{
	"id": "d8ab7482-b13b-46a4-9e6b-320dea52458c",
	"created_at": "2026-04-06T00:14:27.545884Z",
	"updated_at": "2026-04-10T13:12:01.547716Z",
	"deleted_at": null,
	"sha1_hash": "a114239f10808165a91b6bfbb239f5ffa67ac621",
	"title": "One Year After: The Cyber Implications of the Russo-Ukrainian War",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 260213,
	"plain_text": "One Year After: The Cyber Implications of the Russo-Ukrainian\r\nWar\r\nBy Livia Tibirna,\u0026nbsp;Maxime A.\u0026nbsp;and\u0026nbsp;Sekoia TDR\r\nPublished: 2023-02-21 · Archived: 2026-04-05 16:57:11 UTC\r\nAs the ongoing Russo-Ukrainian conflict started on 24 February 2022 is about to mark its first year anniversary,\r\nSekoia.io analysts share their analysis pertaining to the cyber picture. This report does not list all related cyber\r\nevents related to the Russo-Ukrainian context, but rather aims at sharing Sekoia.io TDR takes on observed and\r\nassessed strategic, operational or tactical changes since the beginning of the conflict. This publication is mostly\r\nbased on open source publications therefore incurs a lack of visibility due to the secrecy of military affairs,\r\nincluding the discreet implication from allies and foreign private companies.\r\nThis paper explores the Russian offensive cyber operations aimed at supporting the military invasion, whether it is\r\nto disrupt coordination, communication or narrative from Ukraine and supporting countries or entities. A second\r\npart analyses the rising role of cybercrime groups and hacktivist nationalist organisations in the cyber\r\nconfrontation with a focus on the techniques used by non-state actors and the way the ongoing war shaped their\r\nactivities.\r\nKey Takeaways\r\nThe Russian invasion did not combine with a major destructive cyberattack causing significant\r\ndisruption of military defence or governmental facilities. However, Russian military intelligence GRU\r\ndid employ multiple wipers targeting Ukraine and Western entities supporting Kiev.\r\n \r\nCyber operation objectives differ whether it is conducted by SVR- and FSB-operated intrusion sets\r\nor by GRU. 
The former aim at strategic intelligence and reconnaissance in support of the military operation, whereas military intelligence cyber operations seem to focus on immediate disruption.\r\nA significant number of information operations were conducted by Russian and Belarusian intelligence services to relay anti-NATO and pro-Moscow narratives regarding the military invasion.\r\nNon-state hacktivist groups increasingly demonstrated support in cyberspace to national efforts on both sides, mainly with DDoS and hack-and-leak operations. Multiple pro-Russia collectives are suspected of cooperating with Russian intelligence services.\r\nA limited number of financially motivated threat actors engaged in politically motivated attack campaigns. They mainly conducted data breach and data exfiltration campaigns and contributed to the growth of the Cybercrime-as-a-Service market over 2022.\r\nhttps://blog.sekoia.io/one-year-after-the-cyber-implications-of-the-russo-ukrainian-war/\r\nPage 1 of 10\n\nRussian-sponsored operations\r\nWhile the expectation was a coordination between the military operation and a large-scale cyber operation disrupting Ukrainian defence, governmental or civil facilities, the Russo-Ukrainian conflict did not show, as far as we can observe in open source, corresponding events. However, Sekoia.io observed a trend in the open source documented use of wiper malware allegedly by Russia-nexus intrusion sets, especially – but not exclusively – ones known to be operated by the Russian military intelligence Main Directorate of the General Staff (GRU).\r\nThe first destructive operations were observed before the beginning of the Russo-Ukrainian conflict, with a peak reported in the days before 24 February 2022, aiming at strategic targets such as the KA-SAT satellite communication modems, operated by the VIA-SAT company and allegedly used by the Ukrainian army. 
Sekoia.io’s technical investigation showed the operation used the AcidRain wiper, an analysis shared by SentinelOne, which associated the campaign with Sandworm, a Russia-nexus intrusion set attributed to the Russian GRU by the US Department of Justice in October 2020.\r\nAt least a dozen destructive malware families originating from Russia-nexus intrusion sets were observed in 2022, during the months following the beginning of the conflict. Based on open source publications, GRU-operated APT28 leveraged CaddyWiper and AwfulShred, both wipers also reported as used by GRU’s Sandworm, alongside HermeticWiper, AcidRain, Industroyer2, ZeroWipe and SwiftSlicer.\r\nOther destructive codes were leveraged by intrusion sets not yet associated with a specific Russian intelligence service but reputedly aligned with Russian strategic objectives, namely Ember Bear (aka DEV-0586) and UAC-088, which respectively used WhisperKill and DoubleZero. Based on the reputation of Russian intelligence, Sekoia.io assesses, along with other cybersecurity vendors such as Microsoft, that it is plausible that Ember Bear and UAC-088 are either subgroups or previously unassociated intrusion sets operated by GRU.\r\nIt should be noted that no use of destructive malware by identified intrusion sets operated by the Federal Security Service (FSB) (Turla, Gamaredon, Calisto, DragonFly) nor by the Foreign Intelligence Service (SVR) (APT29/Nobelium) was reported in open source. Sekoia.io notes that this observation is coherent with the past observed activities associated with these administrations, as well as the alleged mandates of the three main Russian intelligence services. Indeed, the FSB is known for its focus on targeted and strategic cyber espionage, internally and internationally, rather than destructive operations. 
The SVR is reputed to operate with a high degree of discretion, seeking to gain persistence and trying to avoid detection, whereas GRU cyber operations aim at deception, manipulation and sabotage objectives.\r\nBased on our technical investigations and open source publications, Sekoia.io analysts observe that most of the Russian destructive malware impacting Ukraine and supporting countries differs from past Russia-nexus sabotage operations.\r\nReported wipers are relatively simple and poorly developed, without automatic replication or lateral movement capability. As a reminder, after the first Russian military operation invading Crimea in 2014, Russian destructive operations impacted strategic entities of Ukraine, such as the NotPetya (2017) and BadRabbit (2017) destructive worms, originally sent to impact Ukrainian entities but carrying an overly efficient automatic replication module that led to a worldwide compromise, also impacting multiple Russian companies. Sekoia.io TDR analysts observe that destructive Sandworm operations during the Russo-Ukrainian conflict did not leverage worms, likely to prevent such past side effects.\r\nAnother possible explanation of this operational change is the alleged lack of preparation of Russian intelligence, which possibly did not properly assess the need for offensive cyber preparation to support the military operation. In parallel with the failure of its military operation to conquer Kiev and the full Ukrainian territory, cyber operations may have been poorly prepared (insufficient malware development or prepositioning). 
\r\nStill in comparison to military operations, Sekoia.io TDR analysts assess it is plausible that Russian intelligence had to work faster to catch up, looking for more immediate effects by building straightforward and ready-to-use wipers rather than complex, long-term planned destructive worms.\r\nAdditionally, a significant number of destructive operations were conducted with pseudo-ransomware used as wipers. The example of Prestige ransomware, identified by Microsoft and leveraged by Sandworm to impact Ukraine and Poland, illustrates a possible scheme of plausible deniability behind the false flag of cybercrime-related operations. However, as Prestige ransomware and other documented pseudo-ransomware were signature codes, and not picked up from cybercrime malware, the false-flag operation seems easily uncovered. It remains unclear to Sekoia.io analysts why Russian destructive campaigns would try to operate undercover in the context of an open cyber and military confrontation with Ukraine.\r\nSekoia.io assesses it is possible that, given the limits of straightforward wipers and pseudo-ransomware codes, these operations had the objective of causing confusion, disrupting Kiev’s ability to coordinate its defence, rather than looking for a game-changing impact.\r\nSEKOIA.IO investigation on the KA-SAT incident\r\nFollowing the KA-SAT incident, SEKOIA.IO analysts investigated the SurfBeam2 modems to understand the impact and the context of the attack. Our analysis showed that the firmware was entirely wiped by the same algorithm as the one present inside the AcidRain wiper (cf. FLINT 2022-015). 
Moreover, by diffing two firmware versions (pre- and post-attack), our analysis showed that the vector of this compromise was likely SSH, as every SurfBeam2 modem has SSH enabled on the SDWAN network, and the new firmware version has almost no changes except for the SSH public key of the root user.\r\nAs KA-SAT was allegedly used by the Ukrainian government as a backup link, it is worth noting that this attack had almost no impact on its communications because it was launched too early. However, the compromise had consequences on the KA-SAT commercial offer, impacting European companies and individuals through compromised modems. A private presentation of this investigation is now available for download here.\r\nWhile a significant number of destruction-motivated cyber campaigns were reported over the Russia-Ukraine conflict, most of them associated by cybersecurity researchers with GRU, multiple Russia-nexus cyber operations also aimed at gathering strategic intelligence related to the conflict.\r\nSuch operations were notably conducted by FSB-operated (Gamaredon, Calisto and Turla) or SVR-operated (APT29/Nobelium) intrusion sets, targeting multiple sectors such as diplomacy, logistics, NGOs, NATO-related entities or strategic research.\r\nSekoia.io published about a Calisto operation (aka Cold River), an intrusion set we associate with moderate confidence to the FSB, observed carrying out phishing campaigns aiming at credential theft in November 2022. Impacted organisations were notably involved in military logistics and war crime investigation. Sekoia.io analysts assess Calisto collection activities probably contribute to Russian efforts to disrupt Kiev’s supply chain for military reinforcements. 
Moreover, Russian intelligence collection about identified war crime-related evidence is likely conducted to anticipate and build a counter-narrative to future accusations.\r\nThroughout the war, SVR-operated APT29 (aka Nobelium) continued its strategic espionage activities focused on diplomatic entities from Western countries, carrying out long-term and covert operations in embassy networks. Despite the lack of open source information about the aim of those operations, we assess it is likely APT29 supplies Russian executives with intelligence related to Western diplomatic and logistics support to Ukraine. Sekoia.io actively follows the APT29 threat and published reports about the group’s TTPs, such as the EnvyScout infection chain and Slack Downloader (FLINT 2022-038), its Trello command and control infrastructure used to target European embassies in April 2022 (FLINT 2022-009) or its HTML Smuggling technique (FLINT 2021-098).\r\nThese operations illustrate the continuation of strategic cyber espionage operations conducted by the FSB and SVR. Sekoia.io assesses that the mandate of Russian intelligence services conducting cyber operations did not change despite the Russia-Ukraine conflict and is likely to be pursued in the future.\r\nCyber operations during the Russo-Ukrainian conflict were also conducted for information warfare (or info ops), in order to gather or relay narratives. A significant number of information operations were reported in open source publications; Sekoia.io chose to focus on a few examples.\r\nStarting in January 2022, multiple operations from GhostWriter (aka UNC1151) were observed by cybersecurity vendors and the Ukrainian government. 
GhostWriter, whose narratives are consistent with Belarusian government interests – a country aligned with the Russian narrative toward Ukraine – conducted info ops mostly aimed at Eastern European countries (Ukraine, Poland, Lithuania and Latvia) with anti-NATO narratives. For instance, in July 2022, Polish Prime Minister Mateusz Morawiecki accused Russian and Belarusian secret services of “hacking into government systems” and leaking emails aimed at showing political discord in Poland regarding Warsaw’s support for Ukraine.\r\nAnother example of an information operation was described by Mandiant in September 2022. The cybersecurity vendor showed that self-proclaimed hacktivist groups working in support of Russian interests, namely Xaknet, Infoccentr and CyberArmy of Russia Reborn, were cooperating with, or were straight fronts used by, GRU-operated intrusion sets. Sekoia.io concurs with Mandiant’s assessment based on our knowledge of APT28’s use of fronts, such as Cyber Berkut (2014), Yemeni Cyber Army (2015), CyberCaliphate (2015) or Guccifer 2.0 and DCLeaks (2016), all leveraged to conduct false-flag hack-and-leak operations posing as hacktivists.\r\nNon-state threat groups\r\nAnother evolution that Sekoia.io observed is the importance of the role played by allegedly non-state collectives, either belonging to the cybercrime ecosystem or structured as cyber hacktivist groups taking part in the conflict.\r\nAmong the non-state cyber threat groups involved in the confrontation, hacktivist groups were among the most active actors of the cyber landscape since February 2022. 
Organised hacktivist collectives declaring support for Russia or for Ukraine were either existing structures progressively joining the war effort in cyberspace (Belarusian Cyber Partisans, Killnet) or newly created groups in the wake of 24 February (NoName057, XakNet, People’s Cyber Army of Russia, 2402team, IT Army of Ukraine, Squad303).\r\nKillnet is a prominent pro-Russian hacktivist collective and one of the most active in recent months. The group’s activity on Telegram goes back to January 2022 and started with offering DDoS-for-hire services. Killnet joined the Russo-Ukrainian war in cyberspace later in February and positioned itself as a counter-offensive to an Anonymous-nebula initiative, which declared its support for Ukraine. Killnet is currently a highly structured hacktivist group, operating with a galaxy of “special forces squads”, notably via social media accounts and websites. While it mainly engages in DDoS attacks with minor damage, the critical nature of its documented targets (e.g. healthcare organisations, national governments and international organisations) and its continuous alignment with Russian strategic interests in the context of the conflict turn this group into a top-tier hacktivist threat for Ukraine and NATO countries.\r\nAnother emblematic example is the IT Army of Ukraine, created on 26 February 2022 to conduct cyber operations notably against Russia and Belarus. This volunteer organisation, announced by Ukraine’s Minister for Digital Transformation, is allegedly coordinated by Ukrainian state representatives. Based on open sources, the IT Army is composed of both amateurs (civilians) and dedicated professionals (civilian, military and intelligence representatives) from all over the world. 
The IT Army of Ukraine provides its members with attack infrastructure as well as targeting indications, likely to support and reinforce Ukraine’s offensive efforts in cyberspace.\r\nHacktivist groups also emerged in other countries, including Poland, from where Squad303 is said to be coordinated. Based on Sekoia.io observations, Squad303 hacktivists allegedly developed a tool allowing anyone to send text messages to verified Russian mobile numbers and email addresses to spread anti-war messages and share them on a dedicated website.\r\nSekoia.io also observed a number of existing hacktivist groups from around the world that progressively joined the Russian or Ukrainian side starting from February 2022. Belarusian Cyber Partisans (allegedly a group of Belarusian politically motivated hackers) and AgainstTheWest (allegedly operating out of western Europe) both show support for Ukraine.\r\nSocial media platforms and messaging apps such as Twitter and Telegram played a significant role in the hacktivists’ involvement in the ongoing confrontation in cyberspace. Telegram in particular became a hub for hacktivist groups’ organisation. From Sekoia.io observations, they use Telegram for sharing hacking guidelines, pointing out targets, publicly claiming past or ongoing attacks and recruiting adherents to their cause.\r\nBased on a CheckPoint report, the number of Telegram groups increased sixfold between February 24 and early March 2022. However, most of them (71%) were dedicated to news around the ongoing war, according to the same source. This is likely due to the great visibility social networks can provide, the ease of use, the extended functionalities and the fact that moderation measures of messaging apps are hard to implement.\r\nDDoS attacks became one of the most widely used techniques by hacktivist groups. 
Sekoia.io analysts observed both pro-Russian and pro-Ukrainian groups mainly targeting entities of interest with Distributed Denial-of-Service (DDoS) and website defacement attacks over the last year, likely due to 1) the relative ease of carrying out such attacks and 2) their immediate impact and the reputational damage they can cause the victim.\r\nIn some cases, hacktivists claimed cyber attacks that were not confirmed afterwards, highly likely to generate publicity around their actions, to improve their public image and to demoralise the opposing side.\r\nWhile we believe hacktivist groups are not the most impactful in terms of cyber operations so far, they still conducted successful attacks with significant operational consequences, mainly by deploying ransomware. For example, one month before the beginning of the Russo-Ukrainian conflict, Belarusian Cyber-Partisans encrypted the servers of Belarus’s national state-owned railway company and claimed it as an act of protest against the deployment of Russian military troops near Ukraine using the Belarusian Railways’ system. The hacktivist collective Network Battalion ’65 also claimed ransomware attacks against Russian targets without demanding a ransom (or declaring that it donated the ransom to Ukraine). Therefore, Sekoia.io assesses these ransomware attacks should be considered disruptive rather than lucrative.\r\nAn additional technique widely used by hacktivists since February 2022 is hack-and-leak operations. The RaHDIt group (for “Russian Angry Hackers Did It”) notably obtained and leaked personal information about military intelligence representatives in Ukraine and NATO countries. 
By their own account, the RaHDIt threat actors cooperate with the Russian army by providing actionable intelligence about the Ukrainian army.\r\nWe assess hack-and-leak campaigns conducted by hacktivist groups directly contributed to the proliferation of stolen data released on the Deep and Dark Web last year. Sekoia.io assesses that hack-and-leak operations can possibly be precursors of future cyber operations.\r\nAt this stage, it is almost certain that the hack-and-leak campaigns involving sensitive data since February 2022 significantly broadened the attack surface of affected entities. Apart from compromising the victims’ security and reputation, this data can now be used by threat actors as a pivot for further malicious campaigns.\r\nThe most visible impact of hacktivism during the first year following the Russian invasion of Ukraine was the reduced availability of targeted public-facing websites and disrupted services due to DDoS attacks and ransomware operations, along with the associated reputational damage.\r\nFinally, the proliferation of hacktivist groups joining different sides in the conflict served the purpose of showing support (or opposition) to ongoing military and political actions and influencing the war narrative. Evidence of hacktivist groups’ influence on the war narrative can be illustrated by the CyberAzov campaign associated with FSB-operated Turla, a reconnaissance operation collecting data related to anti-Russia hacktivists. Sekoia.io assesses that the fact this advanced intrusion set was activated to counter a pro-Ukraine hacktivism initiative shows the importance Russian intelligence gives to such cyber threats (cf. 
FLINT 2022-043).\r\nCybercrime communities’ involvement\r\nSekoia.io noted that cybercrime groups, assessed to be opportunistic by nature, did not significantly change their modus operandi after the beginning of the Russo-Ukrainian conflict.\r\nThe first major cybercrime group reported to share its reaction to the conflict was the now-disbanded Conti syndicate. The day after the launch of the invasion of Ukraine, Sekoia.io analysts noticed a declaration on Conti’s Dark Web site expressing Conti’s support for the Russian authorities in their operations in Ukraine: “The Conti team officially announces its full support for the Russian government”.\r\nEven though the initial statement was changed the same day (“We are not associated with any government and we denounce the ongoing war”), it allegedly prompted a group member to leak compromising internal data in a series of posts on social media. While it is uncertain whether this was the reason, the group later decided to disband, and its members are believed to be now involved in other cybercrime organisations. This is an example of how the war impacted the structure and functioning of a cybercrime group.\r\nWe also observed the BlackCat ransomware group claiming an increasing number of ransomware attacks targeting Western energy infrastructures during the last year. Although this happened at a time when Russian attacks on Ukrainian energy infrastructure were on the rise, in the absence of any evidence of a link between those ransomware attacks and the war, the connection is to be considered circumstantial.\r\nAdditionally, other threat actors are assessed to be part of the conflict in an indirect way, notably by supplying the underground community with commodity toolkits. Of note, threat actors traditionally offer DDoS tools and services and other cybercrime frameworks for sale on the Deep and Dark Web. Yet this practice changed from Q1 2022 onwards. 
Not only did the frequency of messages related to DDoS increase significantly, but the ratio of threat actors offering attack tools for free to the community also soared on Telegram. Sekoia.io assesses that the almost unrestricted access to these tools (e.g. the “DDoS_RU_Bot” provided by the IT Army of Ukraine) and the target-oriented communication from leading hacktivist and cybercrime groups will keep driving up the number of DDoS attacks in 2023.\r\nOne recent example of such a commodity toolkit is the Passion DDoS-as-a-Service (DDoSaaS) platform, reportedly attributed to a group affiliated with Killnet and already leveraged in attacks against medical institutions across Europe and the United States in early 2023.\r\nOther groups decided to remain neutral. For instance, the LockBit ransomware group underlined the apolitical nature of its activities. Based on a notice published on the group’s dedicated Dark Web site, this would be motivated by the fact that LockBit members originate from both CIS countries (including Russia and Ukraine) and countries from all over the world. It is likely that LockBit adopted this position to avoid any politically based internal conflict and to prevent scrutiny from law enforcement agencies.\r\nOverall, we assess that the cybercrime community operating on the Dark Web did not experience major cleavages following the war in Ukraine that would clearly divide it into multiple sub-communities, or at least into distinct pro-Ukrainian and pro-Russian underground bodies. 
While it remained unitary and the top-tier Russian-speaking cybercrime forums and marketplaces harbour threat actors regardless of their position in the conflict, we observed several isolated exceptions.\r\nFor example, in mid-2022 the pro-Ukrainian hacking group Cyber.Anarchy.Squad (CAS) created Dump Forums – a new cybercrime forum specialised in exposing and selling Russia-related data. Later in 2022, Cyber.Anarchy.Squad also claimed responsibility for attacks on Russian administration and critical infrastructure and auctioned the exfiltrated data to fund the Ukrainian army. Another such example is the Infinity forum launched by the Killmilk group (part of the Killnet galaxy) in 2023 to reunite pro-Russian threat actors.\r\nWe also monitor dedicated platforms hosting repositories of hacked data, mainly from Russian government agencies and private companies (such as the DDoSecrets platform), or else from Ukrainian targets (such as FreeCivilian).\r\nFinal words\r\nAfter a year of confrontation, Sekoia.io observes the Russia-Ukraine conflict had different impacts on the cyber threat ecosystem.\r\nDespite tactical evolutions in GRU destructive cyber operations, the mandate of Russian intelligence services conducting cyber operations did not significantly change: the FSB and SVR conduct strategic intelligence-oriented campaigns in order to disrupt Kiev’s ability to gain support and coordinate its defence. Sekoia.io assesses GRU-operated intrusion sets will likely continue to target Ukraine and the supply chain in allied Western countries with destructive malware, whereas the FSB and SVR will pursue intelligence gathering operations for strategic purposes.\r\nAn evolution is still discernible in the ecosystem of non-state cyber threats. Among non-state actors joining the conflict in cyberspace, hacktivist groups were the most involved. 
Some of the hacktivist collectives aligned with Russian or Ukrainian strategic interests are presumed to cooperate with national intelligence services.\r\nFrom Sekoia.io observations, the involvement of cybercrime and Dark Web-related threat actors in the conflict was mostly limited to isolated cases. We assess that financially motivated actors taking positions regarding the war did so partly by conviction, but mostly by opportunism to benefit from the ongoing targeting trends, and as a precaution with regard to the authorities of their respective countries.\r\nSekoia.io reminds that the blurred nature of war and military secrecy makes it difficult to get an exhaustive view of cyber events based on open source. The real impact of destructive operations or the strategic benefits from cyber espionage cannot be properly assessed due to the involvement of allies, such as the USCyberCom Hunt Forward Operations, or the role played by private firms like Microsoft and Amazon in securing Ukrainian government data in the cloud.\r\nSource: https://blog.sekoia.io/one-year-after-the-cyber-implications-of-the-russo-ukrainian-war/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sekoia.io/one-year-after-the-cyber-implications-of-the-russo-ukrainian-war/"
	],
	"report_names": [
		"one-year-after-the-cyber-implications-of-the-russo-ukrainian-war"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "afb851c4-b2e8-40e3-ac37-c55d8c0ab3cd",
			"created_at": "2022-10-25T16:07:23.516432Z",
			"updated_at": "2026-04-10T02:00:04.637109Z",
			"deleted_at": null,
			"main_name": "Cyber Berkut",
			"aliases": [
				"Kiberberkut"
			],
			"source_name": "ETDA:Cyber Berkut",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "268479f9-6666-488e-a41e-14593ed4c2f7",
			"created_at": "2023-01-06T13:46:38.614508Z",
			"updated_at": "2026-04-10T02:00:03.039929Z",
			"deleted_at": null,
			"main_name": "Cyber Berkut",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Berkut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea4f255b-346d-4907-a801-1f797a99d4b0",
			"created_at": "2023-01-06T13:46:38.693529Z",
			"updated_at": "2026-04-10T02:00:03.070408Z",
			"deleted_at": null,
			"main_name": "Cyber Caliphate Army",
			"aliases": [
				"UUC",
				"CyberCaliphate",
				"Islamic State Hacking Division",
				"CCA",
				"United Cyber Caliphate"
			],
			"source_name": "MISPGALAXY:Cyber Caliphate Army",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4f472ea8-b147-486d-8533-88f8036343a6",
			"created_at": "2024-01-23T13:22:35.081084Z",
			"updated_at": "2026-04-10T02:00:03.520098Z",
			"deleted_at": null,
			"main_name": "Cyber Partisans",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Partisans",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0bce7575-ba34-4742-afb7-a4d3ade12dbe",
			"created_at": "2023-11-14T02:00:07.091122Z",
			"updated_at": "2026-04-10T02:00:03.448867Z",
			"deleted_at": null,
			"main_name": "XakNet",
			"aliases": [
				"UAC-0100",
				"UAC-0106"
			],
			"source_name": "MISPGALAXY:XakNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8754f54b-7154-4996-b065-94f04f846022",
			"created_at": "2023-11-07T02:00:07.095161Z",
			"updated_at": "2026-04-10T02:00:03.405596Z",
			"deleted_at": null,
			"main_name": "NB65",
			"aliases": [
				"Network Battalion 65"
			],
			"source_name": "MISPGALAXY:NB65",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d58f7d9f-abb3-4e78-a13a-b87399fc03e5",
			"created_at": "2024-04-20T02:00:03.559673Z",
			"updated_at": "2026-04-10T02:00:03.618525Z",
			"deleted_at": null,
			"main_name": "Cyber Army of Russia Reborn",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Army of Russia Reborn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ffc4eae6-3bb3-49f5-9db8-9a98e3bde1ab",
			"created_at": "2024-04-20T02:00:03.564963Z",
			"updated_at": "2026-04-10T02:00:03.61935Z",
			"deleted_at": null,
			"main_name": "People's Cyber Army of Russia",
			"aliases": [],
			"source_name": "MISPGALAXY:People's Cyber Army of Russia",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05b0c294-6e79-4d58-8291-73d2c1c7d9bd",
			"created_at": "2024-06-25T02:00:05.048321Z",
			"updated_at": "2026-04-10T02:00:03.665219Z",
			"deleted_at": null,
			"main_name": "BlueHornet",
			"aliases": [
				"APT49",
				"AgainstTheWest"
			],
			"source_name": "MISPGALAXY:BlueHornet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "68d50d91-7569-4e09-b155-98b23b23918a",
			"created_at": "2023-01-06T13:46:38.877268Z",
			"updated_at": "2026-04-10T02:00:03.130232Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Nahr Elbard",
				"Nahr el bared"
			],
			"source_name": "MISPGALAXY:Cold River",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c26ba56b-628e-4610-b167-1610efb08459",
			"created_at": "2024-02-22T02:00:03.77679Z",
			"updated_at": "2026-04-10T02:00:03.594516Z",
			"deleted_at": null,
			"main_name": "Cyber.Anarchy.Squad",
			"aliases": [
				"Cyber Anarchy Squad"
			],
			"source_name": "MISPGALAXY:Cyber.Anarchy.Squad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9a11c31f-ebed-4b8d-9a5a-b3c842bfe293",
			"created_at": "2024-09-20T02:00:04.58523Z",
			"updated_at": "2026-04-10T02:00:03.700883Z",
			"deleted_at": null,
			"main_name": "RaHDit",
			"aliases": [
				"Russian Angry Hackers Did It"
			],
			"source_name": "MISPGALAXY:RaHDit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bdbf873a-048d-4c5d-9d92-922327cc83a8",
			"created_at": "2023-01-06T13:46:39.387696Z",
			"updated_at": "2026-04-10T02:00:03.310459Z",
			"deleted_at": null,
			"main_name": "DEV-0586",
			"aliases": [
				"Ruinous Ursa",
				"Cadet Blizzard"
			],
			"source_name": "MISPGALAXY:DEV-0586",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434467,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a114239f10808165a91b6bfbb239f5ffa67ac621.pdf",
		"text": "https://archive.orkl.eu/a114239f10808165a91b6bfbb239f5ffa67ac621.txt",
		"img": "https://archive.orkl.eu/a114239f10808165a91b6bfbb239f5ffa67ac621.jpg"
	}
}