The Moloch

The Moloch is a new journalism project for tracking technology-related happenings in OSINT, InfoSec, and Conflict spaces.

19/01/2024

Falling into a pattern of escalation by Iran-backed actors in every domain, it’s been established that Iran has massively mobilized in cyberspace. This Recorded Future piece discusses recent social engineering campaigns by Iranian APT 35 (Charming Kitten) against various MENA experts:
https://therecord.media/microsoft-iranian-hackers-high-profile-experts

17/01/2024

In a sophisticated cyber espionage attack targeting the Indian Air Force, Cyble Research and Intelligence Labs identified a Go Stealer malware variant distributed via a ZIP file named “SU-30_Aircraft_Procurement,” exploiting the Indian Defense Ministry's recent procurement of Su-30 MKI fighter jets. This malware, hosted on an anonymous file storage platform, initiates its attack through a deceptive infection chain involving a .lnk file and a decoy PDF, ultimately deploying a stealer payload to harvest login credentials and cookies from targeted browsers. Uniquely, this variant, based on an open-source Go stealer from GitHub, has been enhanced to exfiltrate data using Slack, blending malicious activities with regular business traffic for covert communication. This targeted approach, focusing on specific browsers and utilizing sophisticated tactics like masquerading and deobfuscation, underscores its intent to gather sensitive information from Indian Air Force professionals. The campaign's complexity, selective targeting, and exploitation of recent defense procurement events highlight its potential role in targeted espionage or cyber warfare activities.

https://cyble.com/blog/cyber-espionage-attack-on-the-indian-air-force-go-based-infostealer-exploits-slack-for-data-theft/

https://therecord.media/indian-air-force-infostealing-malware

29/12/2023

The Cactus Ransomware group targeted seven organizations in the past 24 hours. The group has had 85 confirmed victims since September of this year and is considered one of the fastest-growing threat actors in the space.
Targeted since yesterday:

Tridon 🇦🇺
DBM Group 🇺🇲
Coop 🇸🇪
Bell 🇬🇧
Bachoco 🇲🇽
PBS 🇨🇦
GDI 🇨🇦

29/12/2023

In the past 24 hours, Russia launched a massive missile attack that killed at least twelve people. During this time, some object crossed the border into Poland.

29/12/2023

NoName057(16) is claiming to have DDoS’d several Finnish websites in response to the Defense Cooperation Agreement signed between the US and Finland on Monday.

27/12/2023

Day 1 of Chaos Communication Congress + my chosen agenda

26/12/2023

LockBit claimed at least three victims today, one each in Australia, the US, and France. Despite possibly crossing authorities in their home country (Russia) over the past few months, it doesn’t seem that LockBit is slowing down. Their recent collaboration with the flagging AlphV ransomware group is also telling. LockBit might be a contender for non-state actor number 1 in 2024.

26/12/2023

🚨 The Mantis Botnet has recently re-appeared, with confirmed attacks on Russian targets and claims of several others. So far it’s been confirmed that they were able to take down the portal of Aliexpress Russia and, perhaps more concerningly, that of DDoS-Guard and Securitylab.

The Mantis Botnet was called the “most powerful botnet to date” in the summer of 2022. https://blog.cloudflare.com/mantis-botnet/

There has been a huge spike in activity from the group over the last two days, with claimed targets in Germany, the US, and the Netherlands.

13/06/2023

They just went after Iceland's government websites, as well.

For the past 24 hours, Swiss government and infrastructure websites have been crippled by a series of distributed denial-of-service (DDoS) attacks, claimed by a pro-Russian hacking group known as ‘NoName057(16)‘. The ongoing attacks are occurring just days ahead of a scheduled video address to t...

29/04/2023

From Killnet To Killnet PMHC

The infamous pro-Kremlin hacktivists have moved to a hired-gun (with restrictions) model.

"We continue our destructive activities, for the glory of our homeland," says an official statement by Russian cybercriminals, Killnet, on their Telegram channel.

11/03/2023

https://themoloch.com/osint/an-anecdote-about-maintaining-an-index-of-suspicion-when-analyzing-hacktivist-spaces/

First attempt at an op-ed. A little insight into my process and some of my frustrations when investigating cyber happenings.

Verification is an essential principle in all journalism, but perhaps doubly so when delving into a world of questionable legality in online spaces. Finding leads on a cybercrime or cyberwarfare beat can be as simple as following some sketchy communication channels and seeing what makes waves in the...

05/03/2023

https://themoloch.com/infosec/dark-web-card-shop-bidencash-dumps-free-card-numbers-and-pii-of-2-1-million-victims/

February 28th marked the one year anniversary of infamous Dark Web credit card shop, BidenCash. To celebrate, the group released a free text dump earlier this week of 2.1 million compromised cards on Russian-speaking darknet board, XSS.

12/02/2023

https://themoloch.com/conflict/western-asia/darkbit-claims-responsibility-for-ransomware-attack-on-technion-israel-institute-of-technology-in-haifa/

A new threat actor, DarkBit, is claiming responsibility for a massive ransomware attack against the Technion, a prominent Israeli technical institution. They claim their motivation is political, though there's speculation of Iranian involvement.

The Technion Israel Institute of Technology in Haifa experienced a cyber attack on its computer servers, causing its website to go down and students to be asked to log off. The hacker group, Darkbit, demanded 80 bitcoins, equivalent to $1,747,971, from the institute.

07/02/2023

North Korean hackers have recently targeted the Indian medical sector and the energy sector, according to a report from cybersecurity firm WithSecure.

05/02/2023

https://themoloch.com/news/chatgpt-increases-profile-for-ai-assisted-cyber-attacks-backberry-global-research-suggests/

An article released this week from BlackBerry Global Research suggests that OpenAI's ChatGPT may already be utilized in nation-state cyberattacks.

In a poll of 1,500 “IT decision makers”, it was assessed that 51% of respondents believe there will be a successful cyberattack credited to ChatGPT within the year, and 95% felt that governments needed to regulate similar technologies.

06/10/2022

I've finally begun my coverage of

While this article only scratches the surface of the efforts hacktivists have made, I hope it can open a few eyes to the power today's keyboard warriors truly have.

Iran has erupted in protest after the brutal September 16th killing of Jina (or Mahsa) Amini. The Iranian government has had an extreme response: violent crackdowns, missile attacks on Iraqi Kurdistan, and a near-complete cutoff of its citizenry from any global communications. The reply from the Hac...

15/09/2022

https://themoloch.com/conflict/azerbaijan-continues-to-engage-armenia-jermuk-and-verin-shorzha-see-no-slowdown-despite-ceasefire/

According to the Armenian Ministry of Defense, attacks by Azerbaijan were still ongoing as of 0800 local time, despite the Russian claim of a ceasefire.

The strikes come as a continuation of the artillery, UAV, and mortar attacks first reported at 0005 local time (GMT +4) on Tuesday, September 13th. While there have been a number of flare-ups in the Karabakh region since the end of the nations’ six-week war in 2020, this week’s attacks are unique in that they target locations on the Armenian side of the border, away from any contested territory.

07/09/2022

Teaser for a topic I'll be digging into next week. The world has seen a massive proliferation in terrestrial unmanned weapons systems. The "robo dogs" have come a long way.

24/08/2022

How does an army lacking in equipment, ammunition, and time adequately counteract a force with more destructive capability and far greater numbers? They made an app.

https://helpushelp.charity
For anyone looking to help people impacted by the war, consider Help Us Help. They focus on children and veterans who have been harmed or displaced.

Since the earliest days of Ukraine's war with Russia and its proxies, it has relied on the force multiplying impact of GIS Arta software.
