction The WannaCry Ransomware attacked worldwide in May, 2017. It used the WannaCry ransomware cryptoworm, and targeted the computers running on the Microsoft Windows Operating System. It encrypted the data and demanded ransom payments in the Bitcoin cryptocurrency. It exploited EternalBlue. developed by the United States National Security Agency, which was stolen and leaked by The Shadow Brokers one month before the attack occurred.  Countries like the U.S.A. and U.K. formally confirmed that the attack was originated from North Korea. However, North Korea denied any involvement in the attack. It is estimated that the attack affected more than 300,000 computers of about 150 countries.  Characteristics The WannaCry Ransomware cryptoworm is also known as WannaCrypt, Wanna Decrypt0r 2.0, and Wanna Decryptor. It is a network worm laced with a transport mechanism to automatically spread itself. The transport code scans the vulnerable systems and gain access using the EternalBlue ex

  Introduction Hades Ransomware has been active since December, 2020. However, there is limited public knowledge about behind the scene threat group. Some attributes Hades to the HAFNIUM threat group, while the other relates it to the financially motivated GOLD DRAKE threat group because it has some similarities to the group's WastedLocker ransomware. the financially motivated threat group, GOLD WINTER, operates the Hades ransomware. Ransomware groups are typically opportunistic, targeting the organizations susceptible to extortion and pay the ransom. However, GOLD WINTER had attacked many North American manufacturing organizations, showcasing its interest as a "big game hunter", looking for high-value targets. Characteristics There are only a small number of organizations that were reportedly attacked by Hades group. However, there might be more victims that are publicly identified. They have mostly focused on a few industries like logistics providers, manufacturing indu

  Introduction ELECTRUM has been associated with the SANDSTORM Advanced Persistent Threat. It was responsible for the power outage in, Kiev, Ukraine, in December 2016. They blacked out some part of the city's electricity for about an hour. This was done via ICS malware CRASHOVERRIDE. They have been active since 2009 and mostly targets Ukraine.  Characteristics ELECTRUM has entered into both developmental and operational role after the power outage incident. It does not depend on exploits or zero-day vulnerabilities. However, it leverages common exploitation behaviors and methodology. It also uses Microsoft SQL database servers as gateways to bridge both the industrial and business control networks. In this way, they can successfully compromise industrial control systems where they can use stolen credentials to execute code.  ELECTRUM is still active but evidence shows that it is not targeting Ukraine exclusively. It is considered as one of the most competitive and sophisticated thr

  Introduction Recently, Microsoft has unveiled a Gaza-based threat actor, primarily targeting the private-sector organizations of Israel. There main focus is on energy, defense, and telecommunications companies. This group works in the interests of Hamas, a Sunni militant organization, and attacks the organizations deemed hostile towards Hamas. They have also targeted Fatah, a Palestinian political party, located in the West Bank. Characteristics The attack strategy of Storm-1133 includes social engineering and the creation of fake profiles on LinkedIn. These fake profiles pose as the human resource managers, project coordinators, and software developers from Israel. They initiate communication with Israeli employees of various organizations by sending phishing messages, conducting reconnaissance, and then deliver malware. They also try to intrude third-party organizations with the help of links known to the employees of Israel. Through this intrusion, they try to create the backdoors

  Introduction Callisto or Calisto is Russian cyber espionage group targeting multiple entities supporting Ukraine in the war. They attacks many government and private companies of the company including the US and Europe. This APT (Advanced Persistent Threat) is active since 2017, and nicknamed as Blue Callisto, Coldriver, Seaborgium, and Callisto Group.  It has increased its attacks against Ukraine after the Russian invasion of the country. It has targeted at least ten entities supporting Ukraine, including six private companies of the U.S.A. and Eastern Europe and four NGOs. Mostly, these private companies were related to military equipment, military logistics or humanitarian support for Ukraine. When & How? The Callisto group has been active since many years and have targeted many victims. Hence, knowing about their pattern of attacks, helps a lot in understanding them. So, when and how they have attacked is as follows: This APT is mainly interested in gathering intelligence rel

  Introduction Axiom is a highly sophisticated suspected Chinese cyber espionage group. It has targeted aerospace, defense, and the other government as well as media and manufacturing industries since 2008. It seems identical to the Winnti group and distinct according to their TTPs and targeting. It had attacked countries like North America, Europe, and East and Southeast Asia.  Characteristics Some of the main characteristics of the Axiom hacker group are as follows: They use sphere phishing to attack, along with Adobe Ghost, Poison Ivy, and Torn RAT malwares.  This group has been active at least since 2008 and is estimated to have been backed by the Chinese government. It uses many malwares identical to the ones used in Chinese government operations, indicating some form of collaboration.  It has the ability to leverage publicly available tools. It initially starts by tricking the victims via phishing emails before deploying the malwares like Ghost RAT trojan to maintain its persiste