{"id":222806,"date":"2022-03-08T10:00:31","date_gmt":"2022-03-08T09:00:31","guid":{"rendered":"https:\/\/www.intrinsec.com\/?p=222806"},"modified":"2022-03-08T10:00:31","modified_gmt":"2022-03-08T09:00:31","slug":"ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/","title":{"rendered":"Ukraine: Intrusion set involved in the Russian-Ukrainian conflict"},"content":{"rendered":"<h2 class=\"has-vivid-red-color has-text-color wp-block-heading\" id=\"h-context\">Context<\/h2>\n\n\n\n<p>Numerous clashes have continued in the country over the past week, with Ukrainian armed forces resisting, while the Russian army officially seized the cities of Melitopol and Kherson, before announcing the expansion of its offensive against Ukraine despite a growing international outcry. On Sunday, February 27, Vladimir Putin ordered his army chiefs to put Russia&#039;s nuclear deterrent on high alert, in response to what he said were aggressive statements by NATO and EU countries and economic sanctions against Moscow.<\/p>\n\n\n\n<p>While the military conflict continues, the cyber one is intensifying. A new series of offensive and destructive cyberattacks against Ukraine&#039;s infrastructure, as well as responses targeting Russian assets, is being observed.<\/p>\n\n\n\n<p>Wiper payloads and DDoS attacks constitute a major component of the conflict in the cyber sphere, with several spear-phishing campaigns and <a href=\"https:\/\/www.intrinsec.com\/en\/malware-wav\/\" target=\"_blank\" rel=\"noreferrer noopener\">malware<\/a> packages associated with these campaigns being newly identified and analyzed by security researchers. 
Various state, criminal and hacktivist actors are involved on both sides of the conflict, with coalitions being created.<\/p>\n\n\n\n<p>Ukrainian and Russian targets are the first to be affected during this conflict, but allies on both sides \u2013 and by extension their assets \u2013 could be the next potential targets (as illustrated by a recently identified spear-phishing campaign targeting European government personnel assisting Ukrainian refugees).<\/p>\n\n\n\n<h2 class=\"has-vivid-red-color has-text-color wp-block-heading\" id=\"h-description-chronology\">Description\/Chronology<\/h2>\n\n\n\n<p class=\"has-vivid-purple-color has-text-color has-small-font-size\"><strong>October 2021<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Russian-linked group Gamaredon launches several attacks on Ukrainian organizations.<\/li><\/ul>\n\n\n\n<p class=\"has-vivid-purple-color has-text-color\"><strong>February 14<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The Ukrainian security service announces a wave of cyberattacks.<\/li><\/ul>\n\n\n\n<p class=\"has-vivid-purple-color has-text-color\"><strong>February 15<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The Ukrainian defense agency and two banks are victims of DDoS attacks.<\/li><\/ul>\n\n\n\n<p class=\"has-vivid-purple-color has-text-color\"><strong>February 19<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The White House and the British government attribute the DDoS attacks to the GRU.<\/li><\/ul>\n\n\n\n<p class=\"has-vivid-purple-color has-text-color\"><strong>February 23<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>HermeticWiper campaign hits multiple Ukrainian organizations: Ministry of Defense, Ministry of Foreign Affairs and the Ministry of Internal Affairs. 
A large volume of telecom data is also stolen.<\/li><\/ul>\n\n\n\n<p class=\"has-vivid-purple-color has-text-color\"><strong>February 24<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>IsaacWiper campaign targets a Ukrainian governmental network.<\/li><li>Several Russian government sites go offline due to a suspected hacktivist cyberattack.<\/li><\/ul>\n\n\n\n<p class=\"has-vivid-purple-color has-text-color\"><strong>February 25<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Massive spear-phishing campaign targets Ukrainian armed forces personnel and is linked to the Belarusian cyberespionage group UNC1151.<\/li><li>The Ukrainian border is hit by a wiper cyberattack that slows the process for Ukrainian refugees to cross into Romania.<\/li><\/ul>\n\n\n\n<p class=\"has-vivid-purple-color has-text-color\"><strong>February 26<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>CISA issues an official alert on the WhisperGate and HermeticWiper campaigns.<\/li><\/ul>\n\n\n\n<p class=\"has-vivid-purple-color has-text-color\"><strong>February 27<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Hacktivists get increasingly involved: Ukrainian universities are hacked by pro-Russian hacktivists and Anonymous breaches over 300 Russia-affiliated targets.<\/li><li>Ukraine recruits an army of cyber volunteers with the goal of attacking a specific list of Russian entities.<\/li><li>First Conti leaks are published.<\/li><\/ul>\n\n\n\n<p class=\"has-vivid-purple-color has-text-color\"><strong>February 28<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>New cyberattacks against Ukrainian targets detected: a malware package tracked as \u201cFoxBlade\u201d is identified.<\/li><li>Facebook detects two attack campaigns against Ukrainian targets using its network, and promptly blocks the associated accounts.<\/li><li>Satellite internet provider KA-SAT is the victim of a cyberattack, apparently of Russian origin, also affecting German wind farms and the French ISP 
NordNet.<\/li><li>Anonymous defaces the websites of several Russian state news agencies.<\/li><li>New Conti leaks are published.<\/li><\/ul>\n\n\n\n<p class=\"has-vivid-purple-color has-text-color\"><strong>March 1<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Spear-phishing campaign \u201cAsylum Ambuscade\u201d targets European government personnel aiding Ukrainian refugees and is attributed to UNC1151.<\/li><li>A wide <a href=\"https:\/\/www.intrinsec.com\/en\/threat-intelligence-fraude-paiements-en-ligne\/\" target=\"_blank\" rel=\"noreferrer noopener\">fraud<\/a> campaign targets Microsoft users with the lure of \u201cunusual sign-on activity from Russia\u201d.<\/li><li>New Conti leaks are published.<\/li><\/ul>\n\n\n\n<p class=\"has-vivid-purple-color has-text-color\"><strong>March 2<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>New phishing campaigns appear: sanctions-themed emails targeting cryptocurrency marketplace credentials, humanitarian-aid-themed scams and advance-fee frauds.<\/li><li>The \u201cID 5\u201d threat actor launches a DDoS attack against the Ukrainian Ministry of Defense.<\/li><li>Another hacktivist confrontation: the pro-Russian hacktivist group KillNet takes Anonymous&#039; servers offline.<\/li><li>New Conti leaks are published.<\/li><\/ul>\n\n\n\n<h2 class=\"has-vivid-red-color has-text-color wp-block-heading\" id=\"h-threat-actors-intrusion-sets-involved\">Threat actors\/Intrusion sets involved<\/h2>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>Threat Actor\/Intrusion set<\/strong><\/td><td><strong>Kind<\/strong><\/td><td><strong>Support<\/strong><\/td><td><strong>Goals<\/strong><\/td><td><strong>Estimated risk<\/strong><\/td><\/tr><tr><td>AgainstTheWest<\/td><td>Criminal<\/td><td>Ukraine<\/td><td>Data breach\/encryption<\/td><td>Medium<\/td><\/tr><tr><td>Belarusian Cyber 
Partisans<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>Databreach<\/td><td>Low<\/td><\/tr><tr><td>Anonymous<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>DDoS<\/td><td>Low<\/td><\/tr><tr><td>GhostSec<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>DDoS\/databreach<\/td><td>Low to medium<\/td><\/tr><tr><td>IT Army of Ukraine<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>DDoS<\/td><td>Low<\/td><\/tr><tr><td>KelvinSecurity Hacking Team<\/td><td>Criminal<\/td><td>Ukraine<\/td><td>Databreach<\/td><td>Medium<\/td><\/tr><tr><td>BlackHawk<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>DDoS<\/td><td>Low<\/td><\/tr><tr><td>Anon Liberland &amp; PWN-BAR Hack Team<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>DDoS\/Databreach<\/td><td>Low<\/td><\/tr><tr><td>RaidForums admin<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>DDoS<\/td><td>Low<\/td><\/tr><tr><td>Netsec<\/td><td>Criminal<\/td><td>Russia\/Ukraine<\/td><td>Databreach<\/td><td>Low<\/td><\/tr><tr><td>Freecivilian<\/td><td>Hacktivist<\/td><td>Russia<\/td><td>Defacement\/Data Breach<\/td><td>Low<\/td><\/tr><tr><td>ComingProject<\/td><td>Criminal<\/td><td>Russia<\/td><td>Databreach<\/td><td>Low<\/td><\/tr><tr><td>Conti ransomware operators<\/td><td>Crime syndicate<\/td><td>Russia<\/td><td>Encryption<\/td><td>High<\/td><\/tr><tr><td>The Red Bandits<\/td><td>Criminal<\/td><td>Russia\/Ukraine<\/td><td>Data breach\/encryption<\/td><td>Low<\/td><\/tr><tr><td>GhostWriter\/UNC 1151<\/td><td>Nation-state<\/td><td>Russia<\/td><td>Espionage\/Sabotage<\/td><td>Medium to High<\/td><\/tr><tr><td>SandWorm Team<\/td><td>Nation-state<\/td><td>Russia<\/td><td>Espionage\/Sabotage<\/td><td>High<\/td><\/tr><tr><td>Gamaredon 
group<\/td><td>Nation-state<\/td><td>Russia<\/td><td>Espionage<\/td><td>High<\/td><\/tr><tr><td>GNG<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>DDoS<\/td><td>Low<\/td><\/tr><tr><td>NB65<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>DDoS<\/td><td>Low<\/td><\/tr><tr><td>SHDWSec<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>DDoS<\/td><td>Low<\/td><\/tr><tr><td>DeepNetAnon<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>Databreach<\/td><td>Low<\/td><\/tr><tr><td>FreeUkraineNow<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>N \/ A<\/td><td>Low<\/td><\/tr><tr><td>1LevelCrew<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>DDoS<\/td><td>Low<\/td><\/tr><tr><td>IT Army of Ukraine Psyops<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>N \/ A<\/td><td>Low<\/td><\/tr><tr><td>Stormous ransomware operators<\/td><td>Criminal<\/td><td>Russia<\/td><td>Encryption<\/td><td>Low<\/td><\/tr><tr><td>KillNet<\/td><td>Criminal<\/td><td>Russia<\/td><td>N \/ A<\/td><td>Low<\/td><\/tr><tr><td>Digital Cobra Gang<\/td><td>Hacktivist<\/td><td>Russia<\/td><td>N \/ A<\/td><td>Low<\/td><\/tr><tr><td>GhostClan<\/td><td>Criminal<\/td><td>Ukraine<\/td><td>DDoS\/databreach<\/td><td>Low<\/td><\/tr><tr><td>v0g3lSec<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>Databreach<\/td><td>Low<\/td><\/tr><tr><td>Hydra UG<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>DDoS\/databreach<\/td><td>Low<\/td><\/tr><tr><td>IT_G33ks<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>Espionage<\/td><td>Low<\/td><\/tr><tr><td>Xaknet<\/td><td>Criminal<\/td><td>Russia<\/td><td>DDoS\/databreach<\/td><td>Low<\/td><\/tr><tr><td>LiteMods<\/td><td>Hacktivist<\/td><td>Ukraine<\/td><td>DDoS<\/td><td>Low<\/td><\/tr><tr><td>GrenXPaRTa_9haan<\/td><td>Criminal<\/td><td>Ukraine<\/td><td>Databreach<\/td><td>Low<\/td><\/tr><tr><td>Unknown Threat Actors<\/td><td>Nation-state Hacktivist<\/td><td>Russia\/Ukraine<\/td><td>Sabotage<\/td><td>High<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Credits to Cyberknow for the regular update on all the threat 
actors involved: <a href=\"https:\/\/cyberknow.medium.com\/update-7-2022-russia-ukraine-war-cyber-group-tracker-march-6-7a4e40baa748\">https:\/\/cyberknow.medium.com\/update-7-2022-russia-ukraine-war-cyber-group-tracker-march-6-7a4e40baa748<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"has-vivid-red-color has-text-color wp-block-heading\" id=\"h-targets\">Targets<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Banking institutions<\/li><li>Government and administrations<\/li><li>Defense industry<\/li><li>Financial organizations<\/li><li>Media and audiovisual<\/li><li>Gas<\/li><li>Oil<\/li><li>Nuclear power (civilian use)<\/li><li>Telecommunications<\/li><li>Rail transport<\/li><li>High-tech<\/li><li>Air transport<\/li><li>Agriculture and agribusiness<\/li><li>Internet Service providers<\/li><li>Citizens<\/li><li>Religious organizations<\/li><li>Electricity<\/li><li>Military personnel<\/li><li>Universities<\/li><\/ul>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"has-vivid-red-color has-text-color wp-block-heading\" id=\"h-attack-analysis\">Attack analysis<\/h3>\n\n\n\n<h4 class=\"has-vivid-purple-color has-text-color wp-block-heading\" id=\"h-ddos-and-defacement\">DDoS and defacement<\/h4>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignleft size-large is-resized\"><img fetchpriority=\"high\" decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/03\/2004.i109.002_hacker_fishing_digital_crime_isometric_icons-10-1024x1024.jpg\" alt=\"\" class=\"wp-image-222838\" width=\"271\" height=\"271\"\/><figcaption><em>Attacks against distributed networks are also known as Distributed Denial of Service (DDoS) attacks.<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p><strong>Risk level: <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-green-cyan-color\">low<\/mark><\/strong><\/p>\n\n\n\n<p>Threat actors listed above, considered as \u201chacktivists\u201d, are conducting reconnaissance phases on their targets 
before they deploy DDoS attacks. They often publicly share a list of targets through websites like Pastebin or AnonPaste. We have also identified some actors sharing pieces of code and scripts, inviting other members to conduct DDoS attacks on designated targets. Some groups even indicate their targets&#039; level of exposure by sharing Shodan information about vulnerable equipment. We have also identified actors sharing known tools like Reaper or GitHub-hosted tools to help their community perform their own attacks. According to our observations, the level of sophistication and the capability to develop custom tools are quite low. Moreover, the impact of these attacks does not last long. Indeed, the \u201cinfrastructures\u201d used to launch this kind of attack are usually self-hosted and not sophisticated. Cybersecurity researchers consider small groups&#039; DDoS attacks as \u201csymbolic actions\u201d.<\/p>\n\n\n\n<p>We observed that hacktivist groups claiming successful DDoS attacks show their targets&#039; names on social media (mostly on Twitter and <a href=\"https:\/\/www.intrinsec.com\/en\/telegram-english\/\" target=\"_blank\" rel=\"noreferrer noopener\">Telegram<\/a>). Links to \u201cdown websites\u201d are published, sometimes with screenshots as \u201cproofs\u201d of compromise. For example, threat actors from the pro-Russian group XakNet published a list of Ukrainian public \u201cgov.ua\u201d domains, claiming they managed to take them down (even though most of them remain up and running).<\/p>\n\n\n\n<p class=\"has-vivid-red-color has-text-color\">We must emphasize that we are aware that VIASAT has recently been <a href=\"https:\/\/news.sky.com\/story\/satellite-giant-viasat-probes-suspected-broadband-cyberattack-amid-russia-fears-12554004\">\u00abexperiencing a partial network outage-impacting internet service for fixed broadband customers in Ukraine and elsewhere on our European KA-SAT network\u00bb<\/a>. 
This partial network outage impacting internet service for fixed broadband customers in Ukraine and elsewhere on the KA-SAT network has been confirmed as a cyberattack against VIASAT (although unattributed for the moment). The hypothesis of a DDoS attack is being discarded, as the clues point rather to a firmware attack.<\/p>\n\n\n\n<p><strong>Why is the risk for French entities assessed as low?<\/strong><\/p>\n\n\n\n<p>Although these threat actors are mostly targeting the websites of institutions and critical infrastructures, their DDoS attacks do not seem to have a significant impact. Based on the TTPs employed and the level of sophistication, we assess with moderate confidence that the impact and the potential for lateral movement remain quite low.<\/p>\n\n\n\n<p>However, some hacktivists combine DDoS with network intrusions and data exfiltration. For example, organized groups such as GhostSec, AgainstTheWest or KelvinSecTeam seem to be capable of hitting large organizations. AgainstTheWest in particular was observed on RaidForums, selling sensitive information such as RDP or VPN access. 
Today, the group claims to be in possession of the data of the Ministry of Agriculture and Food of Belarus.<\/p>\n\n\n\n<h4 class=\"has-vivid-purple-color has-text-color wp-block-heading\" id=\"h-databreach\">Data breach<\/h4>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignleft size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/03\/3845387-1024x1024.jpg\" alt=\"A\u00a0data breach\u00a0is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.\" class=\"wp-image-222839\" width=\"255\" height=\"255\"\/><figcaption><em>A&nbsp;<strong>data breach<\/strong>&nbsp;is a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p><strong>Risk level: <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">medium<\/mark> to <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">high<\/mark><\/strong><\/p>\n\n\n\n<p>Since the beginning of the war in Ukraine, we have identified several criminal and activist actors specialized in leaking sensitive information such as RDP and VPN access and databases. At the moment, the majority of the targets are Ukrainian and Russian government institutions.<\/p>\n\n\n\n<p>For example, we have observed the activity of a threat actor called AgainstTheWest (ATW), affiliated with the BlueHornet (BH) group. 
Despite a name that could suggest support for Russia, ATW instead targets countries that it perceives as a threat to Western societies, such as Russia, Belarus and China.<\/p>\n\n\n\n<p>On its Telegram channel, ATW claimed the compromise of several Russian and Belarusian institutions such as the Russian Space Forces, the Ministry of Transport of Russia or Russia Air. For the majority of its successful hacks, ATW publishes a link to download the database. While ATW remains rather discreet about the techniques used to carry out its attacks, it has nonetheless stated on Telegram that it uses a \u201ccustom-made ransomware\u201d and a \u201cwiper malware to kill all network data and information stored on companies within the Russian federation\u201d. <a href=\"https:\/\/cyberknow.medium.com\/an-interview-with-againstthewest-b7aa1625fc4f\">According to an interview conducted by Cyberknow on Medium<\/a>, ATW is a team of at least six operating out of Western Europe, at least one of whom is from France, and it seems to have plans to target North Korea, Belarus and Iran in the future.<\/p>\n\n\n\n<p>In the same way, another group named KelvinSecurity seems to target Russian entities. Indeed, on Telegram, KelvinSecurityTeam also claims the compromise of Russian institutions or entities like the <em>Federal Agency For State Property Management<\/em> or the <em>Joint Institute for Nuclear Research<\/em>. As opposed to ATW, the KelvinSecurity team shares some tools on GitHub with its community in order to attack Russian companies.<\/p>\n\n\n\n<p>Finally, other groups like TheRedBanditsRU support the Russian government and target Ukrainian entities. 
These groups echo the official narrative by stating that they see Ukrainian citizens as family.<\/p>\n\n\n\n<p><strong>Why is the risk for French entities assessed as medium to high?<\/strong><\/p>\n\n\n\n<p>Although these threat actors are mostly targeting Russian and Ukrainian institutions or companies, we assess with moderate confidence that the impact on French entities remains medium to high.<\/p>\n\n\n\n<p>Indeed, many Russian companies are linked to European companies either through subsidiaries or partnerships. Thus, some databases can contain data about European customers. Moreover, all countries that support the sanctions against Russia are now potential cyber targets. Therefore, there is a high risk that data leakage attacks will increase in NATO member countries.<\/p>\n\n\n\n<h4 class=\"has-vivid-purple-color has-text-color wp-block-heading\" id=\"h-ransomware\">Ransomware<\/h4>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignleft size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/03\/2004.i109.002_hacker_fishing_digital_crime_isometric_icons-15-1024x1024.jpg\" alt=\"Ransomware\u00a0is malware that employs encryption to hold a victim's information at ransom.\" class=\"wp-image-222840\" width=\"276\" height=\"276\"\/><figcaption><em>Ransomware is malware that employs encryption to hold a victim&#039;s information at ransom.<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p><strong>Risk level: <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">high<\/mark><\/strong><\/p>\n\n\n\n<p>On February 25, the ransomware group Conti published a message threatening to target the critical infrastructures of states that would go against Russia. However, shortly after displaying its pro-Russian stance, the group was itself hacked: the Twitter account @ContiLeaks began to publish regular leaks containing highly sensitive data belonging to the gang. 
The political motivation behind this hack is clear, although it remains unconfirmed whether the author of the leak is an external threat actor or a pro-Ukrainian member of the gang itself.<\/p>\n\n\n\n<p>These leaks include internal messages exchanged among the members of the gang (from Jabber XMPP and RocketChat servers), raw data files, new TTPs and victim targeting strategies, access to Conti storage servers and, most notably, the ransomware source code itself (<a href=\"https:\/\/twitter.com\/fwosar\/status\/1498683300604522502?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1498683300604522502%7Ctwgr%5E%7Ctwcon%5Es1_&amp;ref_url=https%3A%2F%2Fthreatpost.com%2Fconti-ransomware-decryptor-trickbot-source-code-leaked%2F178727%2F\">with a decryptor, which however does not work for the most recent versions<\/a>).<\/p>\n\n\n\n<p>While the incident illustrates the political divergence reigning within ransomware gangs, it should be noted that a loss of credibility of this magnitude for the Conti \u201cbrand\u201d may result in some of its affiliates leaving for other ransomware groups in the following months.<\/p>\n\n\n\n<p>For the moment, Conti remains the only group that has openly claimed its stance within the conflict, compared to the relative silence of other ransomware gangs, excluding the announcement of LockBit 2.0, which claimed to remain strictly apolitical in its activities.<\/p>\n\n\n\n<p><strong>Why is the risk for French entities assessed as high?<\/strong><\/p>\n\n\n\n<p>It should be noted that, whatever the political stance of the ransomware groups, this threat is not new and remains traditionally high for French entities, since ransomware gangs are sophisticated actors that count French companies among their victims. 
Although paralyzed, Conti specifically remains a major threat which, despite the leak, continues to compromise new victims and publish them on its website.<\/p>\n\n\n\n<p><em>Note:<\/em> As far as <strong>HermeticRansom<\/strong> is concerned (mimicking ransomware behavior while other systems are wiped), <a href=\"https:\/\/www.crowdstrike.com\/blog\/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine\/\">CrowdStrike<\/a> found a flaw in its encryption mechanism and shared this finding with other AV\/EDR vendors, so that <a href=\"https:\/\/decoded.avast.io\/threatresearch\/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware\/\">Avast<\/a> could quickly compile a more user-friendly decryptor binary with a GUI.<\/p>\n\n\n\n<h4 class=\"has-vivid-purple-color has-text-color wp-block-heading\" id=\"h-apt\">APT<\/h4>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignleft size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/03\/2004.i109.002_hacker_fishing_digital_crime_isometric_icons-06-1024x1024.jpg\" alt=\"An Advanced Persistent Threat (APT) is a type of stealth and continuous hacking, targeting a specific entity\" class=\"wp-image-222842\" width=\"273\" height=\"273\"\/><figcaption><em>An Advanced Persistent Threat (APT) is a type of stealthy and continuous hacking targeting a specific entity.<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p><strong>Risk level: <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">high<\/mark><\/strong><\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"h-gamaredon-group\">Gamaredon Group<\/h5>\n\n\n\n<p>According to available information on the Gamaredon group (aka Actinium or Shuckworm), this intrusion set has been active since at least 2013 and has been attributed to Russia. Gamaredon has reportedly been involved in the conflict with Ukraine since potentially summer 2021. 
Analyses by Palo Alto, Microsoft and Symantec all point to cyber espionage activities conducted by the group against Ukraine for at least 6 months.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The first malicious activities were observed by Symantec from July 14, 2021 to August 18, and Microsoft indicates that it has identified activity since October 2021.<\/li><li>In each of the campaigns analyzed, the initial access vector seems to be the same: the attackers use spearphishing emails. In some cases, these emails embed a Word document that, upon opening, executes a malicious VBS file. In other cases observed by Microsoft and Palo Alto, the attached document downloads a template remotely, which contains a macro that then drops the malicious VBS script. This technique allows bypassing defense systems that automatically scan attachments for macros, since the attachment itself carries none. The emails in question impersonate legitimate organizations such as the World Health Organization in the case mentioned by Microsoft.<\/li><li>Gamaredon reportedly obtains persistence via scheduled tasks.<\/li><li>The downloaded payloads allow the attackers to deploy tools known to be associated with the group, such as its custom backdoor named Pterodo (also known as Pteranodon). This is then used to deploy additional payloads on the victim&#039;s computer, such as variants of the backdoor or a VNC client communicating directly with the command and control server controlled by the attackers. Microsoft analysts have also observed other malicious binaries downloaded by the attackers: DinoTrain, DesertDown, DilongTrash, ObfuBerry, ObfuMerry and PowerPunch. Analysis conducted on the Pterodo backdoor revealed that it contains a binary called QuietSieve, used for exfiltration and monitoring. 
QuietSieve is reportedly used to enumerate files on the host, take screenshots every 5 minutes and also serve as a loader for other payloads.<\/li><li>Microsoft and Palo Alto also analyzed the infrastructure of the group, which was described as particularly volatile. Indeed, several hundred domains and IP addresses could be associated with the modus operandi, suggesting particularly frequent changes in the infrastructure over a short period of time. DNS records also change approximately once a day. In addition, most of the IP addresses were registered with a Russian registrar: ASN 197695 \u2013 REG.RU (joint observation by Microsoft and Palo Alto). Blocking individual IP addresses to counter Gamaredon is therefore of limited value; it is more effective to focus on the ASN (197695), physically located in Russia.<\/li><\/ul>\n\n\n\n<p>Microsoft and Symantec state that they have not detected any information indicating a link between Gamaredon&#039;s activities and WhisperGate or the wiping operations. Various analyses of the group&#039;s recent campaigns suggest that the intrusion set targeted Ukrainian government entities, as well as NGOs and law enforcement. Palo Alto says it has detected evidence of targeting of the Ukrainian migration service. The group is believed to be operating out of Crimea with objectives consistent with cyber espionage. More generally, it seems that the group&#039;s objective was to target various critical actors that could intervene in an emergency context in Ukraine.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"h-sandworm-team\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-purple-color\">Sandworm Team<\/mark><\/h5>\n\n\n\n<p>Sandworm Team is a destructive threat group that has been attributed to Russia&#039;s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. 
This group has been active since at least 2009.<\/p>\n\n\n\n<p>In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, the targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organization for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019. A report by ANSSI, published on February 15, 2021, attributes a campaign targeting Centreon servers to Sandworm Team.<\/p>\n\n\n\n<p>On February 23, the NCSC, CISA, NSA and FBI published a joint advisory alerting that Sandworm is using a new malware, referred to as Cyclops Blink. It is believed to have been active since 2019, replacing the group&#039;s previous malware, VPNFilter, which was disrupted in 2018. According to NordVPN and Talos, this malware has been identified in cyberattacks against Ukrainian networks and devices, including MikroTik routers. 
While it is unclear if Sandworm Team is currently active in the conflict, there is a high risk that it will be in the near future.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"h-cyclops-blink-sandworm\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-purple-color\">Cyclops Blink (Sandworm)<\/mark><\/h5>\n\n\n\n<p>Cyclops Blink is a malicious Linux ELF executable, compiled for the 32-bit PowerPC (big-endian) architecture, associated with a large-scale botnet targeting WatchGuard Firewall appliances (Small Office\/Home Office (SOHO) network devices).<\/p>\n\n\n\n<p>The botnet, active since at least June 2019, is actually a variant of the VPNFilter malware that plagued 2018. Cyclops Blink is primarily used by the Sandworm APT group (aka Fancy Bear), known for its recent cyberattacks in Ukraine.<\/p>\n\n\n\n<p>Cyclops Blink is generally deployed as part of a firmware &#039;update&#039;. This achieves persistence when the device is rebooted and makes remediation harder. Victim devices are organized into clusters and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses. Communications between Cyclops Blink clients and servers are protected by Transport Layer Security (TLS), using individually generated keys and certificates. 
Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network.<\/p>\n\n\n\n<p><strong>Relevant references for detection tools, IOCs, TTPs and recommendations, resulting from the joint work of the FBI, CISA, DOJ and UK NCSC teams, are provided at the end of the document.<\/strong><\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"h-unc1151\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-purple-color\">UNC1151<\/mark><\/h5>\n\n\n\n<p class=\"has-black-color has-text-color\">UNC1151, also known as GhostWriter, has been identified as a group orchestrating a long-running campaign across various Eastern European countries, focused on compromising governments&#039; communications systems and gathering data that can be used in ongoing information warfare campaigns. The cybersecurity firm Mandiant first identified GhostWriter in 2020, and linked its activities to the Belarusian government in November 2021. In August 2020, FireEye uncovered a campaign active since March 2017, which aimed to discredit NATO by spreading fake news content on compromised websites or via spoofed email accounts. This threat actor is also believed to be behind a defacement campaign, in January 2022, affecting tens of Ukrainian government websites.<\/p>\n\n\n\n<p class=\"has-black-color has-text-color\">On February 25, 2022, CERT-UA alerted on an ongoing campaign attributed to this threat actor, targeting Ukrainian military personnel and civilians, as well as various Belarusian and Polish organizations, via <a href=\"https:\/\/www.intrinsec.com\/en\/bonnes-pratiques-phishing\/\" target=\"_blank\" rel=\"noreferrer noopener\">phishing<\/a> emails. 
On February 24, 2022, Proofpoint detected another phishing campaign that uses compromised private Ukrainian military emails to target European government personnel in an attempt to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO member countries. While attribution of this last attack to UNC1151 is unclear, it is likely, as Ukrainian military personnel appear to have been compromised by UNC1151; this could then represent a second stage of the same campaign. On February 28, 2022, Facebook announced that it had seen increased targeting of Ukrainian social media users by GhostWriter, and blocked some domains associated with phishing attacks leveraged by the threat actor.<\/p>\n\n\n\n<p><strong>Spearphishing campaign<\/strong><\/p>\n\n\n\n<p class=\"has-black-color has-text-color\">The ongoing phishing campaign targets various Ukrainian government and military accounts in order to compromise them via a malicious URL. Some phishing emails, for example, ask the recipient to provide information to avoid the permanent suspension of their email account. After a successful compromise, the attackers gain access to all of the victims&#039; messages through the IMAP protocol. UNC1151 then uses the contact details from the address book to send further phishing emails and extend its campaign. The sender addresses of the malicious emails use the \u201c.space\u201d top-level domain (TLD) and share a common registrant, \u201cApolena Zorka\u201d, with domains primarily hosted behind Cloudflare infrastructure. According to SecureWorks, the \u201cApolena Zorka\u201d cluster is a mix of generic email validation domains and domains spoofing popular Ukrainian information services, which suggests they were created specifically for Ukrainian targets. 
Another cluster leveraging the \u201c.space\u201d TLD is named \u201cRadka Dominika\u201d and has similar generic email and spoofed domains, but with Polish names, including a spoof of the legitimate domain of the Polish Ministry of National Defense. These domains were created continuously between December 15, 2021 and February 26, 2022.<\/p>\n\n\n\n<p class=\"has-black-color has-text-color\">The phishing campaign targeting European government entities leverages themes pertaining to the Emergency Meeting of the NATO Security Council held on February 23, 2022. The day after this meeting, and after the publication of a news story about a Russian government \u201ckill list\u201d targeting Ukrainians, these phishing emails were sent with a macro-enabled XLS attachment named \u201clist of persons.xlsx\u201d and a subject related to the NATO meeting. The sender address is linked to a Ukrainian military unit, which could suggest that this represents the second stage of the campaign that compromised military personnel.<\/p>\n\n\n\n<p>When the macro of the XLS attachment is enabled, it executes a VBA macro named \u201cModule1\u201d which creates a Windows Installer (msiexec.exe) object, invoking Windows Installer to call out to an actor-controlled staging IP and download a malicious MSI package. It also sets the Windows Installer UILevel property to \u201c2\u201d, which specifies a user interface level of \u201ccompletely silent installation\u201d; this hides all macro actions and network connections from the user. The actor accesses the delivery IP via the Windows Installer InstallProduct method, which is intended to obtain an MSI install file from a URL, save it to a cached location, and finally begin installation of the MSI package. This MSI package can install a series of Lua-based dependencies, execute a malicious Lua script named SunSeed, and establish persistence via an LNK file installed for autorun at Windows Startup. 
Notably, the legitimate Windows Lua interpreter sppsvc.exe can be modified so that it does not print any output to the Windows console. The LNK file executes the malicious SunSeed Lua script \u201cprint.lua\u201d, which attempts to retrieve additional malicious Lua code from the actor&#039;s command and control (C2) server. The SunSeed malware appears to be a simple downloader: it obtains the C drive partition serial number from the host, appends it to a URL request sent via a Lua socket, continually polls the C2 server for additional Lua code, and executes that code upon receiving it in a response.<\/p>\n\n\n\n<p><strong>Why is the risk for French entities assessed as high?<\/strong><\/p>\n\n\n\n<p>The risk for French entities is assessed as high, as these threat actors have been active for several years and have launched various large-scale campaigns with significant impact. With their involvement in this conflict, they could potentially target adversaries of Russia as well as states and organizations that support Ukraine. In turn, they could impact European organizations by targeting those directly supporting Ukraine, such as refugee logistics, military organizations, political movements and enterprises that have activities or partners located in Ukraine or Russia.<\/p>\n\n\n\n<h2 class=\"has-vivid-red-color has-text-color wp-block-heading\" id=\"h-ttps\">TTPs<\/h2>\n\n\n\n<p>In red are TTPs shared by more than two of the threat actors analyzed in this report. 
In green are TTPs used by a single threat actor and not shared with the others.<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"has-black-color has-text-color\"><tbody><tr><td><strong>Tactic<\/strong><\/td><td><strong>Technique<\/strong><\/td><\/tr><tr><td>Reconnaissance<\/td><td>Active Scanning: Vulnerability Scanning<br>Gather Victim Network Information<\/td><\/tr><tr><td>Resource Development<\/td><td><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Acquire Infrastructure<\/mark><br>Domains<br>Botnet<br>Compromise Accounts: Email Accounts<br>Establish Accounts: Email Accounts<br>Obtain Capabilities<br>Tool<br>Code Signing Certificates<\/td><\/tr><tr><td>Initial Access<\/td><td>External Remote Services<br><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Phishing<\/mark><br><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Spearphishing Attachment<\/mark><br>Spearphishing Link<br>Valid Accounts: Domain Accounts<\/td><\/tr><tr><td>Execution<\/td><td><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Command and Scripting Interpreter<\/mark><br>Windows Command Shell<br>Unix Shell<br><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Native API<\/mark><br>System Services: Service Execution<br>User Execution<br>Malicious Link<br>Malicious File<br>Windows Management Instrumentation<\/td><\/tr><tr><td>Persistence<\/td><td>Boot or Logon Autostart Execution: Registry Run Keys\/Startup Folder<br>Boot or Logon Initialization Scripts: RC Scripts<br>External Remote Services<br>Pre-OS Boot: System Firmware<\/td><\/tr><tr><td>Defense Evasion<\/td><td>Hide Artifacts: Hidden Window<br>Impair Defenses: Disable or Modify System Firewall<br><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Masquerading: Match Legitimate Name or Location<\/mark><br>Obfuscated Files or Information<\/td><\/tr><tr><td>Discovery<\/td><td>Account Discovery: Email Account<br>Remote System Discovery<br><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">System Information Discovery<\/mark><\/td><\/tr><tr><td>Lateral Movement<\/td><td><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Remote Services<\/mark><br>SMB\/Windows Admin Shares<br>Distributed Component Object Model<br>VNC<\/td><\/tr><tr><td>Collection<\/td><td>Email Collection<br>Screen Capture<\/td><\/tr><tr><td>Command and Control<\/td><td><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Application Layer Protocol: Web Protocols<\/mark><br>Data Encoding: Non-Standard Encoding<br>Encrypted Channel: Asymmetric Cryptography<br>Fallback Channels<br>Ingress Tool Transfer<br>Multi-Stage Channels<br>Non-Standard Port<br>Proxy<br>Remote Access Software<\/td><\/tr><tr><td>Impact<\/td><td>Data Destruction<br>Data Encrypted for Impact<br>Defacement<br>Disk Wipe<br>Disk Content Wipe<br>Disk Structure Wipe<br>Endpoint Denial of Service: Service Exhaustion Flood<br>Network Denial of Service<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"has-vivid-red-color has-text-color wp-block-heading\" id=\"h-cves\">CVEs<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-cve-known-to-be-exploited-by-russian-state-sponsored-apt-actors-for-initial-access-in-past-years\">CVEs known to be exploited by Russian state-sponsored APT actors for initial access in past years<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>CVE-2018-13379 FortiGate VPNs<\/li><li>CVE-2019-1653 Cisco router<\/li><li>CVE-2019-2725 Oracle WebLogic Server<\/li><li>CVE-2019-7609 Kibana<\/li><li>CVE-2019-9670 Zimbra software<\/li><li>CVE-2019-10149 Exim Simple Mail Transfer Protocol<\/li><li>CVE-2019-11510 Pulse Secure<\/li><li>CVE-2019-19781 Citrix<\/li><li>CVE-2020-0688 Microsoft Exchange<\/li><li>CVE-2020-4006 VMware (0-day)<\/li><li>CVE-2020-5902 F5 Big-IP<\/li><li>CVE-2020-14882 Oracle WebLogic<\/li><li>CVE-2021-26855 Microsoft Exchange (often chained with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-cves-known-to-be-exploited-by-conti-ransomware\">CVEs known to be exploited by Conti ransomware<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>CVE-2021-1675 (Windows Print Spooler <strong>RCE<\/strong>)<\/li><li>CVE-2022-21882 (Win32k <strong>privilege escalation<\/strong>)<\/li><\/ul>\n\n\n\n<h3 class=\"has-vivid-red-color has-text-color wp-block-heading\" id=\"h-malware\">Malware<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-gamaredon\">Gamaredon<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>DinoTrain<\/li><li>DesertDown<\/li><li>DilongTrash<\/li><li>ObfuBerry<\/li><li>ObfuMerry<\/li><li>PowerPunch<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-sandworm-team-1\">Sandworm Team<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>Cyclops Blink<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-unc1151-1\">UNC1151<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>SunSeed<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-it-army-of-ukraine\">IT Army of Ukraine<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>Reaper (malware shared by IT Army of Ukraine to conduct DDoS attacks)<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-against-the-west\">Against the West<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>Wiper (suspected)<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-unknown-threat-actors\">Unknown threat actors<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>WhisperGate<\/li><li>HermeticWiper<\/li><\/ul>\n\n\n\n<h3 class=\"has-vivid-red-color has-text-color wp-block-heading\" id=\"h-tools\">Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Tool shared on Raidforums2 to conduct DoS attacks: <a href=\"https:\/\/github.com\/jseidl\/GoldenEye\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/jseidl\/GoldenEye\/<\/a><\/li><li>Tool shared by ITArmy for penetration testing: <a href=\"https:\/\/github.com\/UkraineSecOps\/PenTestingTutorials\">https:\/\/github.com\/UkraineSecOps\/PenTestingTutorials<\/a><\/li><li>VNC<\/li><li>Tools shared by KelvinSecurityTeam for penetration testing:<ul><li><a href=\"https:\/\/github.com\/JoelGMSec\/AutoRDPwn\">https:\/\/github.com\/JoelGMSec\/AutoRDPwn<\/a><\/li><li><a href=\"https:\/\/github.com\/JoelGMSec\/PSRansom\">https:\/\/github.com\/JoelGMSec\/PSRansom<\/a><\/li><li><a href=\"https:\/\/github.com\/cyprosecurity\/API-SecurityEmpire\">https:\/\/github.com\/cyprosecurity\/API-SecurityEmpire<\/a><\/li><\/ul><\/li><\/ul>\n\n\n\n<h3 class=\"has-vivid-red-color has-text-color wp-block-heading\" id=\"h-how-to-pre-empt-threats\">How to preempt threats<\/h3>\n\n\n\n<h4 class=\"has-vivid-purple-color has-text-color wp-block-heading\" id=\"h-webshells\">Webshells<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>SHA256: fa74335c09c138eab6256c1fbb176aee9a8334aac65cff3bf9b602d9dc9dd554<\/li><li>SHA1: 9f4b88c179ab1485f94bc13551d33aca4d80e18a<\/li><li>MD5: 9e3b4a2ed171ea1c888d569c7d98b944<\/li><\/ul>\n\n\n\n<h4 class=\"has-vivid-purple-color has-text-color wp-block-heading\" id=\"h-rats\">RATs<\/h4>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"h-asyncrat\"><em>AsyncRAT<\/em><\/h5>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/blog.morphisec.com\/asyncrat-new-delivery-technique-new-threat-campaign\">https:\/\/blog.morphisec.com\/asyncrat-new-delivery-technique-new-threat-campaign<\/a><\/li><li><a href=\"https:\/\/eln0ty.github.io\/malware%20analysis\/asyncRAT\/\">https:\/\/eln0ty.github.io\/malware%20analysis\/asyncRAT\/<\/a><\/li><\/ul>\n\n\n\n<h5 
class=\"wp-block-heading\" id=\"h-stub-exe-asyncrat-client-likely-dropped-by-previous-webshell\"><em>Stub.exe (AsyncRAT client likely dropped by previous webshell)<\/em><\/h5>\n\n\n\n<ul class=\"wp-block-list\"><li>MD5: E38BD39CCF08393442179FF40A504584<\/li><li>SHA1: 3CA5E89AEDAD3E54200C4D4CD35C6315193679DD<\/li><li>SHA256: 430578774AC0571E51F0903801185C232AB799178013BDD94F14DA2482453B44<\/li><\/ul>\n\n\n\n<h4 class=\"has-vivid-purple-color has-text-color wp-block-heading\" id=\"h-wiper\">Wiper<\/h4>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"h-hermeticwiper\"><em>HermeticWiper<\/em><\/h5>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/ua_wipers\">https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/ua_wipers<\/a><\/li><li><a href=\"https:\/\/github.com\/netskopeoss\/NetskopeThreatLabsIOCs\/tree\/main\/HermeticWiper\/IOCs\">https:\/\/github.com\/netskopeoss\/NetskopeThreatLabsIOCs\/tree\/main\/HermeticWiper\/IOCs<\/a><\/li><li><a href=\"https:\/\/github.com\/netskopeoss\/NetskopeThreatLabsIOCs\/blob\/main\/HermeticWiper\/IOCs\/Win32_Ransomware_KillDisk.yar\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/netskopeoss\/NetskopeThreatLabsIOCs\/blob\/main\/HermeticWiper\/IOCs\/Win32_Ransomware_KillDisk.yar<\/a><\/li><\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h4 class=\"has-vivid-purple-color has-text-color wp-block-heading\" id=\"h-apt-1\">APT<\/h4>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"h-gamaredon-1\"><em>Gamaredon<\/em><\/h5>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/shuckworm-gamaredon-espionage-ukraine\">https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/shuckworm-gamaredon-espionage-ukraine<\/a><\/li><li><a 
href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/02\/04\/actinium-targets-ukrainian-organizations\/\">https:\/\/www.microsoft.com\/security\/blog\/2022\/02\/04\/actinium-targets-ukrainian-organizations\/<\/a><\/li><li><a href=\"https:\/\/unit42.paloaltonetworks.com\/gamaredon-primitive-bear-ukraine-update-2021\/\">https:\/\/unit42.paloaltonetworks.com\/gamaredon-primitive-bear-ukraine-update-2021\/<\/a><\/li><li><a href=\"https:\/\/github.com\/Orange-Cyberdefense\/russia-ukraine_IOCs\">https:\/\/github.com\/Orange-Cyberdefense\/russia-ukraine_IOCs<\/a><\/li><\/ul>\n\n\n\n<p><\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"h-sandworm\"><em>Sandworm<\/em><\/h5>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.ncsc.gov.uk\/files\/NCSC_MAR_W_00016%20Cyclops%20Blink%20indicators.csv\">https:\/\/www.ncsc.gov.uk\/files\/NCSC_MAR_W_00016%20Cyclops%20Blink%20indicators.csv<\/a><\/li><li><a href=\"https:\/\/gist.github.com\/silascutler\/00b9308b429808bbb5e72c07f963134d\">https:\/\/gist.github.com\/silascutler\/00b9308b429808bbb5e72c07f963134d<\/a><\/li><\/ul>\n\n\n\n<p><\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"h-unc1151-2\"><em>UNC1151<\/em><\/h5>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails\">https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails<\/a><\/li><li><a href=\"https:\/\/www.secureworks.com\/blog\/domains-linked-to-phishing-attacks-targeting-ukraine\">https:\/\/www.secureworks.com\/blog\/domains-linked-to-phishing-attacks-targeting-ukraine<\/a><\/li><\/ul>\n\n\n\n<p><\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"h-cyclops-blink-a-sophisticated-state-sponsored-botnet\"><em>Cyclops Blink, a sophisticated state-sponsored botnet<\/em><\/h5>\n\n\n\n<p>Watchguard has published <a 
href=\"https:\/\/detection.watchguard.com\/\">detection tools<\/a>, IOCs, TTPs, detection rules and recommendations, produced through the joint work of the FBI, CISA, DOJ and UK <a href=\"https:\/\/www.ncsc.gov.uk\/files\/Cyclops-Blink-Malware-Analysis-Report.pdf\">NCSC<\/a> teams.<\/p>\n\n\n\n<h3 class=\"has-vivid-red-color has-text-color wp-block-heading\" id=\"h-recommendations\">Recommendations<\/h3>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/03\/20945659-1-1024x1024.jpg\" alt=\"\" class=\"wp-image-222835\" width=\"104\" height=\"129\"\/><\/figure>\n\n\n\n<h4 class=\"has-vivid-purple-color has-text-color wp-block-heading\" id=\"h-threat-intell-recommendations\">Threat Intelligence recommendations<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>We recommend running <strong>threat hunting campaigns<\/strong> (ideally covering activity from September 2021 onward) while prioritizing <strong>strengthening defenses against the TTPs and CVEs pinpointed in this report<\/strong>.<\/li><li><strong>Phishing and spear-phishing are another important entry point<\/strong> often encountered since the beginning of the conflict and thus must be <strong>tackled by raising employee awareness with custom sessions tailored to each employee&#039;s role in the company<\/strong>. 
We emphasize that attachments sometimes mimic the download of an ISO file, a technique we anticipate will be leveraged more often since <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-365-blog\/helping-users-stay-safe-blocking-internet-macros-by-default-in\/ba-p\/3071805\">Microsoft introduced a default change for five Office apps that blocks VBA macros obtained from the internet<\/a>.<\/li><li>In accordance with <a href=\"https:\/\/www.cert.ssi.gouv.fr\/cti\/CERTFR-2022-CTI-001\/\">the position of ANSSI<\/a>, if your teams use a Russian antivirus (Kaspersky, Dr.Web, etc.), we recommend that, in the medium term, you consider a strategy of diversifying your cybersecurity solutions.<\/li><\/ul>\n\n\n\n<h4 class=\"has-vivid-purple-color has-text-color wp-block-heading\" id=\"h-detection-protection-recommendations\">Detection &amp; protection recommendations<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>If you have not already done so, deploy Web Application Firewall (WAF) tools and use Content Distribution Networks (CDNs) or load balancers.<\/li><li>Strengthen perimeter filtering:<ul><li>Email attachment analysis with sandbox detonation;<\/li><li>URL analysis with dynamic filtering and sandboxing;<\/li><li>Set up filtering for equipment with and without VPN (SaaS proxy solution recommended).<\/li><\/ul><\/li><li>Regularly raise awareness among employees with network access:<ul><li>With phishing awareness campaigns, for example.<\/li><\/ul><\/li><li>In general, we recommend that you increase your vigilance with regard to your subsidiaries or supply-chain providers located in Ukraine or in regions bordering Russia, and that you identify all of the interconnections that you may have with them in order to limit the risks in the event of a compromise.<\/li><li>As with every major event of this type, stay alert for potential cybercriminal schemes associated with it: disinformation campaigns, 
phishing, fraud (fake fundraising campaigns to support the country, etc.) or malware distribution.<\/li><li>It is still too early to tell whether ransomware operators known to avoid targeting the Commonwealth of Independent States will be mobilized alongside Russian forces; regardless, we recommend that you maintain your current level of vigilance on the ransomware threat and maintain your detection efforts on the TTPs used by these threat actors.<\/li><\/ul>","protected":false},"excerpt":{"rendered":"<p>Context Numerous clashes have continued in the country over the past week, with Ukrainian armed [\u2026]<\/p>","protected":false},"author":29,"featured_media":222852,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,1],"tags":[],"class_list":["post-222806","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-threat-intelligence","category-non-categorise"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Ukraine : Intrusion set involved in the Russian-Ukrainian conflict - INTRINSEC<\/title>\n<meta name=\"description\" content=\"While the military conflict continues, the cyber one is intensifying. 
A new series of offensive and destructive cyberattacks against Ukraine&#039;s infrastructure, as well as responses targeting Russian assets, are being observed.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ukraine : Intrusion set involved in the Russian-Ukrainian conflict\" \/>\n<meta property=\"og:description\" content=\"While the military conflict continues, the cyber one is intensifying. A new series of offensive and destructive cyberattacks against Ukraine&#039;s infrastructure, as well as responses targeting Russian assets, are being observed.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2022-03-08T09:00:31+00:00\" \/>\n<meta name=\"author\" content=\"Equipe CTI\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Equipe CTI\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"26 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\\\/\"},\"author\":{\"name\":\"Equipe CTI\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/8a19ea39207ca7bd0c356c66628c86bb\"},\"headline\":\"Ukraine : Intrusion set involved in the Russian-Ukrainian conflict\",\"datePublished\":\"2022-03-08T09:00:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\\\/\"},\"wordCount\":4850,\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\\\/#primaryimage\"},\"thumbnailUrl\":\"\",\"articleSection\":[\"Cyber Threat Intelligence\",\"Non cat\u00e9goris\u00e9\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\\\/\",\"name\":\"Ukraine : Intrusion set involved in the Russian-Ukrainian conflict - 
INTRINSEC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\\\/#primaryimage\"},\"thumbnailUrl\":\"\",\"datePublished\":\"2022-03-08T09:00:31+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/8a19ea39207ca7bd0c356c66628c86bb\"},\"description\":\"While the military conflict continues, the cyber one is intensifying. A new series of offensive and destructive cyberattacks against Ukraine's infrastructure, as well as responses targeting Russian assets, are being observed.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\\\/#primaryimage\",\"url\":\"\",\"contentUrl\":\"\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Ukraine : Intrusion set involved in the Russian-Ukrainian conflict\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le 
v\u00f4tre\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/8a19ea39207ca7bd0c356c66628c86bb\",\"name\":\"Equipe CTI\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/?s=96&d=retro&r=g\",\"caption\":\"Equipe CTI\"},\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/equipe-cti\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Ukraine: Intrusion set involved in the Russian-Ukrainian conflict - INTRINSEC","description":"While the military conflict continues, the cyber one is intensifying. A new series of offensive and destructive cyberattacks against Ukraine&#039;s infrastructure, as well as responses targeting Russian assets, are being observed.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/","og_locale":"en_US","og_type":"article","og_title":"Ukraine : Intrusion set involved in the Russian-Ukrainian conflict","og_description":"While the military conflict continues, the cyber one is intensifying. 
A new series of offensive and destructive cyberattacks against Ukraine's infrastructure, as well as responses targeting Russian assets, are being observed.","og_url":"https:\/\/www.intrinsec.com\/en\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/","og_site_name":"INTRINSEC","article_published_time":"2022-03-08T09:00:31+00:00","author":"Equipe CTI","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Equipe CTI","Est. reading time":"26 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/"},"author":{"name":"Equipe CTI","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/8a19ea39207ca7bd0c356c66628c86bb"},"headline":"Ukraine : Intrusion set involved in the Russian-Ukrainian conflict","datePublished":"2022-03-08T09:00:31+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/"},"wordCount":4850,"image":{"@id":"https:\/\/www.intrinsec.com\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/#primaryimage"},"thumbnailUrl":"","articleSection":["Cyber Threat Intelligence","Non cat\u00e9goris\u00e9"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/","url":"https:\/\/www.intrinsec.com\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/","name":"Ukraine: Intrusion set involved in the Russian-Ukrainian conflict - 
INTRINSEC","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intrinsec.com\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/#primaryimage"},"image":{"@id":"https:\/\/www.intrinsec.com\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/#primaryimage"},"thumbnailUrl":"","datePublished":"2022-03-08T09:00:31+00:00","author":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/8a19ea39207ca7bd0c356c66628c86bb"},"description":"While the military conflict continues, the cyber one is intensifying. A new series of offensive and destructive cyberattacks against Ukraine&#039;s infrastructure, as well as responses targeting Russian assets, are being observed.","breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/#primaryimage","url":"","contentUrl":""},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/ukraine-intrusion-set-involved-in-the-russian-ukrainian-conflict\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"Ukraine : Intrusion set involved in the Russian-Ukrainian conflict"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect 
yours.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/8a19ea39207ca7bd0c356c66628c86bb","name":"CTI Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=retro&r=g","caption":"Equipe CTI"},"url":"https:\/\/www.intrinsec.com\/en\/author\/equipe-cti\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/222806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=222806"}],"version-history":[{"count":0,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/222806\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=222806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=222806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=222806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}