wp-plugin-hostgator domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home4/scienrds/scienceandnerds/wp-includes/functions.php on line 6114ol-scrapes domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home4/scienrds/scienceandnerds/wp-includes/functions.php on line 6114Source:https:\/\/techcrunch.com\/2023\/05\/15\/cybercriminals-who-targeted-ukraine-are-actually-russian-government-hackers-researchers-say\/<\/a><\/br> For years, Russian<\/span> government hackers have used several made-up personas<\/a> to hide their tracks and try to trick security researchers and government agencies into pointing the blame in the wrong direction.<\/p>\n They have pretended to be a lone Romanian hacktivist<\/a> called Guccifer 2.0 when they hacked the Democratic National Committee; unleashed a destructive malware<\/a> designed to look like run-of-the-mill ransomware; hid within the servers<\/a> used by an Iranian hacking group; claimed to be an Islamist hacking group called Cyber Caliphate<\/a>; hacked the 2018 Winter Olympics leaving breadcrumbs<\/a> that pointed to North Korea and China; and slipped false evidence within documents released as a hack and leak operation<\/a> supposedly carried out by an hacktivist group called Cyber Berkut.<\/p>\n Now, security researchers claim to have found a new Russian government false flag.<\/p>\n According to security researchers at BlackBerry, the cybercrime group known as Cuba Ransomware<\/a>, which was previously linked to a malware strain known as RomCom RAT, is not a cybercrime group at all. It\u2019s actually a group working for the Russian government targeting Ukrainian military units and local governments, the researchers said.<\/p>\n \u201cIt\u2019s a misleading attribution,\u201d said Dmitry Bestuzhev, senior director of BlackBerry\u2019s cyberthreat Intelligence team, referring to the links between RomCom RAT and Cuba. \u201cIt looks like it\u2019s just another unit working for the Russian government,\u201d he said.<\/p>\n The Russian Embassy in Washington, D.C. did not respond to a request for comment.<\/p>\n RomCom RAT is a remote access trojan first discovered by Unit 42<\/a>, the Palo Alto Networks security research group, in May 2022. The company\u2019s security researchers linked the malware to the Cuba gang, which has used ransomware against targets in the sectors of \u201cfinancial services, government facilities, healthcare and public health, critical manufacturing, and information technology,\u201d according to U.S. cybersecurity agency CISA<\/a>.<\/p>\n The name comes from the group itself, which used illustrations of Fidel Castro and Che Guevara<\/a> on its dark web site, although no researcher has ever found any evidence that the group has anything to do with the island nation.<\/p>\n RomCom RAT has reportedly used fake versions of popular apps<\/a> to target its victims, such as the password manager KeePass, the IT administration tool SolarWinds, Advanced IP Scanner and Adobe Acrobat reader. Over the last few months, according to Bestuzhev and his colleagues, RomCom RAT also targeted Ukrainian military units, local government agencies and Ukraine\u2019s parliament.<\/p>\n Bestuzhev explained that their conclusion is not just based on the targets, but also on the timing of the hackers\u2019 operations.<\/p>\n His team have tracked the group for a year and followed its trail through the internet. As part of their investigation, the researchers observed the hackers using different digital certificates to register the fake domains they used to plant malware on targets.<\/p>\n In one case, the researchers witnessed the hackers creating an Austria-presenting digital certificate to sign a booby-trapped website on March 23, a week before Ukraine\u2019s President Volodymyr Zelenskyy addressed the Austrian parliament<\/a> via video call.<\/p>\n The same pattern happened other times. When the RomCom RAT hackers mimicked a SolarWinds website in November 2022, it was around the time Ukrainian forces entered the besieged city of Kherson<\/a>. When the hackers mimicked Advanced IP Scanner in July 2022, it was just as Ukraine began deploying HIMARS rockets<\/a> supplied by the U.S. government. And then in March 2023, the hackers mimicked Remote Desktop Manager around the time Ukrainian pilots were getting trained to fly F-16 fighter jets<\/a>, and Poland and Slovakia decided to provide<\/a> Ukraine with military tech.<\/p>\n \u201cSo each time a major event happened, like something big in geopolitics, and especially on the military field, RomCom RAT was just there, just right there,\u201d Bestuzhev said.<\/p>\n Other security researchers, as well as the Ukrainian government itself, however, are still not fully convinced RomCom RAT and Cuba Ransomware are actually Russian government hackers.<\/p>\n Doel Santos, a senior researcher at Palo Alto Networks\u2019 Unit 42, said that the group behind the RomCom RAT malware is \u201cmore sophisticated than traditional ransomware groups,\u201d for its use of custom tools.<\/p>\n \u201cUnit 42 has seen the activity targeting Ukraine. There is an espionage angle with this and because of that, they could be getting direction from a nation state,\u201d Santos told TechCrunch. \u201cHowever, we don\u2019t know the extent of that relationship. It goes outside the normal activities of a ransomware group.\u201d<\/p>\n Still, Santos added, \u201csome groups moonlight to get additional work \u2014 this may be what we\u2019re seeing in this case.\u201d<\/p>\n Bestuzhev said he and his team have considered this possibility but have excluded it based on the hackers\u2019 persistence, the timing and targets of the attacks, which indicate their real goal is espionage and not crime.<\/p>\n A spokesperson for the State Special Communications Service of Ukraine<\/a>, or SSSCIP, said that one of RomCom RAT\u2019s operations in Ukraine<\/a> targeted users of a specific situational awareness software called DELTA, and \u201caccording to the target and used malware, it can be assumed that the goal was collecting intelligence from the Ukraine military.\u201d<\/p>\n \u201cBut there is not enough evidence to connect it with Russia (except the fact that Russia is the most interested government in such kind of information),\u201d an SSSCIP spokesperson added.<\/p>\n Mark Karayan, a spokesperson for Google\u2019s threat intelligence teams, who have been tracking the hacking group, said that \u201cour team can\u2019t confidently confirm or deny these findings without seeing [BlackBerry\u2019s] full research.\u201d<\/p>\n Bestuzhev said that his group doesn\u2019t plan on publishing all the technical details of their findings, in an attempt to not show their hand to RomCom RAT hackers, and prevent them from changing their strategies and techniques. This way, Bestuzhev explained, they can keep tracking the hackers and see what they do next.<\/p>\n The jury is still out on who\u2019s really behind RomCom RAT and Cuba Ransomware, but Bestuzhev and researchers from other companies will continue to keep an eye on the group.<\/p>\n \u201cThose guys, let\u2019s say, they know we know. We love each other. And so it\u2019s like a long-term relationship,\u201d Bestuzhev said, laughing.<\/p>\n Do you have more information about this hacking group? Or other hacking groups involved in the war in Ukraine? We\u2019d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via\u00a0SecureDrop<\/a>.<\/em><\/p>\n<\/p><\/div>\n <\/br><\/br><\/br><\/p>\n
\nCybercriminals who targeted Ukraine are actually Russian government hackers, researchers say<\/br>
\n2023-05-15 21:46:07<\/br><\/p>\n
\n