UAC-0063: A Russian-linked threat actor targeting Central Asia and Europe with sophisticated cyberespionage campaigns, including weaponized documents, data…

UAC-0063: A Russian-linked threat actor targeting Central Asia and Europe with sophisticated cyberespionage campaigns, including weaponized documents, data exfiltration, and advanced malware.

Bitdefender has shared its latest research with Hackread.com ahead of its release, revealing an active espionage campaign by Russia APT28-linked threat actor UAC-0063. According to Bitdefender’s investigation, the actor is specifically targeting high-value entities in Central Asia and European countries like Germany, the UK, Romania, and the Netherlands in a multi-stage attack process involving various malware components and techniques.

UAC-0063 has been active since at least 2021 and has targeted a variety of organizations, including government entities, diplomatic missions, and private companies. In this campaign, the actor employs malicious Microsoft Word documents, a HATVIBE malware loader, and custom-built malware to infiltrate networks. Their operations are characterized by persistence, focusing on maintaining long-term access to compromised systems.

The attack starts with compromised Microsoft Word documents containing malicious macros that, when enabled by the user, deliver the initial malware payload (HATVIBE loader). HATVIBE is an HTA (HTML Application) script that downloads and executes further malicious code from the attacker’s command-and-control (C2) server.

A blurred malicious MS Word document used in the attack prompts users to enable macros to reveal its contents. However, once enabled, it also allows attackers to deploy a malicious payload. (Via Bitdefender)

DownExPyer is used extensively throughout the UAC-0063 attack chain. It is deployed after the initial infection stage, likely by the HATVIBE loader or other malware components. This Python-based malware establishes persistent communication with the C2 server, receives commands, and executes malicious actions on the infected system. 

PyPlunderPlug is a separate script designed to collect files from removable drives connected to the infected system. It focuses on specific file types and copies them to a staging location for potential exfiltration.

The attackers also deploy keyloggers to capture keystrokes entered by the victim, potentially revealing sensitive information like passwords and login credentials. The stolen data is then compressed into smaller archives to facilitate exfiltration and evade detection.

Researchers noted that the actor leverages previously compromised victims to spread the infection. This means the weaponised documents exfiltrated from one victim are used to attack other targets. Moreover, they create scheduled tasks to ensure the persistence of their malware on the compromised system. These tasks automatically execute the malicious code at regular intervals.

Researchers hinted at the involvement of the Russian government in this campaign.

UAC-0063’s arsenal “featuring sophisticated implants like DownExPyer and PyPlunderPlug, combined with well-crafted TTPs, demonstrates a clear focus on espionage and intelligence gathering. The targeting of government entities within specific regions aligns with _potential Russian strategic interests_,” Bitdefender researchers wrote in the blog post.

To mitigate the risks posed by UAC-0063, organizations should enhance their threat intelligence by continuously monitoring feeds from reputable sources, tracking C2 domains and implementing DNS-based blocking mechanisms to prevent network traffic from reaching these malicious domains. Implementing application whitelisting policies and deploying Intrusion Detection and Prevention Systems (IDPS) are crucial for strengthening endpoint and network security. 

1.  **Ukrainian Hackers Breach Email of APT28 Leader**
2.  **Russian Hackers Exploit Firefox 0-Days to Deploy Backdoor**
3.  **Russian Hackers Hit Mail Servers in Europe for Military Intel**
4.  **Russian APT28 Exploiting Windows Flaw with GooseEgg Tool**
5.  **Russian Hackers Shift Tactics, Target Victims with Paid Malware**

Russian UAC-0063 Targets Europe and Central Asia with Advanced Malware

The threat actor is using a sophisticated network of VPNs and proxies to centrally manage command-and-control servers from Pyongyang.

Source: DC Studio via Shutterstock

An ongoing investigation into recent attacks by North Korea's Lazarus group on cryptocurrency entities and software developers worldwide has uncovered a hidden administrative layer that the threat actor has been using to centrally manage the campaign's command-and-control (C2) infrastructure.

The investigation by researchers at SecurityScorecard showed Lazarus using the newly discovered infrastructure to maintain direct oversight over compromised systems, control payload delivery on them, and efficiently manage exfiltrated data. Significantly, the threat actor is using the same Web-based admin platform in other campaigns, including one involving the impersonation of IT workers, the security vendor found.

**Elaborate Operational Security**

Though the threat actor has implemented elaborate operational security measures to try and evade attribution, SecurityScorecard said it was able to tie the campaign and infrastructure to North Korea with a high degree of confidence.

"\[The\] analysis makes it evident that Lazarus was orchestrating a global operation targeting the cryptocurrency industry and developers worldwide," SecurityScorecard said in a report this week. "The campaigns resulted in hundreds of victims downloading and executing the payloads, while, in the background, the exfiltrated data was being siphoned back to Pyongyang."

SecurityScorecard discovered "Phantom Circuit," the name by which it is tracking Lazarus group's newly discovered admin layer, while conducting followup investigations involving "Operation 99," a malicious campaign that it recently uncovered targeting the cryptocurrency industry and developers globally. In the campaign, members of the threat group have been posing as recruiters on LinkedIn and other online job forums to get software developers to engage in spurious project tests and code reviews.

Victims who fall for the scam are directed to clone a seemingly benign but harmful open source GitHub repository. The cloned repository connects to Lazarus group's C2 infrastructure, which the threat actor has then been using to sneak data-stealing malware into the victim's environment. As part of the campaign, Lazarus group actors have been inserting obfuscated backdoors into legitimate software products — including authentication apps and cryptocurrency software — and trying to trick developers into running them in their environments. SecurityScorecard estimates that more than 230 victims have downloaded the malicious payloads in the North Korean threat actor's latest campaign.

**Dual Motivations**

"The motivation is twofold: cryptocurrency theft and infiltration of corporate networks," Ryan Sherstobitoff, senior vice president of threat intelligence at SecurityScorecard says. More often than not, developers who fall victim to Lazarus group lures end up executing the cloned code on their corporate devices and in their work environments. "The payloads are designed to exfiltrate development secrets," he says.

SecurityScorecard uncovered the Phantom Circuit admin layer when trying to understand how Lazarus actors were managing the information they stole via Operation 99. What the company discovered was Lazarus members using what it described as a sophisticated network of Astrill VPNs and proxies to access Operation 99's C2 infrastructure in a highly concealed manner. Astrill, which has VPN servers in 142 cities and 56 countries, has a reputation for allowing users to browse the Web anonymously and bypass Internet restrictions in countries with heavy censorship.

SecurityScorecard researchers found Lazarus members using Astrill VPNs to connect to an intermediate proxy network registered with a freight company in Hasan, Russia. They then used the proxy network to connect to Operation 99's C2 infrastructure in an elaborate attempt to try and hide their tracks. The C2 servers themselves were hosted on infrastructure registered with a most likely fictional "Stark Industries, LLC."

"\[SecurityScorecard\] assesses with high confidence that the IPs used to connect to the C2s were merely a relay/proxy and used to obfuscate the true origin," the company wrote in its report this week. "The adversary was establishing a secondary session after connecting to the VPN with the proxy, thus obscuring the true origin of where they actually connected from." SecureScorecard said it was able to identify a total of six distinct IP addresses in Pyongyang that the threat actor used to initiate the Astrill VPN connections to Operation 99's C2 network.

"Phantom Circuit \[is the\] operational network behind the scenes that leads directly back to Pyongyang," Sherstobitoff says. It is also the same proxy network, he adds, that Lazarus used in another campaign where members used stolen identities to impersonate IT workers to try and secure jobs at organizations they wanted to infiltrate.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Researchers Uncover Lazarus Group Admin Layer for C2 Servers

China-based DeepSeek has exploded in popularity, drawing greater scrutiny. Case in point: Security researchers found more than 1 million records, including user data and API keys, in an open database.

The Chinese generative artificial intelligence platform DeepSeek has had a meteoric rise this week, stoking rivalries and generating market pressure for United States–based AI companies, which in turn has invited scrutiny of the service. Amid the hype, researchers from the cloud security firm Wiz published findings on Wednesday that show that DeepSeek left one of its critical databases exposed on the internet, leaking system logs, user prompt submissions, and even users’ API authentication tokens—totaling more than 1 million records—to anyone who came across the database.

DeepSeek is a relatively new company and has been virtually unreachable to press and other organizations this week. In turn, the company did not immediately respond to WIRED’s request for comment about the exposure. The Wiz researchers say that they themselves were unsure about how to disclose their findings to the company and simply sent information about the discovery on Wednesday to every DeepSeek email address and LinkedIn profile they could find or guess. The researchers have yet to receive a reply, but within a half hour of their mass contact attempt, the database they found was locked down and became inaccessible to unauthorized users. It is unclear whether any malicious actors or authorized parties accessed or downloaded any of the data.

“The fact that mistakes happen is correct, but this is a dramatic mistake, because the effort level is very low and the access level that we got is very high,” Ami Luttwak, the CTO of Wiz tells WIRED. “I would say that it means that the service is not mature to be used with any sensitive data at all.”

Exposed databases that are accessible to anyone on the open internet are a long-standing problem that institutions and cloud providers have slowly worked to address. But the Wiz researchers note that the DeepSeek database they found was visible almost immediately with minimal scanning or probing.

“Usually when we find this kind of exposure, it’s in some neglected service that takes us hours to find—hours of scanning,” says Nir Ohfeld, the head of vulnerability research at Wiz. But this time, “here it was at the front door.” Ohfeld adds that the “technical difficulty of this vulnerability is the bare minimum.”

The researchers say that the trove they found appears to have been a type of open source database typically used for server analytics called a ClickHouse database. And the exposed information supported this, given that there were log files that contained the routes or paths users had taken through DeepSeek’s systems, the users’ prompts and other interactions with the service, and the API keys they had used to authenticate. The prompts the researchers saw were all in Chinese, but they note that it is possible the database also contained prompts in other languages. The researchers say they did the absolute minimum assessment needed to confirm their findings without unnecessarily compromising user privacy, but they speculate that it may even have been possible for a malicious actor to use such deep access to the database to move laterally into other DeepSeek systems and execute code in other parts of the company’s infrastructure.

“It's pretty shocking to build an AI model and leave the backdoor wide open from a security perspective,” says independent security researcher Jeremiah Fowler, who was not involved in the Wiz research but specializes in discovering exposed databases. “This type of operational data and the ability for anyone with an internet connection to access it and then manipulate it is a major risk to the organization and users.”

DeepSeek’s systems are seemingly designed to be very similar to OpenAI’s, the researchers told WIRED on Wednesday, perhaps to make it easier for new customers to transition to using DeepSeek without difficulty. The entire DeepSeek infrastructure appears to mimic OpenAI’s, they say, down to details like the format of the API keys.

The Wiz researchers say they don’t know if anyone else found the exposed database before they did, but it wouldn’t be surprising, given how simple it was to discover. Fowler, the independent researcher, also notes that the vulnerable database would have “definitely” been found quickly—if it wasn’t already—whether by other researchers or bad actors.

“I think this is a wake-up call for the wave of AI products and services we will see in the near future and how seriously they take cybersecurity,” he says.

DeepSeek has made a global impact over the past week, with millions of people flocking to the service and pushing it to the top of Apple’s and Google’s app stores. The resulting shock waves have wiped billions from the stock prices of US-based AI companies and spooked executives at firms across the country. On Wednesday, sources at OpenAI told the Financial Times that it was looking into DeepSeek’s alleged use of ChatGPT outputs to train its models.

At the same time, DeepSeek has increasingly drawn the attention of lawmakers and regulators around the world, who have started to ask questions about the company’s privacy policies, the impact of its censorship, and whether its Chinese ownership provides national security concerns.

Italy’s data protection regulator sent DeepSeek a series of questions asking about where it obtained its training data, if people’s personal information was included in this, and the firm’s legal grounding for using this information. As WIRED Italy reported, the DeepSeek app appeared to be unavailable to download within the country following the questions being sent.

DeepSeek’s Chinese connections also appear to be raising security concerns. At the end of last week, according to CNBC reporting, the US Navy issued an alert to its personnel warning them not to use DeepSeek’s services “in any capacity.” The email said Navy members of staff should not download, install, or use the model, and raised concerns of “potential security and ethical” issues.

However, despite the hype, the exposed data shows that almost all technologies relying on cloud-hosted databases can be vulnerable through simple security lapses. “AI is the new frontier in everything related to technology and cybersecurity,” Wiz’s Ohfeld says, “and still we see the same old vulnerabilities like databases left open on the internet.”

Exposed DeepSeek Database Revealed Chat Prompts and Internal Data

VulnCheck initially disclosed the critical command-injection vulnerability (CVE-2024-40891) six months ago, but Zyxel has yet to mention its existence or offer users a patch to mitigate threats.

Source: Timon Schneider via Alamy Stock Photo

NEWS BRIEF

A command-injection vulnerability in Zyxel CPE Series devices is being targeted by threat actors, and there's no patch available.

The bug, tracked as CVE-2024-40891, was first discovered by VulnCheck, a vulnerability intelligence firm, and disclosed to the vendor last July. Half a year later, Zyxel has yet to fix or even mention the vulnerability.

If successfully exploited, CVE-2024-40891 could allow threat actors to execute arbitrary commands on infected devices, ultimately potentially leading to system compromise, network infiltration, and data leaks, according to VulnCheck.

Researchers at GreyNoise meanwhile have been coordinating with the researchers at VulnCheck regarding exploitation of the vulnerability, and decided to disclose it publicly this week due to the "large number of attacks" they have been observing.

They also noted that CVE-2024-40891 is very similar to a known issue tracked as CVE-2024-40890, with the primary difference between the two being one is telnet-based and the other HTTP-based. Both, however, allow unauthenticated attackers to execute arbitrary commands using service accounts, whether in the "supervisor" or "zyuser" roles.

The lack of a patch could be a significant issue: Censys is reporting more than 1,500 vulnerable devices online, and it looks like some botnet operators have built exploits for the bug into their code, according to GreyNoise.

"After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai and confirmed that the ability to exploit CVE-2024-40891 has been incorporated into some Mirai strains," the researchers noted.

Since there is no current fix, GreyNoise recommended that users filter traffic for unusual requests to Zyxel CPE management interfaces, monitor Zyxel's security updates to be aware if a patch is made available, restrict administrative interface access to trusted IPs, and disable unused remote management features.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers

Yet another spinoff of the infamous DDoS botnet is exploiting a known vulnerability in active attacks, while its threat actors are promoting it on Telegram for other attackers to use as well, in a DDoS-as-a-service model.

Source: Kirill Ivanov via Alamy Stock Photo

Yet another Mirai botnet variant is making the rounds, this time offering distributed denial-of-service (DDoS) as-a-service by exploiting flaws in Mitel SIP phones. It also features a unique capability to communicate with attacker command-and-control (C2).

Researchers at the Akamai Security Intelligence and Response Team (SIRT) identified the variant of the infamous botnet, dubbed Aquabot, that actively exploits CVE-2024-41710, a command-injection vulnerability that affects various Mitel models that are used in corporate environments, they revealed in a blog post published Jan. 29. The vulnerability relies on an input sanitization flaw, and exploitation can lead to root access of the device, SIRT researchers Kyle Lefton and Larry Cashdollar wrote in the post.

The variant is the third version of Aquabot (Akamai calls it Aquabotv3) to appear on the scene; the first version was built off the Mirai framework with the ultimate goal of DDoS, discovered in November 2023, and it was first reported by Antiy Labs. The second version of the bot "tacked on concealment and persistence mechanisms, such as preventing device shutdown and restart" that remain present in v3, the researchers wrote.

The new variant is distinct from the previous versions for a couple of reasons, the researchers said. One is a unique feature appearing first in Aquabotv3: a function named "report\_kill" that reports back to the C2 when a kill signal is caught on the infected device. So far, however, researchers have not seen any response to the function from the attacker C2.

Related:Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers

Another notable aspect of v3 of Aquabot is that the threat actors behind it have been advertising the botnet as DDoS as-a-service through platforms such as Telegram. The bot is advertised under several different names — including Cursinq Firewall, The Eye Services, and The Eye Botnet — offering Layer 4 and Layer 7 DDoS, the researchers noted.

**Active Exploitation of Mitel Phone Security Flaw**

Akamai SIRT detected exploit attempts targeting CVE-2024-41710 through its global network of honeypots in early January using a payload almost identical to a proof-of-concept (PoC) developed and released on GitHub in mid-August by Packetlabs' researcher Kyle Burns.

Burns discovered that the Mitel 6869i SIP phone, firmware version 6.3.0.1020, failed to sanitize user-supplied input properly, with multiple endpoints vulnerable to the flaw. His PoC demonstrated that an attacker could smuggle in entries otherwise blocked by the application's sanitization checks by sending a specially crafted HTTP POST request.

Related:Super Bowl LIX Could Be a Magnet for Cyberattacks

The exploitation activity that Akamai SIRT observed delivered a payload that attempts to fetch and execute a shell script called :bin.sh, which will in turn fetch and execute Mirai malware on the target system, the researchers wrote. The malware has support for a variety of different architectures, including x86 and ARM.

"Based on our analysis of the malware samples, we determined that this is a version of the Aquabot Mirai variant," specifically the latest evolution of the malware, Aquabotv3, the researchers wrote in the post.

In addition to being used in DDoS attacks, threat actors also are hawking Aquabot for DDoS-as-a-service, though they are trying to disguise the activity as "purely testing" for DDoS mitigation. However, the same domain featured in the ad promoting testing is actively spreading Mirai malware, the researchers noted.

"Threat actors will claim it's just a \[proof of concept\] or something educational, but a deeper analysis shows that they are in fact advertising DDoS as a service, or the owners are boasting about running their own botnet on Telegram," they wrote in the post.

**Mirai Botnet Remains Key Conduit for DDoS**

As the majority of botnets responsible for DDoS attacks are based on Mirai, "they predominantly target Internet of Things (IoT) devices, which makes spreading the malware relatively easy to do," the researchers noted in the post. Indeed, a recent wave of global DDoS attacks were attributed to Mirai botnet spinoffs, demonstrating that attackers aiming to leverage Mirai show no signs of slowing down.

Related:Apple Patches Actively Exploited Zero-Day Vulnerability

That's likely because "the \[return on investment\] of Mirai for an aspiring botnet author is high," because it's not only one of the most successful botnet families in the world, it's also one of the more simple ones to modify, the researchers noted.

Moreover, many IoT devices often lack proper security features, are at the end of service, or are left with default configurations and passwords either from neglect or lack of knowledge about the dangers, making them low-hanging fruit for Mirai and its variants, the researchers wrote.

No matter what an attacker's intentions are, the researchers recommended that organizations take action to secure IoT devices through discovery or changing default credentials to protect against DDoS threats.

"Many of these botnets rely on common password libraries for authentication," they wrote in the post. "Find out where your known IoT devices are, and check for rogue ones, too. Check the login credentials and change them if they are default or easy to guess."

Akamai SIRT also included a list of indicators of compromise (IoCs) as well as Snort and Yara rules in the post to aid defenders.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Mirai Variant 'Aquabot' Exploits Mitel Device Flaws

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   
These vulnerabilities exist in Observium, a network observation and monitoring system; Offis DCMTK, a collection of libraries and applications implementing DICOM (Digital Imaging and Communications

Wednesday, January 29, 2025 11:45

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   

These vulnerabilities exist in Observium, a network observation and monitoring system; Offis DCMTK, a collection of libraries and applications implementing DICOM (Digital Imaging and Communications in Medicine) standard formats; and WhatsUp Gold, an IT infrastructure management product.  

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.   

**Observium Vulnerabilities  **

_Discovered by Marcin "Icewall" Noga._   

Two cross-site scripting vulnerabilities exist in Observium, which can lead to arbitrary JavaScript code execution, as well as one HTML code injection vulnerability. All three can be triggered by an authenticated user clicking a malicious link crafted by the attacker.  

*   TALOS-2024-2090 (CVE-2024-47140) 
*   TALOS-2024-2091 (CVE-2024-47002) 
*   TALOS-2024-2092 (CVE-2024-45061) 

**Offis Vulnerabilities  **

_Discovered by Emmanuel Tacheau._   

Three vulnerabilities were found in the Offis DCMTK libraries that support the DICOM standard format. TALOS-2024-1957 (CVE-2024-28130) is an incorrect type conversion vulnerability that can lead to arbitrary code execution, and TALOS-2024-2121 (CVE-2024-52333) and TALOS-2024-2122 (CVE-2024-47796) are improper array index validation vulnerabilities that can lead to out-of-bounds write capabilities. All can be triggered with specially crafted malicious DICOM files.  

**Whatsup Gold Vulnerabilities  **

_Discovered by Marcin "Icewall" Noga._   

Two Whatsup Gold vulnerabilities include a risk of information disclosure (TALOS-2024-1932 (CVE-2024-5017) and TALOS-2024-2089 (CVE-2024-12105)), which can be triggered by an attacker making an authenticated HTTP request. 

There is also a risk of disclosure of sensitive information (TALOS-2024-1933 (CVE-2024-5010)), and denial of service (TALOS-2024-1934 (CVE-2024-5011)). These two vulnerabilities can be triggered by an attacker making an unauthenticated HTTP request.

Whatsup Gold, Observium and Offis vulnerabilities

Atomwaffen Division cofounder and alleged Terrorgram Collective member Brandon Russell is facing a potential 20-year sentence for an alleged plot on a Baltimore electrical station. His case is only the beginning.

Brandon Russell, arguably one of the most influential figures in the American neofascist revival of the past decade, is on trial this week over an alleged plot to knock out Baltimore’s power grid and trigger a race war.

The 29-year-old cofounder of the Atomwaffen Division, a neo-Nazi guerrilla organization that was responsible for five homicides and a number of bomb plots before the FBI dismantled it in 2020, Russell was arrested by federal agents in February 2023 along with his girlfriend, Sarah Clendaniel. If convicted of his charges of conspiring to destroy an energy facility, Russell could face 20 years behind bars thanks to a prior conviction and the potential penalty for his current charges.

Russell’s case represents one of the last gasps of the Biden administration’s hard-charging approach to tackling violent far-right extremism that is all but guaranteed to change during US president Donald Trump’s second term in office. It also offers a unique look inside federal law enforcement’s investigation into an insidious accelerationist propaganda network that mixes neo-Nazi ideology with nihilist, Columbine-style violence to inspire mass casualty events in the United States and beyond.

Russell allegedly hatched the plot to black out Baltimore while, according to prosecutors, participating in a noxious, prolific propaganda network hellbent on fomenting violence and chaos. The Terrorgram Collective, which took its name following a massive influx of neo-Nazis to Telegram at the end of the last decade, ran several channels on the messaging​​ app and developed a series of “how-to” domestic terrorism manuals that sought to inspire disaffected young men and women into committing mass casualty events. Terrorgram is currently designated a “tier one” extremism threat by the US Department of Justice.

To date, Terrorgram has released four publications—a blend of ideological motivation, mass-murder worship, neofascist indoctrination, and how-to manuals for chemical weapons attacks, infrastructure sabotage, and ethnic cleansing. Court records indicate there are at least three unreleased Terrorgram Collective compendiums, including “The Saint Encyclopedia” of the far-right mass killers they venerate, including Anders Breivik, Brenton Tarrant, and Timothy McVeigh; and “The List,” a collection of politicians, government officials, business leaders, journalists, activists, and other people deemed legitimate assassination targets.

The screeds appear to have directly inspired a series of ideologically motivated attacks around the world, including a 2022 mass shooting at an LGBTQ bar in Bratislava, Slovakia, successful attacks on power infrastructure in North Carolina and similar failed plots in Baltimore and New Jersey, and a stabbing spree in the Turkish city of Eskisehir. There are currently more than a dozen separate federal prosecutions around the United States that involve people alleged to be core Terrorgram Collective members or individuals allegedly inspired toward violent attacks on infrastructure or civilians.

In one of the Biden administration’s last policy moves against right-wing extremism, on January 13, the State Department formally classified the Terrorgram Collective as a Foreign Terrorist Organization, a listing usually reserved for militant groups that hold territory and have a formal real-world paramilitary structure as opposed to a loose propaganda network that seeks to inspire mass casualty events. While it is not unique—the British Home Office formally proscribed Terrorgram as an extremist organization last May, and Russell’s Atomwaffen Division was banned by the UK, Australia, and Canada—it is likely to be the last such action taken toward neo-Nazi groups by the United States government for the foreseeable future.

The Trump administration appears to be engaged in a wholesale shift away from violent far-right extremism, best illustrated by the unprecedented pardons given to more than 1,500 individuals charged or convicted of crimes during the failed insurrection of January 6, 2021, as well as the reassignment of senior Justice Department attorneys in the National Security Division.

In a set of pretrial hearings and motions over the limits of evidence in Russell’s trial, federal prosecutors convinced US District Court judge James K. Bredar to allow in evidence of Russell’s deep neo-Nazi indoctrination, including background about his founding role in the Atomwaffen Division. Russell’s alleged involvement in the Terrorgram Collective is bolstered by a pendant allegedly recovered by FBI agents in a search of his home after his February 2023 arrest: The necklace is made of swastika-bearing beads that contains a larger golden swastika pendant with “Terrorgram” inscribed along the side.

The court is taking extra precautions as the US attempts to convict Russell. Journalists’ use of phones and laptops in the courtroom is forbidden, and the judge granted some witnesses permission to testify anonymously over fears of retaliation by Russell's compatriots, some of whom have indicated in Terrorgram chats cited in court filings that they have sought to identify informants and agents involved in their cases. Clendaniel, Russell’s girlfriend, pleaded guilty in May and was later sentenced to 18 years in federal prison. It is unclear whether she will be one of the witnesses testifying against Russell.

The prosecution of Russell also offers insight to how American law enforcement and intelligence agencies collaborate with their foreign counterparts to combat the transnational far-right milieu that spawned the Terrorgram Collective.

In an unusual alliance over the past two years, lawyers from the American Civil Liberties Union’s National Security Project weighed in on Russell’s behalf during pretrial motions in an effort to reveal evidence of warrantless surveillance of the fascist figurehead by either the National Security Agency or its counterparts. Although Judge Bredar ultimately denied the ACLU’s efforts on the grounds that the material was classified, the government’s response spoke volumes about the intelligence community’s role in surveilling Russell. American intelligence documents reviewed by WIRED show the Five Eyes alliance of American, Canadian, British, Australian and New Zealander intelligence agencies were keeping tabs on the Terrorgram Collective as far back as 2021.

The presence of Terrorgram Collective members in Croatia, Denmark, Slovakia, South Africa, Canada, and elsewhere overseas, coupled with the State Department’s designation of the propaganda network as a foreign terrorist organization, also point to additional reasons the group would be subjected to the highest level of official surveillance.

Russell was on court supervision when he was picked up for the Baltimore plot nearly two years ago. In 2018, he was convicted on federal charges for possession of homemade hexamethylene triperoxide diamine, a highly unstable compound. He served a little over three years in prison and was released in August 2021. Russell’s arrest, in 2017, on illegal explosives charges, stemmed from a macabre internecine squabble within the Atomwaffen Division and a double homicide at the Tampa, Florida, apartment Russell shared with three other extremist comrades.

_Updated 7:35 am EST, January 29, 2025: Corrected the maximum sentence Russell could receive if convicted._

The Trial at the Tip of the Terrorgram Iceberg

The impetus for CrowdStrike's new professional services came from last year's Famous Chollima threat actors, which used fake IT workers to infiltrate organizations and steal data.

Source: Andrea Danti via Shutterstock

When CrowdStrike alerted 200 customers last summer that its OverWatch managed threat-hunting service discovered endpoint telemetry indicating that the company might have at least one fake IT employee working for it, many were initially doubtful that they were among those affected.

Upon further investigation, though, it turned out that 40% of them were victims of a North Korean APT group that recruits people to apply for open tech jobs and, when hired, use their network access to deploy malware and steal data. The spike in activity by the group, known as Famous Chollima, was the impetus for last week's launch of CrowdStrike's Insider Risk Service, a set of professional services for detecting rogue IT workers and improving hiring practices.

Famous Chollima — threat actors from North Korea — used rogue IT workers to infiltrate over 300 companies, according to a May announcement by the US Department of Justice. Several perpetrators were charged with allegedly defrauding US companies using online job sites and payment platforms with locally hosted proxy computers. Victims discovered malicious IT employees installed malware, notably BeaverTail or InvisibleFerret, or exfiltrated data.

According to the Justice Department, it was the largest criminal act using IT workers, resulting in an estimated $6.8 million in losses.

"I think it's significantly higher than $6.8 million; I would say it's on the order of tens of millions of dollars," Adam Meyers, CrowdStrike's senior VP for counter adversary operations, told attendees at the company's annual Fal.Con customer event in September.

**Customers Initially Dubious**

CrowdStrike's chief global services officer, Thomas Etheridge, recalls customers' initial skepticism that they may have unwittingly hired fake IT workers.

"We had many organizations that absolutely said, 'Thank you, but we don't have that problem,' and then they later reached back out to us and said, 'We realize you were absolutely spot on,'" Etheridge tells Dark Reading.

According to 467 cybersecurity professionals surveyed for Securonix's "2024 Insider Threat Report," insider attacks rose from 66% of organizations in 2019 to 76% last year. Moreover, 90% said insider attacks are equally or more challenging to discover than external attacks.

CrowdStrike cites research from the Ponemon Institute, which found that 71% of organizations experienced between 21 and 41 insider incidents in 2023 — up from 67% over the previous year. The report also found that the annual cost of insider threats averaged $16.2 million per organization.

Data from 1,542 security decision-makers responding to Forrester Research's 2024 Security Survey indicated that 23% of data breaches resulted from internal incidents. Joseph Blankenship, VP and research director for Forrester's Security & Risk practice, says addressing insider risk is more complex than external threats.

"It's difficult to discern normal insider behavior from potentially malicious or accidentally harmful behavior," Blankenship says. "Insider risk services help to test the technology and processes organizations use to detect and respond to insider incidents."

**CrowdStrike's New Services Portfolio**

CrowdStrike's Insider Risk Service provides assessments to determine overall security gaps that enable both malicious and unintentional internal threats and HR hiring processes.

"We have some really rich telemetry around identity, around what threat actors are doing and the tooling they're using to remain persistent and undetectable in an environment, and we use those same techniques and tools to uncover insider activity," Etheridge says. "Putting a lot of these things together and bringing the people and process aspect to it really can help an organization up level and mature their insider-risk program."

The offering consists of a program in which CrowdStrike's consultants examine an organization's approach to insider risk and perform technical reviews to discover gaps and recommend improvements. The services also include tabletop exercises and red team simulations to test what defenses are in place and explore ways to discover vulnerabilities.

Not surprisingly, the services rely on threat intelligence and telemetry gathered from CrowdStrike's flagship Falcon platform and its OverWatch 24x7 threat-hunting service team. While major IT consulting firms like Accenture, EY, and smaller service providers offer risk assessment services, Etheridge touts CrowdStrike's platform as an advantage.

"These organizations are coming to us because we have a lot of the telemetry that they would need to understand the difference between normal activity occurring in the organization and non-normal activity," Etheridge says.

Meanwhile, activity from Famous Chollima is off from last year's peak, though Etheridge expects variations in this insider threat type to continue.

"It's not out of the realm of possibilities for other threat actors to try to either mimic or come up with another creative way to try to infiltrate companies," he says.

Forrester's Blankenship agrees.

"I believe threat actors like Famous Chollima will continue to be a risk," he says. "Without measures in place to confirm the identities of employees and contractors, organizations will continue to be vulnerable to threat actors posing as legitimate workers. Ongoing monitoring for suspicious insider behavior is also necessary to detect these threat actors."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

CrowdStrike Highlights Magnitude of Insider Risk

Concerns include everything from ransomware, malware, and phishing attacks on the game's infrastructure to those targeting event sponsors and fans.

Source: Steve Cukrov via Shutterstock

Sporting events like the upcoming Super Bowl LIX in New Orleans are prime targets for cyberattacks due to their massive audiences, extensive digital infrastructure, and the potential for high financial and reputational impact. Experts say organizers should be prepared for an onslaught of attacks leading up to and on game day, which is Feb. 9 this year.

Securing such events can be particularly challenging due to the vast array of potential attack surfaces, including ticketing systems, livestreaming platforms, in-stadium Internet of Things (IoT) devices, and valuable fan data. The New Year's Day terrorist attack in the city has only added to the concerns, and has prompted greater physical security measures in the form of increased surveillance, a significantly larger police presence than initially planned, and the use of drones and extra cameras to monitor for threats.

**High-Stakes Cybersecurity Playbook for the Big Game**

James DeMeo, faculty member with Tulane University's School of Professional Advancement, is an expert in sport event security, facilities, and venue risk assessment. The Super Bowl, he reminds, is a mega event that the Department of Homeland Security has designated as a Special Event Assessment Rating 1 (SEAR 1), which is the highest rating from a threat assessment standpoint. Following the Jan. 1 vehicle ramming incident in New Orleans' French Quarter, event security concerns are sure to have only heightened, he says.

The top cybersecurity concerns will include those around ransomware, malware, and phishing threats directed at critical infrastructure for the games and communication networks. "Command center controls will be tasked with averting bad actors from infiltrating CCTV, access controls, and wireless networks while ensuring a seamless fan experience," DeMeo says.

Other focus areas for the security team at the Super Bowl will include protecting fan payment data and monitoring social media networks for signs of potential physical threat activity. "Law enforcement will be sharing relative and timely information with governmental stakeholders like the JTTF and the Secret Service," DeMeo says. Expect the DHS to monitor posts on social media platforms in real time before and during the games for conversations that indicate a threat to the event.

DeMeo expects drones will play a key role on the physical security side of things as well. "Drones are an effective risk mitigation tool for key Super Bowl security stakeholders," he says. "This technology can be implemented for properly monitoring crowds, crowd management, crowd ingress/egress, and reconnaissance for potential nefarious bad actors on the exterior perimeters of the venue."  

Additionally, such technologies as biometrics and iris scans can be utilized as an effective risk mitigation tool by event security leads, he says.

**A Collaborative Defensive Effort**

Mike Storm, distinguished engineer at Cisco, says preparation for an event like the Super Bowl actually begins years in advance, with collaboration between a number of entities, including the host venue, the local city, a wide network of tech vendors, and government entities like the FBI. "In the years, months and weeks leading up to the event, the cross-functional team engages in a wide variety of scenario and role-playing exercises so that should any issues arise during the event, responses are swift, coordinated, and ideally resolve the problem before it can impact the game or the fan experience."

As the primary network provider for the Super Bowl, Cisco has partnered with the NFL in a collaborative approach to manage threats to the game. "This playbook," he says, "is built on a few core attributes that are essential to successfully protecting an event of this magnitude — simplicity, visibility, reliability, and protection." As part of the effort, Cisco has deployed a range of technologies to secure the game network, including Cisco Secure Firewall, Cisco Umbrella, Cisco Security Malware Analytics, Cisco XDR with Meraki, and Splunk Enterprise.

The NFL is also tapping Cisco's Talos threat intelligence service for real-time intelligence pertinent to the event. The goal is to safeguard game day operations and respond to potential threats during the event to prevent disruptions, Storm says. "When it comes to large sporting events, we are looking for all types of attacks, at volume," he says. Many attacks are often focused on trying to degrade the experience of fans or on the misuse of data of viewers, guests, or participants of the game. "These events are targeted by a variety of different actors, which can include ideologically or politically motivated hacktivists and state-sponsored threat actors." These actors employ a variety of tactics, which can include targeting sponsors to disrupt the game or misusing branding to lure viewers to click something on something malicious.  

Storm points to the rising use of artificial intelligence as impacting Cisco's approach to protecting high-profile events like the Super Bowl. For instance, it adds complexity, he says: "The stakes of something going wrong with AI are incredibly high. On the other hand, it unlocks opportunities for faster, smarter security."

**The Threat from Unmonitored Service Accounts & APIs**

Meanwhile. the proliferation of automated systems and services like "just walk out" payment methods and frictionless checkout systems at events like the Super Bowl present a new attack vector that security teams need to guard against. The growing digitization has enabled faster retail transactions and a host of other benefits for fans. But it also led to an explosion of non-human identities (NHIs) and shared multiuse service accounts, APIs, tokens, and access keys that are often poorly monitored or completely unmonitored, says Tim Eades, CEO and co-founder of Anetac.

"Anetac's research indicates that large-scale events like the Super Bowl represent a perfect storm for NHI vulnerabilities," Eades says. "The combination of reliance on automated systems, rapid deployment, and the expansive network of NHIs required to support modern stadiums \[has\] significantly \[increased\] the attack surface," at events like the Super Bowl.

Eades perceives the targeting of NHIs as presenting a threat for event organizers in New Orleans and remote locations, "Bad actors recognize that automated accounts are gateways to critical infrastructure and sensitive data such as customer information, employee data, and more," he says. Securing such accounts, Eades notes, is important because they enable attackers to potentially gain control over stadium systems, from payment processing to manipulating environmental controls and emergency systems.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Super Bowl LIX Could Be a Magnet for Cyberattacks

IntelBroker targets Hewlett-Packard Enterprise (HPE) again, claiming to have access to the company’s internal infrastructure and the possibility…

IntelBroker targets Hewlett-Packard Enterprise (HPE) again, claiming to have access to the company’s internal infrastructure and the possibility of selling to access rather than selling data.

**IntelBroker**, a notorious hacker linked to prior high-profile cyberattacks, has announced an alleged new data breach of Hewlett-Packard Enterprise (HPE). The hacker claims to have accessed and cloned new data from HPE’s repositories.

Although the claimed data is 500 MB in size, a relatively smaller size than usual, screenshots shared exclusively with Hackread.com provide insights into what looks like the compromised infrastructure, revealing exposed credentials, internal configurations, and proprietary source code.

This latest breach is the second time IntelBroker has targeted Hewlett Packard Enterprise. In January 2025, as **reported by Hackread.com**, IntelBroker publicly claimed responsibility for compromising HPE’s infrastructure in an earlier attack. That breach, disclosed via Breach Forums and in an exclusive conversation with Hackread.com, involved a substantial exfiltration of sensitive data.

****Latest Claims****

A quick analysis of the data tree and internal screenshots seen by Hackread.com points out at possible extraction of some sensitive data including private keys and certificates, proprietary source code for HPE products, including iLO and Zerto systems, Internal Git repositories and Docker builds.

Additionally, the data tree shows that hackers also allegedly managed to access exposed infrastructure configurations including internal services and endpoints, such as SignonService and Salesforce integrations, Internal DNS and deployment pipelines for microservices, MongoDB credentials, QIDs integrations and more.

Screenshots provided to Hackread.com by IntelBroker

****Plans to Sell Access****

In the first alleged HPE breach, IntelBroker offered the stolen data for sale, demanding payment in Monero cryptocurrency to stay anonymous. This time, however, the hacker claims they plan to release the entire data set for free and sell the access.

> _“I am not sure about selling the data, maybe I will just leak it for free this time, I don’t know yet but my team could be selling the access we have to HPE infrastructure, to interested parties.”_
> 
> IntelBroker told Hackread.com.

Nevertheless, the claims of the new HPE data breach show the urgency for organizations to secure their infrastructure, regularly audit access controls, and monitor for suspicious activity. If validated, this breach represents a major incident for HPE, with long-term implications for their operations and customer trust.

****HPE is NOT HP Inc.****

Hewlett-Packard Enterprise (HPE) and HP Inc. are two separate entities that originated from the **split** of Hewlett-Packard in 2015. HPE focuses on enterprise-level IT solutions, including servers, storage, networking, cloud computing, and software services tailored for businesses.

In contrast, HP Inc. specializes in personal computing devices and printers, targeting consumers and small businesses. While they share a common origin, their operations and focus areas are entirely different.

Hackread.com has reached out to HPE for a statement. Any response from the company will be added to this article as soon as it is received. Stay tuned for updates!

1.  **Hacker Leak Over 10,000 DELL Employee Details**
2.  **Acer Data Breach: Hacker Sells 160GB of Stolen Data**
3.  **Dell Discloses Data Breach As Hacker Sells 49M User Data**
4.  **3 Billion National Public Data Records with SSNs Dumped Online**
5.  **Trello Data Breach: Hacker Dumps Personal Info of Millions of Users**

Tag

#intel