Russian Hackers Archives

Russian hackers are using a fake PDF decryption tool to trick innocent PC users into downloading Spica, a new strain of malware.

Discovered by Google’s Threat Analysis Group (TAG), Spica is a backdoor malware which has not been identified previously. It’s believed that the malware is the result of ColdRiver, a Russian hacking team with a proven track record in deploying malware. The attack, as with so many contemporary threats, is delivered by email and relies on malicious PDF files. Now, with close to 350 billion emails sent per day in 2023, it’s clear that email is hugely popular. And it’s estimated there are 2.5 trillion PDF files currently in circulation. Therefore, the chances of your business running into a similar attack is high.

The Threat of Spica

The Spica attack begins when the threat actors send a series of PDF files to their targets. Using phishing email techniques, they attempt to trick the targets into believing that these have been sent by legitimate contacts. These files appear encrypted and, if the target bites, they will email back to say they can’t open the files. This is where the threat actors are able to launch their payload.

By sending a malicious link back to the target, the threat actors can trick them into downloading what they claim is a decryption tool. However, this executable tool – going under the name of Proton-decryptor.exe – is far from helpful. Instead, it will provide backdoor access to the target’s PC. With this access in place, the malware can communicate with a control-and-command server to receive further instructions.

And Spica comes loaded with a wide range of weaponry. As well as being capable of launching internal shell commands on the infected PC, it’s also programmed to steal browser cookies, send and receive files, and create a persistent presence on the machine. Google believes that there are multiple variants of Spica, and the current targets of the malware seem to be high ranking officials in non-governmental organizations and former members of NATO governments.

Shielding Yourself from the Threat of Spica

While your organization may not be listed high on ColdRiver’s target list, the attack methods are familiar and could easily be launched against you at some point in the future. Therefore, it’s in your best interests to integrate the following advice into your cybersecurity measures:

Always double check attachments: with email attachments representing one of the surest ways to transmit malware, it’s vital you remain vigilant. If you have even the slightest inkling that something seems suspicious with an email from a known contact, don’t email them back. Instead, contact them by phone to confirm the email is genuine, as it may be that their email account has been hacked.

Check for spelling/grammar errors: phishing emails are prone to poor grammar and spelling, especially when they originate from non-English speakers. Accordingly, poorly composed emails should be scrutinized closely. Also, watch out for generic and unusual greetings such as “Dear customer” as these may indicate that the email is part of a mass-campaign against unknown targets.

Use email filters: by using email filters, often included with anti-malware software such as McAfee, you can provide your organization with an extra layer of security. Connected to databases which are regularly updated, these email filters can identify malicious files before they’re downloaded to your PC.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Ukraine’s Military Hacked by Russian Backed USB Malware

malware, Ophtek, Phishing, Pteredo, Russian Hackers, Shuckworm, Ukraine, USB_malwaremalware, Ophtek, phishing, Pterodo, Russia, Shuckworm, Ukraine, USB_MalwareOphtek, LLC

Aug 2023

The news footage may focus on military strikes, but, behind the war in Ukraine, cyberattacks are being utilised as a major weapon by Russia.

Government-backed cyberattacks are nothing new, and they will continue to be utilized as part of global espionage campaigns for the foreseeable future. However, while these attacks are unlikely to be aimed at small businesses, the methods and techniques employed are likely to trickle down into the arsenal of smaller hackers. Therefore, in the near future, these powerful attacks could regularly be launched against your business.

At Ophtek, we pride ourselves on keeping our clients up to date on contemporary threats. But we also strive to keep you one step ahead of the hackers. And that’s why we’re going to take you through this latest attack.

Understanding the Mechanics of this Military Hack

Warfare has always relied on much more than just weapons, intelligence has always been equally important. And, with the rise of technology in the digital age, compromising IT equipment has proven to be highly rewarding in the pursuit of sensitive information. This latest attack, which has links with Russia’s FSB security service, has been launched by Shuckworm, a Russian threat actor with a long history of attacks.

February 2023 saw Shuckworm intensifying their attacks against Ukraine, a campaign which has been running for several years. Most notably, Shuckworm have been developing new malware in conjunction with command-and-control servers. Central to these attacks has been a strain of malware called Pterodo. Developed by Shuckworm, Pterodo is a backdoor attack which is executed when malicious USB drives are installed onto PCs. The first step that Pterodo takes is to install shortcut links on the infected PC, with these links given names such as evidence.rtf.lnk in order to tempt users into clicking them.

Clicking these links will install Pterodo on the user’s PC and allow Pterodo to spread through any connected drives and download further malware. To cover its tracks, Pterodo uses a number of innovative approaches. Numerous variants of Pterodo have been developed to bypass identification tools and, in order to conceal their identity, the related command-and-control servers regularly rotate their IP addresses. W hile the USB route for launching this attack appears to be Shuckworm’s preferred method, there is also evidence that it’s being spread through phishing emails.

How Do You Beat Military Backed Hackers?

Threat actors which receive government support are very powerful, but it doesn’t mean they are unbeatable. In fact, this latest attack by Shuckworm can easily be deflected by practicing the following:

Be wary of USB drives: USB drive attacks have been commonplace for many years, so it’s important that you don’t let your guard down. Mysterious USB drives which arrive in the mail or are found out in the parking lot should be fully scrutinized and never plugged into your PCs. As well as compromising data security, malicious USB drives also have the potential to destroy your PC.

Understand the hallmarks of phishing: businesses need to be vigilant against phishing campaigns in order to protect their IT infrastructure. Therefore, make sure your employees know how to identify telltale signs of phishing emails: misspellings, generic greetings, urgent demands, suspicious attachments/links, and email addresses with slight variations. If your team can stay alert to these threats, then you stand a much better chance of protecting your data.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Ophtek CEO Presenting at 3 Conferences in 2022 on Cyber Security

Cyber Security, Cyber Security Conference, Ophtek, Russian HackersCyber Security Conferences, Cybersecurity, Ophtek, Russian HackersOphtek, LLC

Apr 2022

Ophtek’s expertise and authority within the world of cybersecurity will be demonstrated at three cyber security conferences in 2022.

Every modern organization should prioritize IT as one of the most crucial elements of their day-to-day operations. Without suitable IT infrastructures in place, an organization’s scope for communication, productivity and security will be severely limited. Accordingly, Ophtek strives to turn these business aspirations into a reality for their clients. Ophtek’s success in this field has been the result of investing in talented employees and the careful stewardship of CEO Arash Shokouh.

The experience and knowledge that Ophtek has amassed over the last decade is invaluable. It’s a commodity which is severely in demand as, now more than ever, businesses need help navigating their way through cyber security issues and understanding the best IT practices to maximize productivity. And that’s why Arash Shokouh has been asked to present at three conferences in 2022 on cyber security.

Statement by President Biden on our Nation’s Cybersecurity.

A recent announcement from President Biden on the importance of Cyber Security highlights these issues:

“This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience. I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.” Read his full statement here..

Cybersecurity and Infrasctucture Security Agency.

Russia’s invasion of Ukraine could impact organizations both within and beyond the region, to include malicious cyber activity against the U.S. homeland, including as a response to the unprecedented economic costs imposed on Russia by the U.S. and our allies and partners. Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks. For more information..

Where Will Arash Be Presenting?

Arash is due to speak at the following three conferences in 2022:

Given Arash’s diverse background as an inventor, holder of BS and MS degrees in computer engineering, status as a part-time professor in computer engineering and, of course, ownership of Ophtek, he is perfectly placed to share his wealth of cyber security knowledge.

Given the current landscape of cyber security, where ransomware and malware represent major, significant threats, Arash’s presentations will focus on addressing these issues and pointing towards a safer, more secure future for organizations. In particular, the content will be focused on:

Protecting your business from modern cyber threats and technology
Cyber security best practices for individuals and businesses
The future of IT best practices
Addressing cyber security compliance

The cumulative insights provided by these presentations promise to impart a strong understanding of cyber security to forward thinking businesses and Arash cannot wait to share his knowledge.

Cyber Attacks Increase After Russia Invades Ukraine

cyber attacks, Hackers, Ophtek, Russian Hackers, Security, UkraineCyber Attacks, hackers, Ophtek, Russian Hackers, security, UkraineOphtek, LLC

Apr 2022

The Russian invasion of Ukraine has created headlines around the world; one of the lesser-known stories to emerge has been the increase of cyber attacks.

Numerous aspects of life have changed since Ukraine was invaded by Russian forces at the end of February. Alongside the military attacks and breakdown in social infrastructure that Ukrainians have had to contend with, there have been consequences for those outside the region as well. Supply chains have broken down, the price of fuel has risen and there is widespread skepticism over global peace. And, with the internet being such an integral part of modern society, there has been a notable rise in the number of cyber attacks occurring.

An Escalation in Cyber Attacks

The ensuing chaos of a war being waged on European soil and the military might of Russia has created the perfect environment for cyber attacks to thrive. Not only has Russia been accused of using cyber attacks as part of their campaign against Ukraine, but hackers have turned the situation to their advantage by exploiting concerns over the conflict.

As early as February, Ukraine was experiencing significant attacks on its defense ministry and two major banks. These DDoS attacks were used to temporarily take down websites associated with the targets and cause panic and certainty in financial and government sectors. Within 48 hours of the conflict breaking out, it was reported that an increase of 800% in the number of cyber attacks originating in Russia had been observed. There has also been a notable increase in attacks against Ukraine from groups allying themselves with Russia, the Stormous hacking group, for example, announced that they intended to target Ukrainian organizations with ransomware.

Independent hackers have also taken advantage of the conflict to boost the emotional credentials of their campaigns. With emotions and sympathies running high across the world, hackers have exploited these concerns by using Ukraine as a key email subject to increase engagement. Spam email campaigns have also been modified to use the Ukraine conflict as emotive honeypot used to trick recipients into making donations to false organizations.

How to Prepare for Spillover Attacks

While most of these attacks have targeted organizations in Ukraine, it’s likely that these attacks will soon spillover into allies of Ukraine and, eventually, any PC on the planet. As such, it’s crucial that you remain on your guard and observe the following:

Ukraine-based red flags: the increase in spam email campaigns means that its likely you will encounter malicious links and attachments arriving in your inbox. These will typically encourage you to engage with a call to action such as visiting a site set up for donations. Eliminate this risk by only visiting official websites through the correct channels.

Allies of Ukraine will be targeted: if you deal with Ukrainian organizations then there’s a chance you will be targeted. This could be the result of cyber attacks which spread through email address books or there’s the risk that you will be directly targeted. Accordingly, you should ramp up your cyber security operations and investigate anything suspicious.

Any source of conflict has the potential to cause uncertainty in the digital landscape and, with the Russia/Ukraine conflict expected to be in place for some time, it’s vital that you protect your IT infrastructures. Not only will this maintain IT continuity, but it will provide support for organizations in Ukraine.

For more ways to secure and optimize your business technology, contact your local IT professionals.

LoJax Malware is Persistent and Highly Dangerous

LoJack, LoJax, Ophtek, Russian Hackers, Security ThreatsLoJack, LoJax, Ophtek, Russian Hackers, securityOphtek, LLC

Feb 2019

Most malware can be eradicated once its DNA has been analyzed and solutions are developed by security experts, but what happens when it can’t be combated?

Unkillable malware may be a rare phenomenon, but it’s a reality that could become increasingly common. And when we say unkillable, we mean that the malware itself simply can’t be removed from a PC. You can replace hard drives and reinstall Windows, but the malware will remain on the PC. The disruption this can cause is immense and presents a serious threat to productivity for any organization affected. Although these forms of malware are currently rare, it’s likely that advances in technology and the skills of hackers could see their popularity increasing.

A recent strain of unkillable malware is LoJax, so we’re going to take a look at this and see what lessons we can learn.

The Unkillable LoJax

The origins of LoJax go all the way back to 2008 and, surprisingly, it all started with a piece of anti-theft software named LoJack. The LoJack software helped to protect PCs by working its way deep inside the Unified Extensible Firmware Interface (UEFI). Much like the traditional BIOS, UEFI helps to connect a PCs operating system to its firmware and is the first program that runs at startup. LoJax has taken the advanced technology of LoJack and modified it so that it can remain hidden deep within the workings of a PC.

And no matter what changes a user makes to their PC – be it software or hardware related – LoJax will retain a presence on that PC. Not only will LoJax be able to continually execute tasks in relative safety, it will also be able to keep up communications with remote command and control servers. This allows updates to be issued alongside new tools and pieces of malware. Clearly, LoJax is a particularly insidious and persistent threat to your PC.

First discovered in early 2018, LoJax has lived up to its reputation as unkillable and continues to wreak havoc several months later. Worst of all, many of the command and control servers are the original ones that were setup by the hackers. Usually, these C&C servers have to be regularly relocated and updated to thwart the efforts of security experts. However, underlining their ‘unkillable’ credentials, the hackers have been able to continue using their original setup without any resistance.

Are You Safe from LoJax?

It’s believed that LoJax was develop and created by the Russian hacking group Fancy Bear who appear to be in collusion with the Russian government. Accordingly, any industry is at risk from unkillable malware due to the lack of stability this can bring to an economy. At present, the only real advice for infections with LoJax is to wipe/replace the hard drive and carry out a complete reflash of the motherboard hardware. Even then there remains a risk that LoJax will remain on the PC and the simplest solution is to replace the entire system and start from scratch.

LoJax infections remain relatively rare, but the more pressing concern is that unkillable malware is being developed and released into the wild. This points to a future where increased security is more important than ever, so ensuring your organization adheres to best security practices is vital.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Category Archives: Russian Hackers

The Unkillable LoJax

Are You Safe from LoJax?