Microsoft Blames Russian Hackers for Prestige Ransomware Attacks on Ukraine and Poland


Microsoft on Thursday attributed the latest spate of ransomware incidents targeting transportation and logistics sectors in Ukraine and Poland to a threat cluster that shares overlaps with the Russian state-sponsored Sandworm group.

The attacks, which were disclosed by the tech giant last month, involved a strain of previously undocumented malware called Prestige and are said to have taken place within an hour of each other across all victims.

The Microsoft Threat Intelligence Center (MSTIC) is now tracking the threat actor under its element-themed moniker Iridium (née DEV-0960), citing overlaps with Sandworm (aka Iron Viking, TeleBots, and Voodoo Bear).

“This attribution assessment is based on forensic artifacts, as well as overlaps in victimology, tradecraft, capabilities, and infrastructure, with known Iridium activity,” MSTIC said in an update.

The company further assessed the group to have orchestrated compromise activity targeting many of the Prestige victims as far back as March 2022, before culminating in the deployment of the ransomware on October 11.

The method of initial compromise still remains unknown, although it is suspected to have involved gaining access to the highly privileged credentials necessary to activate the kill chain.

“The Prestige campaign may highlight a measured shift in Iridium’s destructive attack calculus, signaling elevated risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine,” the company said.

The findings come over a month after Recorded Future linked another activity group (UAC-0113) with ties to the Sandworm actor to a campaign that singled out Ukrainian users by masquerading as telecom providers in the country to deliver backdoors onto compromised machines.

Microsoft, in its Digital Defense Report published last week, further called out Iridium for its pattern of targeting critical infrastructure and operational technology entities.


“Iridium deployed the Industroyer2 malware in a failed effort to leave millions of people in Ukraine without power,” Redmond said, adding that the threat actor used “phishing campaigns to gain initial access to desired accounts and networks in organizations inside and outside Ukraine.”

The development also arrives amid sustained ransomware attacks aimed at industrial organizations worldwide during the third quarter of 2022, with Dragos reporting 128 such incidents during the period compared to 125 in the previous quarter.


“The LockBit ransomware family accounted for 33% and 35% respectively of the total ransomware incidents that targeted industrial organizations and infrastructures in the last two quarters, as the groups added new capabilities in their new LockBit 3.0 strain,” the industrial security firm said.

Other prominent strains observed in Q3 2022 include Cl0p, MedusaLocker, Sparta, BianLian, Donuts, Onyx, REvil, and Yanluowang.
