Posts

Showing posts from November, 2023

KelvinSecurity Hacker Group: A Notorious Data Seller

Introduction

The KelvinSecurity hacker group is likely a Russia-based hacker organization with a significant presence on deep and Dark Web forums frequented by all types of hackers and cybercriminals. It is a notorious data seller that offers valuable information to its customers, along with unauthorized access to various systems so that cybercriminals can exploit their vulnerabilities. The group is known for selling initial access to cybercriminals and has attacked many organizations, such as Vodafone (Italy) and Drakorindo. Recently, it targeted the German Institute of Global and Area Studies (GIGA), located in Hamburg. GIGA conducts interdisciplinary research on political, economic, and social developments in Asia, Africa, Latin America, and the Middle East. KelvinSecurity stole a total of 1GB of its data containing confidential information about the organization's employees and staff. The hacker group shared a post on the Dark Web claiming that the stole

Threat Actor TAG-53

Introduction

TAG-53 is a Russian threat actor that runs phishing campaigns posing as various defense, aerospace, and logistics companies. The infrastructure used by this threat actor overlaps with the tactics, techniques, and procedures of the Callisto Group, COLDRIVER, and SEABORGIUM. It has repeatedly reused the same traits: specific domain registrars, Let's Encrypt TLS certificates, a small cluster of autonomous systems, and a specific stylistic structure.

Characteristics

TAG-53 originated in Russia and has objectives and victimology aligned with Russian interests. After Russia's invasion in 2022, it mainly targeted NATO countries such as the USA and the UK, along with Ukraine. It has conducted phishing campaigns via Gmail accounts and attacked many non-governmental organizations, think tanks, and journalists, as well as government and defense officials. Having evolved over time, it has also started incorporating PDF or DOC file links hosted on Google Drive and Microsoft

Ransomware WannaCry

Introduction

The WannaCry ransomware attack struck worldwide in May 2017. It used the WannaCry ransomware cryptoworm and targeted computers running the Microsoft Windows operating system. It encrypted the data and demanded ransom payments in the Bitcoin cryptocurrency. It exploited EternalBlue, an exploit developed by the United States National Security Agency, which was stolen and leaked by The Shadow Brokers one month before the attack occurred. Countries such as the U.S.A. and the U.K. formally confirmed that the attack originated from North Korea; North Korea, however, denied any involvement. It is estimated that the attack affected more than 300,000 computers in about 150 countries.

Characteristics

The WannaCry ransomware cryptoworm is also known as WannaCrypt, Wanna Decrypt0r 2.0, and Wanna Decryptor. It is a network worm with a transport mechanism that spreads it automatically. The transport code scans for vulnerable systems and gains access using the EternalBlue ex

Hades: The Unseen One

Introduction

Hades ransomware has been active since December 2020, but public knowledge about the threat group behind it is limited. Some attribute Hades to the HAFNIUM threat group, while others relate it to the financially motivated GOLD DRAKE threat group because of its similarities to that group's WastedLocker ransomware. The financially motivated threat group GOLD WINTER operates the Hades ransomware. Ransomware groups are typically opportunistic, targeting organizations that are susceptible to extortion and likely to pay the ransom. GOLD WINTER, however, has attacked many North American manufacturing organizations, showing its interest as a "big game hunter" looking for high-value targets.

Characteristics

Only a small number of organizations have reportedly been attacked by the Hades group, but there may be more victims than have been publicly identified. The group has mostly focused on a few industries, such as logistics providers and manufacturing indu

ELECTRUM: A SANDWORM APT

Introduction

ELECTRUM has been associated with the SANDWORM Advanced Persistent Threat. It was responsible for the power outage in Kiev, Ukraine, in December 2016, which blacked out part of the city's electricity for about an hour. This was done via the ICS malware CRASHOVERRIDE. The group has been active since 2009 and mostly targets Ukraine.

Characteristics

ELECTRUM has taken on both developmental and operational roles since the power outage incident. It does not depend on exploits or zero-day vulnerabilities; instead, it leverages common exploitation behaviors and methodology. It also uses Microsoft SQL database servers as gateways to bridge the industrial control and business networks. In this way, it can compromise industrial control systems, where it uses stolen credentials to execute code. ELECTRUM is still active, and evidence shows that it is not targeting Ukraine exclusively. It is considered one of the most competitive and sophisticated thr

Storm-1133: A Gaza-based Threat Actor

Introduction

Microsoft recently unveiled a Gaza-based threat actor that primarily targets private-sector organizations in Israel, with a main focus on energy, defense, and telecommunications companies. The group works in the interests of Hamas, a Sunni militant organization, and attacks organizations deemed hostile towards Hamas. It has also targeted Fatah, a Palestinian political party based in the West Bank.

Characteristics

The attack strategy of Storm-1133 includes social engineering and the creation of fake profiles on LinkedIn. These fake profiles pose as human resource managers, project coordinators, and software developers from Israel. They initiate communication with Israeli employees of various organizations by sending phishing messages, conducting reconnaissance, and then delivering malware. The group also tries to intrude into third-party organizations using links familiar to Israeli employees. Through this intrusion, it tries to create the backdoors

Callisto: Cyber Attack Group Against Ukraine

Introduction

Callisto, or Calisto, is a Russian cyber espionage group targeting multiple entities supporting Ukraine in the war. It attacks many government bodies and private companies, including in the US and Europe. This APT (Advanced Persistent Threat) has been active since 2017 and is also known as Blue Callisto, Coldriver, Seaborgium, and the Callisto Group. It has increased its attacks against Ukraine since the Russian invasion of the country. It has targeted at least ten entities supporting Ukraine, including six private companies in the U.S.A. and Eastern Europe and four NGOs. Most of these private companies were related to military equipment, military logistics, or humanitarian support for Ukraine.

When & How?

The Callisto group has been active for many years and has targeted many victims, so knowing its pattern of attacks helps a lot in understanding it. When and how it has attacked is as follows: This APT is mainly interested in gathering intelligence rel

Axiom: A Highly Sophisticated Cyber Espionage Group

Introduction

Axiom is a highly sophisticated suspected Chinese cyber espionage group. It has targeted aerospace, defense, and other government sectors, as well as the media and manufacturing industries, since 2008. It appears to overlap with the Winnti group but is distinct based on TTPs and targeting. It has attacked targets in North America, Europe, and East and Southeast Asia.

Characteristics

Some of the main characteristics of the Axiom hacker group are as follows: It uses spear phishing to attack, along with the Adobe Ghost, Poison Ivy, and Torn RAT malware. The group has been active since at least 2008 and is estimated to be backed by the Chinese government. It uses much of the same malware used in Chinese government operations, indicating some form of collaboration. It has the ability to leverage publicly available tools. It initially tricks victims via phishing emails before deploying malware such as the Ghost RAT trojan to maintain its persiste

Anchor Panda: A Chinese Hacker Group

Introduction

Anchor Panda, also known as APT14, is a China-based hacker group that mainly targets civil and military maritime operations in green/brown water regions, chiefly the area of operations of the South Sea Fleet of the PLA Navy. Western companies in countries such as the US, Germany, Sweden, the UK, and Australia have also become victims of its frequent attacks. Anchor Panda also targets embassies and diplomatic missions, foreign intelligence services, and foreign governments' space programs.

Characteristics

Some of the main characteristics of the Anchor Panda hacker group are as follows: The name "Anchor Panda" corresponds to its origins: "Anchor" is a general maritime term and "Panda" is often used to denote China. The group uses spear phishing to attack, along with the Adobe Ghost, Poison Ivy, and Torn RAT malware. It has been active since 2013 and is estimated to be backed by the Chinese governmen

APT29: A Russian Hacker Group

Introduction

APT is an abbreviation of Advanced Persistent Threat. APT29 is recognized as a Russian hacker group by the U.S. federal government and is said to be associated with one or more Russian intelligence agencies. Other cybersecurity firms have given it various nicknames, including Cozy Bear, CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM. This threat actor came into prominence in 2014. It is believed to have organized a series of precise cyber attacks on the national data of the U.S. government on December 20, 2020, under the direction of Russia. Its general characteristics are: It targets high-profile victims and sensitive data. It has advanced crypto and anti-detection capabilities. It has structural and functional similarities to the early MiniDuke, CosmicDuke, and OnionDuke.

Attack Method

Since it targets highly confidential data and political information, it attacks in the following ways: It can ma