Gabby Roncone 🇺🇦 🇵🇸 (@gabby_roncone)'s Twitter Profile

@gabby_roncone

hunting russian apt cyber ops @Mandiant @GoogleCloud. views expressed here are mine, not my employer’s. she/her.

ID:790955981014433792

Joined 25-10-2016 16:39:35

3,3K Tweets

4,6K Followers

1,2K Following

John (@Big_Bad_W0lf_):

Must read from CERT-UA on UAC-0133 (APT44/Sandworm) targeting UA critical infrastructure. Extremely notable callout from CERT-UA that this was likely in prep for sabotage operations in conjunction with missile strikes on Ukrainian infra in the spring of 2024.

cert.gov.ua/article/6278706

Dan Black (@DanWBlack):

'Malicious software QUEUESEED (ICYWELL) and GOSSIPFLOW were used in the context of destructive cyber attacks by UAC-0133 on water supply facilities, in particular, using SDELETE. Thus, with a high level of confidence, UAC-0133 is a subcluster of UAC-0002 (Sandworm/APT44).'

The Associated Press (@AP):

BREAKING: A Polish man was arrested in relation to an alleged Russian plot to assassinate Ukraine’s President Volodymyr Zelenskyy, Polish prosecutors said. apnews.com/article/poland…

Anne Applebaum (@anneapplebaum):

Massive protests in Georgia against a Russian-style law that could be used to label political opponents as 'foreign agents'

⚛️ Marcin Siedlarz (@siedlmar):

🚨 RooCon24 news 🚨
Save the date for the next edition of the RooCon24 🦘 conference in the Google office in Sydney. On the 5th of November, we're going to provide top content focused on attribution and threat research. Stay tuned for more info and the CFP process announcement. ✌️

John Hultquist (@JohnHultquist):

Thinking about this one a lot today. If they're willing to do it physically, don't expect much restraint in the cyber realm.

JD Work (@HostileSpectrum):

A note on analytic distinctions: APT44 / SANDWORM / VOODOO BEAR is not merely a sabotage unit, although this is among their missions. They are also a cyberwarfare unit, in both Russian and US doctrine. Let us not forget what they intend when they come out to fight.

Dan Black (@DanWBlack):

Hopefully not lost in the noise today: a report from WithSecure™ on Kapeka, an APT44 toolset we track as COLDWELL (dropper) and ICYWELL (backdoor).

Some detection rules in the fresh APT44 report, but be sure to read their detailed analysis below first.

labs.withsecure.com/publications/k…

780th Military Intelligence Brigade (Cyber) (@780thC):

Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm | Given the active and diffuse nature of the threat posed by Sandworm globally, Mandiant has decided to graduate the group into a named Advanced Persistent Threat: APT44. cloud.google.com/blog/topics/th…
