Hackers Attack Russia & Belarus

A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organisations located in Russia and Belarus. They are well versed in methods more generally used by cyber criminals for large-scale ransom attacks. 

Since the beginning of Ukraine's defence against Russian invasion forces, there have emerged numerous hacktivist groups whose main goal is not financial gain, but to cause as much damage as possible to companies on the opposing side of the conflict. Head Mare is one such group, likely comprising members of Ukraine's notorious cyber crime community, who have taken up the national struggle using criminal methods.

Researchers say that over the past year, at least 14 state-sponsored hacker groups from around the world have targeted Russia and some former Soviet Union members, Azerbaijan, Belarus, Kyrgyzstan, and Kazakhstan, with destructive or espionage campaigns. Some of these groups were likely linked to Ukraine, which is in an ongoing war with Russia; others acted in the interests of their own countries, including North Korea and China

Head Mare, active since 2023, is one of the hacktivist groups attacking Russian organisations since th failed Russian invasion oof Ukraine and the subsequent two years of of bloody conflict. Targets of the group's attacks include governments, transportation, energy, manufacturing, and environment sectors.

Belarus, a close ally of Russia, was rocked by mass protests after an election in 2020 that gave authoritarian President Alexander Lukashenko his sixth term in office, a vote that was denounced by the West and the opposition as fraudulent. The domestic protest was so severe that the government resorted to shutting down the internet and national mobile telecoms network in an effort to keep control. 

Locked & Encrypted Devices

Unlike other hacktivist groups that likely operate with an aim to disrupt operatioms and cause damage to companies in the two countries, Head Mare goes further, by encrypting victims' devices using well known and powerful ransomware tools including  LockBit for Windows and Babuk for Linux (ESXi), and demanding a ransom for data decryption.

PhantomCore (aka PhantomRAT), a predecessor to PhantomDL, is a remote access trojan with similar features, allowing for downloading files from the C2 server, uploading files from a compromised host to the C2 server, as well as executing commands in the cmd.exe command line interpreter.

Both the artefacts have been found to be distributed via phishing campaigns in the form of business documents with double extensions (e.g., решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe or тз на разработку.pdf.exe).

Another crucial component of its attack arsenal is Sliver, an open-source C2 framework, and a collection of various publicly available tools such as rsockstun, ngrok, and Mimikatz that facilitate discovery, lateral movement, and credential harvesting. 

The intrusions culminate in the deployment of either LockBit or Babuk depending on the target environment, followed by dropping a ransom note that demands a payment in exchange for a decryptor to unlock the files.

The Hacker News     |     Secure List     |     The Record     |     X.com     |     AP News     |     Kyiv Post

Image: Ideogram & Unsplash

You Might Also Read:

Cyberwar: Lessons From Ukraine:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Beware Of Online Rental Scams
Iranian Campaign Targets WhatsApp Users »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Pole SCS (Secure Communicating Solutions)

Pole SCS (Secure Communicating Solutions)

SCS is a world-class competitiveness cluster dedicated to digital technologies in the fields of Microelectronics, Internet Of Things, Digital Security, Artificial Intelligence And Big Data.

Exatel

Exatel

Exatel is Poland’s leading provider of ICT security services.

CYSEC SA

CYSEC SA

Cysec is equipped to deliver agile security solutions for the most challenging IT infrastructures around the world.

eXate

eXate

eXate provides pioneering technology that empowers organisations to protect, control and manage their sensitive data centrally, providing a complete data privacy solution.

Stratum Security

Stratum Security

Stratum Security is an information security consulting company that focuses on providing clear and concise risk guidance to its clients through high quality assessment services.

Cyphra

Cyphra

Cyphra’s team provide cyber security consulting, technical and managed services expertise and experience to support your organisation.

Guidehouse

Guidehouse

Guidehouse is a leading global provider of consulting services to the public and commercial markets with broad capabilities in management, technology, and risk consulting.

Securd

Securd

Securd takes opportunities away from your cyber adversaries. Cloud-delivered zero-trust DNS firewall and web filtering protection keep your business network and remote employees safe.

RKVST

RKVST

RKVST is a powerful tool that builds trust in multi-party processes when it’s critical to have high assurance in data for confident decisions.

Red Access

Red Access

Red Access provides the first SaaS-based platform to protect web browsing from cyber threats on any browser and any in-app while ensuring frictionless user experience.

Commvault

Commvault

Commvault's data protection and information management solutions help companies protect, access and use all of their data, anywhere and anytime.

Ironblocks

Ironblocks

Ironblocks is a pioneering cybersecurity firm that specializes in delivering comprehensive, end-to-end security solutions for the rapidly evolving Web3 ecosystem.

Keepit

Keepit

Keepit offer all-inclusive, secure, and reliable backup and recovery services for your data.

Trustack

Trustack

Trustack services cover connectivity, infrastructure services, security, unified comms, agile working and more. Our team of consultants deliver customised solutions tailored to your needs.

Xcede

Xcede

Xcede are global technology recruitment specialists. We connect companies with exceptional professionals who empower growth.

Redapt

Redapt

Redapt is an end-to-end technology solutions provider that brings clarity to a dynamic technical environment.