{
	"id": "3c48d5bf-a34f-4fb1-874b-4a90bdfe2f0a",
	"created_at": "2026-04-06T00:10:53.289058Z",
	"updated_at": "2026-04-10T03:27:56.022106Z",
	"deleted_at": null,
	"sha1_hash": "8570e7d0663e50fbb04caf60d3c38130a36e55a0",
	"title": "Rewterz Threat Update - Pro-Ukraine Hacktivists Breach Russian ISP as Revenge for KyivStar Attack - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 490294,
	"plain_text": "Rewterz Threat Update - Pro-Ukraine Hacktivists Breach Russian\r\nISP as Revenge for KyivStar Attack - Rewterz\r\nPublished: 2024-01-11 · Archived: 2026-04-05 12:37:55 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nIn the heat of the ongoing Russia-Ukraine cyberwarfare, a hacktivist group supporting Ukraine named ‘Blackjack’\r\nhas recently claimed a cyberattack against Russian internet service provider M9com as a response to the attack\r\nagainst Kyivstar, which is Ukraine’s largest telecom company.\r\nKyivstar’s services were severely disrupted in December 2023; it was later revealed that the disruption was caused\r\nby a cyberattack from Russian threat actors. An investigation by Ukraine’s security organizations showed that\r\nthe Russian attackers initially intruded on Kyivstar in May 2023 and had been preparing for the attack since then.\r\nThe attack resulted in the wiping of thousands of virtual computers and servers.\r\nA few days ago, the Blackjack threat actor group announced on Telegram that they had breached M9com, one\r\nof the largest internet service providers (ISP) in Moscow. The hacktivists claimed that they stole sensitive data\r\nfrom the company along with disrupting M9com’s internet services. They also shared a Tor URL for three ZIP\r\narchives containing images to prove their access to M9com’s systems, 50 GB of call data, and account credentials\r\nof several customers and employees.\r\nVarious screenshots also show FTP command execution used to delete server files, remove configuration files,\r\nand wipe backup data, as well as the vSphere client, the RIPE billing portal and database, and the dashboard for\r\nthe Resource Public Key Infrastructure (RPKI). Some leaked files have full names, usernames, email addresses,\r\nand passwords in cleartext form, along with other sensitive data. 
Blackjack also defaced the official website of\r\nM9com.\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-update-pro-ukraine-hacktivists-breach-russian-isp-as-revenge-for-kyivstar-attack/\r\nPage 1 of 3\n\nM9com has not given any public statement on the authenticity and validity of the leaked data. On the other hand,\r\nBlackjack has posted a public message promising that this is just one of the many attacks they are planning to\r\nlaunch as revenge for the Kyivstar breach.\r\nMany pro-Russian hacktivists are aiming to take down services in distributed denial-of-service attacks, but the\r\nactivity the Blackjack group has carried out shows a much greater impact because recovery from wiped servers proves\r\nto be very difficult when the backups are also destroyed. According to a source from Ukraine’s law enforcement\r\nagencies, the Blackjack group may be related to the Security Service of Ukraine (SBU). They managed to delete\r\n20 TB of data during the cyberattack.\r\nImpact\r\nData Loss\r\nSensitive Information Theft\r\nWeb Defacement\r\nRemediation\r\nImplement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login\r\nprocesses.\r\nConsider the use of phishing-resistant authenticators to further enhance security. These types of\r\nauthenticators are designed to resist phishing attempts and provide additional protection against social\r\nengineering attacks.\r\nRegularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is\r\nunderway.\r\nOrganizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and\r\ndata from potential threats. 
This includes regularly updating software and implementing strong access\r\ncontrols and monitoring tools.\r\nDevelop a comprehensive incident response plan to respond effectively in case of a security breach or data\r\nleakage.\r\nMaintain regular backups of critical data and systems to ensure data recovery in case of a security incident.\r\nAdhere to security best practices, including the principle of least privilege, and ensure that users and\r\napplications have only the necessary permissions.\r\nEstablish a robust patch management process to ensure that security patches are evaluated, tested, and\r\napplied promptly.\r\nConduct security audits and assessments to evaluate the overall security posture of your systems and\r\nnetworks.\r\nImplement network segmentation to contain and isolate potential threats to limit their impact on critical\r\nsystems.\r\nNever trust or open links and attachments received from unknown sources/senders.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-update-pro-ukraine-hacktivists-breach-russian-isp-as-revenge-for-kyivstar-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-update-pro-ukraine-hacktivists-breach-russian-isp-as-revenge-for-kyivstar-attack/"
	],
	"report_names": [
		"rewterz-threat-update-pro-ukraine-hacktivists-breach-russian-isp-as-revenge-for-kyivstar-attack"
	],
	"threat_actors": [
		{
			"id": "1a9c4f3f-2178-4c83-a9b5-d2135d90520a",
			"created_at": "2024-04-19T02:00:03.623733Z",
			"updated_at": "2026-04-10T02:00:03.615238Z",
			"deleted_at": null,
			"main_name": "BlackJack",
			"aliases": [],
			"source_name": "MISPGALAXY:BlackJack",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434253,
	"ts_updated_at": 1775791676,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8570e7d0663e50fbb04caf60d3c38130a36e55a0.pdf",
		"text": "https://archive.orkl.eu/8570e7d0663e50fbb04caf60d3c38130a36e55a0.txt",
		"img": "https://archive.orkl.eu/8570e7d0663e50fbb04caf60d3c38130a36e55a0.jpg"
	}
}