Hackers Attack Russia & Belarus

A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organisations located in Russia and Belarus. The group is well versed in methods more generally used by cyber criminals in large-scale ransomware attacks.

Since the beginning of Ukraine's defence against Russian invasion forces, there have emerged numerous hacktivist groups whose main goal is not financial gain, but to cause as much damage as possible to companies on the opposing side of the conflict. Head Mare is one such group, likely comprising members of Ukraine's notorious cyber crime community, who have taken up the national struggle using criminal methods.

Researchers say that over the past year, at least 14 state-sponsored hacker groups from around the world have targeted Russia and several former Soviet republics (Azerbaijan, Belarus, Kyrgyzstan and Kazakhstan) with destructive or espionage campaigns. Some of these groups were likely linked to Ukraine, which is in an ongoing war with Russia; others acted in the interests of their own countries, including North Korea and China.

Head Mare, active since 2023, is one of the hacktivist groups that have been attacking Russian organisations since the failed Russian invasion of Ukraine and the subsequent two years of bloody conflict. Targets of the group's attacks include the government, transportation, energy, manufacturing and environment sectors.

Belarus, a close ally of Russia, was rocked by mass protests after an election in 2020 that gave authoritarian President Alexander Lukashenko his sixth term in office, a vote that was denounced by the West and the opposition as fraudulent. The domestic protest was so severe that the government resorted to shutting down the internet and national mobile telecoms network in an effort to keep control. 

Locked & Encrypted Devices

Unlike other hacktivist groups, which operate mainly to disrupt operations and cause damage to companies in the two countries, Head Mare goes further: it encrypts victims' devices using well-known and powerful ransomware tools, LockBit for Windows and Babuk for Linux (ESXi) hosts, and demands a ransom for data decryption.

The group's custom tooling includes PhantomDL and its predecessor PhantomCore (aka PhantomRAT), a remote access trojan with similar features: downloading files from the C2 server, uploading files from a compromised host to the C2 server, and executing commands through the cmd.exe command-line interpreter.

Both artefacts have been distributed via phishing campaigns as purported business documents with double extensions (e.g., решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe or тз на разработку.pdf.exe). On a Windows host left at its default of hiding known file extensions, such a lure displays as an ordinary PDF, which is what makes the trick effective.
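The double-extension lure is simple enough to screen for at a mail gateway or in attachment logs. The following Python is an added example, not code from the article or from any vendor research it draws on; it checks an attachment name for a decoy document extension immediately followed by an executable one. The two Cyrillic filenames are the ones quoted above; the remaining sample names and the extension lists are constructed for the example, and the whitespace handling goes beyond the article by also catching the padded variant ("report.pdf      .exe") that attackers use to push the real extension out of view.

```python
"""Flag attachment names that use a double extension such as 'name.pdf.exe'.

Added illustration for the Head Mare phishing lures described above. The two
Cyrillic filenames are quoted from the article; everything else (extension
lists, other sample names) is constructed for this example.
"""
from dataclasses import dataclass

# Extensions that Windows runs directly or that execute script content.
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "ps1", "msi", "hta", "lnk", "dll",
}

# Extensions commonly used as the decoy "document" part of the name.
DOCUMENT_EXTS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
    "odt", "jpg", "jpeg", "png", "zip", "rar",
}


@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reason: str


def split_extensions(name: str) -> list[str]:
    """Return the lower-cased extension chain after the base name.

    Whitespace around each dot is stripped, so 'report.pdf      .EXE'
    yields ['pdf', 'exe'] just like 'report.pdf.exe'.
    """
    parts = [p.strip().lower() for p in name.split(".")]
    return parts[1:]  # parts[0] is the base name


def check_attachment(name: str) -> Verdict:
    """Classify one attachment name.

    Suspicious when the final extension is executable; the reason records
    whether a document extension was used to mask it (the Head Mare pattern)
    or whether it is simply a bare executable attachment.
    """
    exts = split_extensions(name)
    if not exts:
        return Verdict(name, False, "no extension")
    final = exts[-1]
    if final not in EXECUTABLE_EXTS:
        return Verdict(name, False, f"final extension .{final} is not executable")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        return Verdict(name, True,
                       f"document extension .{exts[-2]} masks executable .{final}")
    return Verdict(name, True, f"bare executable attachment .{final}")


def scan(names: list[str]) -> list[Verdict]:
    """Return only the suspicious verdicts for a batch of attachment names."""
    return [v for v in (check_attachment(n) for n in names) if v.suspicious]


# Constructed batch: two lure names from the article plus benign controls.
SAMPLE_ATTACHMENTS = [
    "решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe",
    "тз на разработку.pdf.exe",
    "report.pdf      .EXE",      # padded variant, real extension pushed right
    "quarterly_figures.xlsx",    # benign
    "archive.tar.gz",            # multi-extension but not executable
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_ATTACHMENTS):
        print(f"SUSPICIOUS {verdict.filename!r}: {verdict.reason}")
```

Because the check works on the name alone, it is a cheap first filter rather than a verdict; pair it with content inspection (the PE magic bytes `MZ` at the start of a file that claims to be a PDF) before relying on it, and remember that the same name is perfectly innocuous if the host shows full extensions and the user knows what `.exe` means.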

Another crucial component of the group's arsenal is Sliver, an open-source C2 framework, alongside a collection of publicly available tools such as rsockstun, ngrok and Mimikatz that facilitate discovery, lateral movement and credential harvesting.

The intrusions culminate in the deployment of either LockBit or Babuk depending on the target environment, followed by dropping a ransom note that demands a payment in exchange for a decryptor to unlock the files.

The Hacker News     |     Secure List     |     The Record     |     X.com     |     AP News     |     Kyiv Post

Image: Ideogram & Unsplash
