Hackers Attack Russia & Belarus

A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organisations located in Russia and Belarus. The group is well versed in methods more commonly used by cyber criminals in large-scale ransomware attacks.

Since the beginning of Ukraine's defence against Russian invasion forces, there have emerged numerous hacktivist groups whose main goal is not financial gain, but to cause as much damage as possible to companies on the opposing side of the conflict. Head Mare is one such group, likely comprising members of Ukraine's notorious cyber crime community, who have taken up the national struggle using criminal methods.

Researchers say that over the past year, at least 14 state-sponsored hacker groups from around the world have targeted Russia and several former Soviet Union members, namely Azerbaijan, Belarus, Kyrgyzstan, and Kazakhstan, with destructive or espionage campaigns. Some of these groups were likely linked to Ukraine, which is in an ongoing war with Russia; others acted in the interests of their own countries, including North Korea and China.

Head Mare, active since 2023, is one of the hacktivist groups that have been attacking Russian organisations since the failed Russian invasion of Ukraine and the subsequent two years of bloody conflict. Targets of the group's attacks include the government, transportation, energy, manufacturing, and environment sectors.

Belarus, a close ally of Russia, was rocked by mass protests after an election in 2020 that gave authoritarian President Alexander Lukashenko his sixth term in office, a vote that was denounced by the West and the opposition as fraudulent. The domestic protest was so severe that the government resorted to shutting down the internet and national mobile telecoms network in an effort to keep control. 

Locked & Encrypted Devices

Unlike other hacktivist groups, which likely operate with the aim of disrupting operations and causing damage to companies in the two countries, Head Mare goes further by encrypting victims' devices using well-known and powerful ransomware tools, including LockBit for Windows and Babuk for Linux (ESXi), and demanding a ransom for data decryption.

PhantomCore (aka PhantomRAT), a predecessor to PhantomDL, is a remote access trojan with similar features, allowing for downloading files from the C2 server, uploading files from a compromised host to the C2 server, as well as executing commands in the cmd.exe command line interpreter.

Both artefacts have been found to be distributed via phishing campaigns in the form of business documents with double extensions (e.g., решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe or тз на разработку.pdf.exe), so that the file appears to be a PDF while actually being an executable.
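As an added illustration (not code from the article or the researchers it cites), the following filter flags attachment names that use the double-extension trick described above; it is run over the two names quoted in the article plus some constructed benign names. The executable and document extension lists are assumptions and not exhaustive.

```python
from typing import Dict, List, Optional

# Extensions Windows will execute as code (assumed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js",
                   ".vbs", ".ps1", ".msi", ".pif", ".hta"}
# Document/image extensions typically used as the decoy part of the name.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt",
                 ".pptx", ".txt", ".rtf", ".jpg", ".png"}


def split_extensions(filename: str) -> List[str]:
    """Return every dot-separated extension of a name, lower-cased.
    'a.pdf.exe' -> ['.pdf', '.exe']; works for Windows or POSIX paths."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2:
        return []
    return ["." + p.lower() for p in parts[1:]]


def classify_attachment(filename: str) -> Optional[str]:
    """Return a reason string if the name is a double-extension lure, else None.
    Only the final extension decides how Windows opens the file, so a name is
    suspicious when that one is executable and an earlier one is a document."""
    exts = split_extensions(filename)
    if len(exts) < 2:
        return None
    last, earlier = exts[-1], exts[:-1]
    if last in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in earlier):
        return f"executable {last} disguised as {earlier[-1]} document"
    return None


def scan(attachments: List[str]) -> Dict[str, str]:
    """Map each flagged attachment name to the reason it was flagged."""
    return {n: r for n in attachments if (r := classify_attachment(n))}


# Constructed sample: the first two names are the ones quoted in the article.
SAMPLE_ATTACHMENTS = [
    "решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe",
    "тз на разработку.pdf.exe",
    "quarterly_report.pdf",        # benign single extension
    "setup.exe",                   # executable, but not disguised
    "C:\\Users\\u\\Downloads\\invoice.PDF.EXE",  # case variant with a path
    "backup.tar.gz",               # double extension, but neither part is a lure
]
```

Running `scan(SAMPLE_ATTACHMENTS)` flags the two article names and the `invoice.PDF.EXE` variant while leaving the archive and the plain executable alone; the same check can be applied to mail-gateway attachment logs or EDR file-creation events.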

Another crucial component of its attack arsenal is Sliver, an open-source C2 framework, and a collection of various publicly available tools such as rsockstun, ngrok, and Mimikatz that facilitate discovery, lateral movement, and credential harvesting.

The intrusions culminate in the deployment of either LockBit or Babuk depending on the target environment, followed by dropping a ransom note that demands a payment in exchange for a decryptor to unlock the files.

The Hacker News     |     Secure List     |     The Record     |     X.com     |     AP News     |     Kyiv Post

Image: Ideogram & Unsplash
