Starting May 24, the group calling themselves \u201cCyber Spetsnaz\u201d announced the launch of a new campaign \u201cPanopticon\u201d which aimed to recruit 3,000 volunteer cyber offensive specialists willing to participate in attacks against the European Union and the Ukrainian government institutions including Ukrainian companies.<\/p>\n
Around April time, \u201cCyber Spetsnaz\u201d built one its first divisions called \u201cZarya\u201d, they looked for experienced penetration testers, OSINT specialists, and hackers:<\/p>\n
![\"\"](\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2022\/07\/Cyber-Spetsnaz-Article_html_9c0cd242e71c2356.webp\")
<\/p>\n
Around this time the group performed one of their first coordinated attacks against NATO. Prior to that, \u201cCyber Spetsnaz\u201d members have been distributing domains assigned to the NATO infrastructure, by doing so they could plan an effective attack. The actor shared a list of NATO resources and a comprehensive Excel file.<\/p>\n
![\"\"](\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2022\/07\/Cyber-Spetsnaz-Article_html_3aea28eeedf152e6.webp\")
<\/p>\n
On June 2nd, the group created a new division called \u201cSparta\u201d. The responsibility of the new division includes \u201ccyber sabotage\u201d, disruption of Internet resources, data theft and financial intelligence focused on NATO, their members and allies. Notably, \u201cSparta\u201d outlines this activity as a key priority today and confirms the newly created division is an official part of \u201cKillnet Collective\u201d group.<\/p>\n
Based on the description, the actors call themselves \u201chacktivists\u201d, however, it\u2019s not yet clear if the group has any connection to state actors. Sources interviewed by Security Affairs interpreted this activity with high levels of confidence to be state-supported. Interestingly, the name \u201cSparta\u201d (in context of the current Ukrainian war) is related to the name of a unit from the Donetsk People\u2019s Republic (DNR).<\/p>\n
![\"\"](\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2022\/07\/Cyber-Spetsnaz-Article_html_8a87c098c188c34.webp\")
<\/p>\n
Besides proprietary tools, they\u2019re leveraging MHDDoS, Blood, Karma DDoS, Hasoki, DDoS Ripper and GoldenEye scripts to generate malicious traffic on Layer 7 which may impact the availability of WEB resources.<\/p>\n
![\"\"](\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2022\/07\/Cyber-Spetsnaz-Article_html_f90374d052a3f632.webp\")
<\/p>\n
The group performed cyber-attacks against 5 logistic terminals in Italy (Sech, Trieste, TDT, Yilprort, VTP) and several major financial institutions too. \u201cPhoenix\u201d coordinated its activities with another division called \u201cRayd\u201d who previously attacked government resources in Poland including the Ministry of Foreign Affairs, Senate, Border Control and the Police. Other divisions involved in the DDoS attacks included \u201cVera\u201d, \u201cFasoninnGung\u201d, \u201cMirai\u201d, \u201cJacky\u201d, \u201cDDOS Gung\u201d and \u201cSakurajima\u201d who previously attacked multiple WEB-resources in Germany.<\/p>\n
According to Resecurity, such hacktivist campaigns typically have the goal to orchestrate certain information operations rather than a real cyber-attack that disrupts networks or the availability of critical resources. Cybersecurity specialists should be especially careful with attribution, as in some cases such activity leads to provocations and purposely generated operations.<\/p>\n
Based on the observed victims and close collaboration with several impacted organizations, the attacks primarily focused on the exploitation of poorly configured WEB servers and short-term disruptions. Proper hardening and implementation of WAF, along with DDoS protection may preemptively resolve the issue, as the total network attack pool of unique sources may be exhausted relatively quickly. The logged sources of attacks showed how the attackers are actively using spoofed IP addresses and the deployment of tools on compromised IoT devices and hacked WEB resources.<\/p>\n