[BreachExchange] Cybercriminals Seek to Profit From Russia-Ukraine Conflict

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Wed Feb 23 10:55:56 EST 2022


https://www.securityweek.com/cybercriminals-seek-profit-russia-ukraine-conflict

Dark web threat actors are looking to take advantage of the tensions
between Russia and Ukraine, offering network access and databases that
could be relevant to those involved in the conflict, according to a new
report from Accenture.

Since mid-January, cybercriminals have started to advertise compromised
assets relevant to the Russia-Ukraine conflict, and they are expected to
increase their offering of databases and network access, with potentially
crippling effects for the targeted organizations.

Just over a month ago, soon after the destructive WhisperGate attacks on
multiple government, IT, and non-profit organizations in Ukraine, threat
actors started to advertise on the dark web access to both breached
networks and databases that allegedly contained personally identifiable
information (PII).

On February 2, an underground forum user was asking $160 for access to a
subdomain of a Ukrainian agricultural exchange. The threat actor claimed to
have shell and database access to the subdomain, as well as access to
payment information and contracts.

That level of access, Accenture notes, allows an attacker to “obtain PII
and payment card data, resell exfiltrated data, deploy malicious software
such as ransomware, deface websites on the affected subdomain, or possibly
even disrupt active exchanges and trades.”

Starting in late January 2022, threat actors have been offering on a Tor
website five databases named “gov.ua,” which allegedly contain the
personal information of Ukrainian citizens harvested from Ukrainian
government sites. As of February 10, two of the databases appear to have
been sold.

Also in late January, an underground forum user shared a SQL database
supposedly stolen from a Ukrainian federal agency, which allegedly contains
detailed information on wanted criminals. According to another user,
however, the data is publicly available on a Ukrainian government website.

On January 23, another forum user started offering for sale over 70
administrator accounts at a Ukrainian bank and advertised 220 email
addresses along with alleged vulnerabilities in the systems of a Ukrainian
energy sector investor. In other posts, the same user claimed to have
discovered vulnerabilities at biotechnology companies, US banks, and UK
telecommunications organizations.

On January 22, an underground forum user started advertising personal
information of Ukrainian citizens and also provided a link for interested
buyers to download a sample of the data, as proof of legitimacy.

Some of these threat actors appear to have high credibility, being endorsed
by other users on the same underground forums, which suggests that some of
these claims might be legitimate. Others, however, do not have the same
level of feedback, making it difficult for security researchers to assess
the credibility of their claims.

“Nation-state actors could purchase and leverage network access to critical
infrastructure organizations, such as telecommunications or energy
organizations, as well as banks. They could use the accesses with
asymmetrical tactics to cause disruptions, including depriving users of
interconnectivity, energy, or financial transactions, if timed correctly,”
Accenture notes in its report.