Crypter Sites Seized, Threat Intelligence Collaborations, and CrowdStrike Under Scrutiny

Each week, Information Security Media Group compiles significant occurrences in cybersecurity globally. This week saw Ukrainian hackers breach a Russian aerospace firm, coordinated cyberattacks from Russia amid the ongoing conflict, the seizure of multiple crypter sites, and U.S. prosecutors moving to seize the laundered salaries of North Korean IT workers. Regulatory investigations also surfaced involving CrowdStrike following a major outage, alongside a collaboration with Microsoft to standardize threat group nomenclature. Moreover, a Romanian national was convicted for a spree of swatting incidents, while Lee Enterprises reported a ransomware breach exposing sensitive data.
Ukrainian Hackers Target Russian Warplane Manufacturer Tupolev
Ukrainian military intelligence has reportedly infiltrated the systems of the United Aircraft Corporation, a prominent Russian aerospace company. The breach has resulted in the theft of 4.4 gigabytes of critical internal documentation and design plans linked to Russian bombers deployed in the ongoing conflict against Ukraine.
As reported by Interfax-Ukraine and the Kyiv Post, the cyber unit of Ukrainian Military Intelligence successfully appropriated sensitive data, suggesting that almost all operational secrets of Tupolev may now be effectively compromised. A source within Ukrainian intelligence articulated the significance of the gathered data, indicating major implications for both aerial and ground military operations.
This stolen data encompasses procurement records, minutes from confidential meetings, and personal information of Tupolev personnel. In a display of their cyber capabilities, the attackers also defaced the Tupolev website by superimposing an owl grasping an airplane, signaling a clear message of defiance.
Analysis indicates that the operation may have used methods matching the initial-access and persistence tactics catalogued in the MITRE ATT&CK framework, and that the intrusion likely involved extended reconnaissance to gather telemetry for future operations against other Russian defense firms.
Russia’s Evolving Cyber Strategy: Integration with Real-World Sabotage
As noted by Paul Chichester, director of operations at the UK’s National Cyber Security Centre, Russian cyber groups are increasingly blending digital sabotage with traditional military objectives. This strategic pivot reflects a commitment to more targeted cyber operations that align closely with operational military needs, particularly in the context of Ukraine.
This shift is evident in recent campaigns by Unit 26165 of Russia’s Main Intelligence Directorate, which targeted internet-connected surveillance systems at military facilities in Ukraine. Such cyber maneuvers are indicative of a broader tactic of leveraging cyber capabilities to support ground operations.
International Law Enforcement Escalates Efforts Against Malware Testing Platforms
In a concerted effort, agencies from the U.S., Netherlands, and France have taken down four prominent malware crypting sites—AVCheck.net, Crypt.guru, Cryptor.live, and Cryptor.biz. These platforms were essential for cybercriminals to modify malware signatures while preserving functional integrity, thereby undermining antivirus defenses.
This operation, part of the larger Operation Endgame campaign, illustrates a proactive stance against cybercriminal networks. The platforms, reportedly linked to notorious ransomware collectives like Ryuk, had been utilized for over a decade to test malware against cybersecurity measures.
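The crypter sites above sold the ability to re-encode a malware body so that static antivirus signatures no longer match. One cheap triage signal a defender can use against such payloads is that re-encoded bodies look like random data, so their Shannon entropy approaches the 8.0 bits-per-byte maximum. The following is an added example, not code from ISMG or from the seized platforms; the threshold, window size and both sample files are constructed for illustration.

```python
"""Entropy-based triage for packed or crypted payloads (added example, not ISMG's code).

Crypters re-encode a malware body so that static signatures no longer match.
A side effect is that the re-encoded payload looks like random data, so high
Shannon entropy over a file or a region of it is a well-known, cheap signal
that a defender can use to prioritise deeper inspection.
All sample inputs below are constructed for illustration.
"""
import math
from collections import Counter
from typing import Dict, List, Tuple

# Threshold chosen for illustration: 8.0 is the maximum for byte data,
# ordinary compiled code usually sits well below 7.0, while compressed
# or encrypted data sits close to 8.0.
SUSPICIOUS_ENTROPY = 7.2
WINDOW = 256  # bytes per fixed window for the per-region scan


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def high_entropy_regions(data: bytes, window: int = WINDOW,
                         threshold: float = SUSPICIOUS_ENTROPY) -> List[Tuple[int, int, float]]:
    """Scan `data` in fixed windows and return (offset, length, entropy)
    for every window whose entropy reaches the threshold."""
    flagged = []
    for offset in range(0, len(data), window):
        chunk = data[offset:offset + window]
        if len(chunk) < window // 2:  # ignore a tiny tail window
            continue
        ent = shannon_entropy(chunk)
        if ent >= threshold:
            flagged.append((offset, len(chunk), ent))
    return flagged


def triage(data: bytes) -> Dict[str, object]:
    """Summarise one file: overall entropy, flagged windows, and a verdict."""
    regions = high_entropy_regions(data)
    covered = sum(length for _, length, _ in regions)
    fraction = covered / len(data) if data else 0.0
    return {
        "overall_entropy": round(shannon_entropy(data), 3),
        "flagged_windows": len(regions),
        "flagged_fraction": round(fraction, 3),
        # The verdict is a triage hint, not proof: legitimately compressed
        # resources and signed installers also score high and need a second look.
        "verdict": "likely packed/crypted" if fraction >= 0.5 else "no strong packing signal",
    }


# --- Constructed samples (not real malware) ---------------------------------
# "Plain" sample: a short header followed by repetitive, text-like content,
# which is roughly how uncompressed code and data look entropy-wise.
PLAIN_SAMPLE = b"MZ" + (b"push ebp; mov ebp, esp; call helper; ret\n" * 64)

# "Crypted" sample: the same header followed by a body that cycles through
# every byte value uniformly, giving the maximal entropy of 8.0 that
# well-encrypted data also shows.
CRYPTED_SAMPLE = b"MZ" + bytes(range(256)) * 16


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("crypted", CRYPTED_SAMPLE)):
        print(name, triage(sample))
```

Run it as-is to see the two constructed samples scored; in practice the same `triage` call is applied to files pulled from mail gateways or endpoint quarantine, and the high-entropy verdict is used to route a sample to sandboxing rather than to block it outright, since compressed and encrypted legitimate files produce the same signal.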
U.S. Seizes $7.7 Million Linked to Laundered Salaries of North Korean IT Workers
Federal prosecutors have initiated steps to seize $7.74 million in cryptocurrency associated with North Korean operatives involved in laundering funds obtained through covert IT employment in Western firms. This revelation highlights the ongoing efforts by North Korea to convert digital earnings into hard currency to support its regime.
Regulatory Investigations into CrowdStrike’s July 2024 Outage
Regulators are currently scrutinizing CrowdStrike regarding a significant outage that disrupted operations for approximately 8.5 million systems last July. The inquiries, led by the U.S. Department of Justice and Securities and Exchange Commission, focus on the company’s revenue reporting practices and its engagement in transactions with specific clients.
Collaboration between CrowdStrike and Microsoft on Threat Group Naming
In a bid to streamline threat intel attributions, CrowdStrike and Microsoft have announced a partnership to establish consistent naming conventions for threat groups. This collaboration, likened to a “Rosetta Stone” for cyber threat designation, aims to reduce confusion in cyber threat intelligence, although challenges remain regarding industry-wide standardization.
Romanian National Admits Guilt in Swatting Conspiracy
A Romanian citizen has pleaded guilty in U.S. court to orchestrating a lengthy swatting scheme that targeted over 75 public officials and multiple organizations. The individual, identified as Thomasz Szabo, was involved in generating false emergency threats that prompted armed police reactions across the United States, significantly impacting public resources.
Data Breach at Lee Enterprises Exposes 40,000 Records
Lee Enterprises, a major U.S. newspaper publisher, has reported that a ransomware attack earlier in February compromised the personal data of nearly 40,000 individuals. The incident, characterized by network outages and operational disruptions, underscores the persistent threat of ransomware in the media industry.
FBI Veteran Cynthia Kaiser Joins Halcyon to Lead Ransomware Research
Cynthia Kaiser, a former FBI lead in cyber policy, is transitioning to the private sector to head the Ransomware Research Center at Halcyon. Her expertise reflects an ongoing wave of federal personnel shifts amid significant budgetary constraints facing federal cyber operations.
Reporting contributed by Information Security Media Group’s correspondents across the globe.