Russian Military Threat Group Linked to Ransomware Attacks in Ukraine

A malicious campaign against logistics and transportation organizations in Ukraine and Poland using Prestige ransomware has recently been attributed to a team of expert Russian military hackers.

The perpetrators focused on the victims’ enterprise networks, targeting them with ransomware payloads, a tactic that hasn’t been frequently used against Ukrainian organizations. Furthermore, the attacks seem to follow a pattern similar to previous Russia-backed hacking activities.

“As of November 2022, MSTIC assesses that IRIDIUM very likely executed the Prestige ransomware-style attack,” Microsoft’s security advisory reads. “IRIDIUM is a Russia-based threat actor tracked by Microsoft, publicly overlapping with Sandworm, that has been consistently active in the war in Ukraine and has been linked to destructive attacks since the start of the war.”

Based on various metrics such as victimology, tradecraft, forensic artifacts, capabilities and infrastructure, Microsoft’s Security Threat Intelligence (MSTIC) researchers believe the campaign may have been launched by Sandworm, a Russian state-backed hacker group.

Previous reports have shown that, even though the campaign used similar techniques, it distinguishes itself from other recent destructive attacks such as HermeticWiper and AprilAxe (CaddyWiper).

Sandworm, also known as Voodoo Bear, BlackEnergy and TeleBots, is an Advanced Persistent Threat (APT) group allegedly operating out of Unit 74455 of Russia’s military GRU.

The US indicted in October 2020 six GRU 74455 officers associated with the Sandworm APT for numerous malicious operations, including:

• KillDisk wiper campaign against Ukrainian banks
• Attacks against Ukrainian electrical companies and government organizations that led to blackouts in 2015 and 2016
• The infamous NotPetya ransomware campaign in 2017
• Targeting the French presidential campaign in 2017
• Attacks against the Winter Olympic Games using the Olympic Destroyer malware in 2018
• Attacking the Organization for the Prohibition of Chemical Weapons in 2018
• Attacks targeting the country of Georgia in 2018 and 2019

Dedicated software solutions such as Bitdefender Ultimate Security can shield you against ransomware and other cyberthreats with features like:

• Continuous, all-around protection against Trojans, worms, viruses, ransomware, spyware, rootkits, zero-day exploits and other e-threats
• Multi-layer ransomware protection that protects your documents against all kinds of ransomware attacks
• Network threat prevention module that monitors and blocks suspicious network-level activities
• Behavioral detection technology that monitors active apps and blocks any potentially harmful activity it detects