Eurovision Fact #200:

The 2022 Eurovision Song Contest and various Italian institutions' websites faced cyber attacks in the wake of the competition.

Russian hacker group Killnet targeted the Italian institutions on May 11th. Those impacted included the Ministry of Defense and the Senate.

Moreover, the official Eurovision website and the platform used for voting in the contest were also targeted. There were also attacks during the First Semi-Final (where Ukraine performed) and the Grand Final, but all were unsuccessful and had no impact on the competition.

Killnet sent out detailed lists of their actions and various other messages regarding the attacks on a Telegram group (See image above). Additionally, In the above image, the group refers to 'Mirai,' which is an old virus that takes control of things like surveillance systems that are connected to the infected network. This was essentially a threat to the nations' security systems.

[Sources]:

'Eurovision 2022: il sito dell’evento nel mirino degli hacker filorussi,' eurofestivalnews.com.

'Eurovision 2022: Russian vote hacking attempt foiled, police say,' BBC.com.

'Hacker-Attacken auf ESC-Finale abgewehrt,' Eurovision.de.

'Eurovision 2022, la Polizia sventa attacchi hacker ai sistemi di rete della rassegna,' eurofestivalnews.com.

'Pro-Russian hackers target Italy institutional websites -ANSA news agency,' Reuters.com.

'Pro-Russia 'Killnet' hackers target Italian institutions,' dw.com.

'Su Telegram la rivendicazione di Killnet: «Italia e Spagna, forse è l’inizio della vostra fine»,' gironalettismo.com.

El grupo de hackers ruso Killnet apoyó a Hamás y comentó sobre la situación en Israel:

“Gobierno de Israel, usted tiene la culpa de este derramamiento de sangre. Incluso en 2022 usted apoyó al régimen terrorista de Ucrania. Traicionaste a Rusia. ¡Hoy, Killnet os informa oficialmente! ¡Todos los sistemas del gobierno israelí estarán expuestos a nuestros ataques!

Killnet Targets Healthcare Azure Resources

Russian based threat actor Killnet has been observed targeting healthcare applications hosted using the Microsoft The post Killnet Targets Healthcare Azure Resources appeared first on TheCyberThrone.Killnet Targets Healthcare Azure Resources

View On WordPress

EU Parliament Website Attacked After MEPs Slam Russian 'Terrorism'

EU Parliament Website Attacked After MEPs Slam Russian ‘Terrorism’

Home › Cyberwarfare EU Parliament Website Attacked After MEPs Slam Russian ‘Terrorism’ By AFP on November 23, 2022 Tweet The European Parliament website was hit by a cyberattack claimed by pro-Russian hackers Wednesday shortly after lawmakers approved a resolution calling Moscow a “state sponsor of terrorism”. “The European Parliament is under a sophisticated cyberattack. A pro-Kremlin group has…

View On WordPress

Российская кибератака Killnet остановила Варшавскую фондовую биржу

Российская кибератака Killnet остановила Варшавскую фондовую биржу

24.10.2022 18:30 Евгения Маркова Российская кибератака Killnet остановила Варшавскую фондовую биржу Хакеры российской группировки Killnet атаковали сайт Варшавской фондовой биржи, о чем они заявили в своем телеграм-канале. Официальный сайт Варшавской фондовой биржи заблокирован, как и личные кабинеты брокеров. Варшавская фондовая биржа — одна из крупнейших фондовых бирж в Центральной и Восточной…

View On WordPress

How Putin uses shadowy army of hacking geeks from the ‘Fancy Bears’ to ‘KillNet’ gang who’ve besieged NHS & Royal Family | In Trend Today

How Putin uses shadowy army of hacking geeks from the ‘Fancy Bears’ to ‘KillNet’ gang who’ve besieged NHS & Royal Family Read Full Text or Full Article on MAG NEWS

View On WordPress

How Putin uses shadowy army of hacking geeks from the ‘Fancy Bears’ to ‘KillNet’ gang who’ve besieged NHS & Royal Family | In Trend Today

How Putin uses shadowy army of hacking geeks from the ‘Fancy Bears’ to ‘KillNet’ gang who’ve besieged NHS & Royal Family Read Full Text or Full Article on MAG NEWS

View On WordPress

Looks like the group targeting AO3 who've identified themselves as Anonymous Sudan probably have nothing whatsoever to do with Sudan and are either funded and trained by the Russian government or are straight up a cover for Russian cyber attacks.

The main things that seem to be leading cybersecurity experts to this conclusion:

The tactics line up with the methods of the Russian backed KillNet hacker group

The targets line up with Russian government interests

And the resources used to carry out attacks are expensive and require significant funding.

This does lead to an interesting question of why AO3 of all sites was selected, if I had to guess (and unlike the notes above, this is just me guessing and not backed up by experts) I'd say that there are two things that make AO3 an effective target: There's a large amount of traffic, and it fits the cover.

Attacking a target that doesn't necessarily directly benefit the Russian state's interests helps blur the trail, and making sure that the target has a large userbase means that the cover gets spread to a large amount of people quickly.

This is actually part of the reason I'm making this post. Spreading awareness of the source of the attack actually weakens the attack, and if we spread the word far enough that Anonymous Sudan is actually the Russian government we can make the attack an actual failure by revealing the cover instead of helping secure it.

Here's an article that goes more in-depth on Anonymous Sudan if you want to know more details:

I'll just leave this 👇 here... You Decide 🤔

Killnet puts European banks on notice. “You have 48 hours”

Fuck it. I’m going to detail Anonymous Sudan. This is going to be a long one, folks. If you’re curious, peak under the cut.

First off. Anonymous Sudan is not Sudanese. They are Russian. I’m going to referencing this report quite a bit, mostly because it’s very thorough and details it in a way the average person can understand. You’re also going to need to understand who Killmilk/Killnet is. I’ve seen chatter that “milk” is a Russian slur towards Ukrainians (which fits, given the war), but I can’t confirm or deny it.

Why is this Russian hacker group targeting a fanfic site and why are they trying to pretend to be Sudanese hackers?

They want money. A Bitcoin wallet filled with $30,000 USD, to be exact. Per my converter, that would be roughly 0.98 Bitcoin. American dollars go very far in Russian, especially if they are converted into something that is very hard to trace. Why are they using language of religious extremists? Because Russia is wildly homophobic as a nation and they want to make your life harder/ruin your day. Also, Ao3 is a soft target because it owns its own servers. In short, they are trolls who want money.

I’m pretty sure that Killmilk doesn’t care that Ao3 hosts gay fanfic. If he did, he wouldn’t be fucking around with Google translate like that. He just wants to make you angry and make you say stupid things on the internet that is going to make your life harder. Seriously, guys. Don’t fall into the trap, please? Don’t feed the trolls.

Yes, the English in the first screenshot came from Google translate. How do I know?

Well, a long time ago (2016-ish), it was a thing in the Warrior Cats fandom to take quotes from the book, feed it into several languages via Google Translate, and laugh at the results. Google Translate is not a 1:1 translation service. It guesses. A lot.

My gut feeling? The text went from Russian, to Arabic, to English, with Google Translate guessing each time (based on a previous guess) the words are translated. That’s how what I’m guessing was “porn” turned into “smut” and what was probably a slur turned into “LGBTQ+”. Google Translate does not like translating slurs and has been known to substituting what it thinks are less offensive words.

So how do we know they are Russian?

They hang out on Telegram, an app known to be used by Russian interests. They also posted purely in Russian until they fucked with Microsoft. Then, they switched to Arabic.

Here’s the kicker, though. Anonymous Sudan isn’t using Sudanese Arabic, English, or Nobiin. They’re using Modern Standard Arabic. Google Translate does not give you the option for Sudanese Arabic. It gives you the option for Nobiin (labeled as “Sudanese”), but not Sudanese Arabic.

In short, these guys are using the first likely language that pops up on Google Translate and hitting “enter”. Google Translate is free, easy, and looks right.

They also have ties to Killmilk/Killnet. Killmilk/Killnet has ties to the Wagner Group and the Kremlin. They are very bad people, doing very bad things.

So why did they do it?

They needed money. 30k USD in Russia buys you a lot of arms and ammunition. They went for a site that a lot of people use, that has flaws allowing for a DDOS attack, and waited to see if people would pay the ransom.

No, this is not a false flag by Ao3. Anonymous Sudan is a known entity with a known MO and a known habit of attacking Western sites. I know y’all hate Ao3, but please do some digging. Critical thinking is not the enemy.

US Airport Websites Hit by Suspected Pro-Russian Cyberattacks

US Airport Websites Hit by Suspected Pro-Russian Cyberattacks

Home › Incident Response US Airport Websites Hit by Suspected Pro-Russian Cyberattacks By AFP on October 10, 2022 Tweet The websites for a number of major US airports were briefly taken offline Monday after a cyberattack promoted by a pro-Russian hacking group. The distributed denial of service (DDoS) attacks hit the airport websites of several major US cities including Atlanta, Chicago, Los…

View On WordPress

Russia's APT28 Cyber Espionage Group Targets Czechia, Germany Using Outlook Exploit

Czechia and Germany have exposed a long-running cyber espionage campaign conducted by the notorious Russia-linked APT28 hacking group, drawing harsh criticism from international organizations like the European Union (EU), the North Atlantic Treaty Organization (NATO), the United Kingdom, and the United States. The Czech Republic's Ministry of Foreign Affairs revealed that certain entities within the country were targeted using a critical Microsoft Outlook vulnerability (CVE-2023-23397), allowing Russian state-sponsored hackers to escalate privileges and potentially gain unauthorized access. Germany Accuses APT28 of Targeting Social Democratic Party Similarly, Germany's Federal Government attributed the APT28 threat actor, also known as Fancy Bear, Pawn Storm, and Sofacy, to a cyber attack aimed at the Executive Committee of the Social Democratic Party, exploiting the same Outlook flaw over a "relatively long period" to compromise numerous email accounts. The targeted industries spanned logistics, armaments, air and space, IT services, foundations, and associations located in Germany, Ukraine, and other European regions. Germany also implicated APT28 in the 2015 cyber attack on the German federal parliament (Bundestag). Widespread Condemnation of Russia's Malicious Cyber Activities NATO stated that Russia's hybrid actions "constitute a threat to Allied security," while the Council of the European Union condemned Russia's "continuous pattern of irresponsible behavior in cyberspace." The UK government described the recent APT28 activity, including targeting the German Social Democratic Party, as "the latest in a known pattern of behavior by the Russian Intelligence Services to undermine democratic processes across the globe." The US Department of State acknowledged APT28's history of engaging in "malicious, nefarious, destabilizing and disruptive behavior," and reiterated its commitment to upholding a "rules-based international order, including in cyberspace." Disruption of APT28's Criminal Proxy Botnet Earlier in February, a coordinated law enforcement action disrupted a botnet comprising hundreds of SOHO routers in the US and Germany believed to have been used by APT28 to conceal their malicious activities, such as exploiting CVE-2023-23397 against targets of interest. Cybersecurity researchers warn that Russian state-sponsored cyber threats, including data theft, destructive attacks, DDoS campaigns, and influence operations, pose severe risks to upcoming elections in regions like the US, UK, and EU, with multiple hacking groups like APT28, APT44 (Sandworm), COLDRIVER, and KillNet expected to be active. Securing Critical Infrastructure from Pro-Russia Hacktivist Attacks Government agencies from Canada, the UK, and the US have released a joint fact sheet to help critical infrastructure organizations secure against pro-Russia hacktivist attacks targeting industrial control systems (ICS) and operational technology (OT) systems since 2022, often exploiting publicly exposed internet connections and default passwords. The recommendations include hardening human-machine interfaces, limiting internet exposure of OT systems, using strong and unique passwords, and implementing multi-factor authentication for all access to the OT network. Read the full article