A new worm that spreads via USB sticks is infecting computers in Ukraine and beyond.

The group­—known by many names, including Gamaredon, Primitive Bear, ACTINIUM, Armageddon, and Shuckworm—has been active since at least 2014 and has been attributed to Russia’s Federal Security Service by the Security Service of Ukraine. Most Kremlin-backed groups take pains to fly under the radar; Gamaredon doesn’t care to. Its espionage-motivated campaigns targeting large numbers of Ukrainian organizations are easy to detect and tie back to the Russian government. The campaigns typically revolve around malware that aims to obtain as much information from targets as possible.

One of those tools is a computer worm designed to spread from computer to computer through USB drives. Tracked by researchers from Check Point Research as LitterDrifter, the malware is written in the Visual Basic Scripting language. LitterDrifter serves two purposes: to promiscuously spread from USB drive to USB drive and to permanently infect the devices that connect to such drives with malware that permanently communicates with Gamaredon-operated command-and-control servers.

Enlarge / Starlink satellite dish seen on September 25, 2022, in Izyum, Kharkiv region, amid the Russian invasion of Ukraine. (credit: Getty Images | Yasuyoshi Chiba)

Elon Musk ordered SpaceX engineers to temporarily disable Starlink in order to thwart a Ukrainian submarine drone attack on the Russian naval fleet last year, according to a report based on a new biography of Musk. The book provides more details on a previously reported incident.

A CNN exclusive report today said, "Elon Musk secretly ordered his engineers to turn off his company's Starlink satellite communications network near the Crimean coast last year to disrupt a Ukrainian sneak attack on the Russian naval fleet, according to an excerpt adapted from Walter Isaacson's new biography of the eccentric billionaire titled 'Elon Musk.'"

"As Ukrainian submarine drones strapped with explosives approached the Russian fleet, they 'lost connectivity and washed ashore harmlessly,' Isaacson writes," the CNN report said. Ukrainian officials reportedly begged Musk to turn satellite service in the area back on.

Read 20 remaining paragraphs | Comments

Enlarge / Ukrainian medics of the battalion "Da Vinci Wolves" and "Ulf" paramedical unit transfer a wounded Ukrainian soldier to a stabilization point on the Bakhmut front as the Russia-Ukraine war continues on April 6, 2023. (credit: Getty | Diego Herrera Carcedo/Anadolu Agency )

Russia's invasion of Ukraine is fueling a dangerous rise in bacterial drug resistance—an alarming reality made clear by a recent case report of an injured Ukrainian soldier who became infected with six different extensively drug-resistant bacteria, one of which was resistant to every antibiotic tested.

Health experts are sounding the alarm that the nearly unbeatable germs will likely spread beyond the war-torn country's borders. "Given the forced migration of the population, multidrug resistance of wound pathogens is now a problem not only for Ukraine but also for healthcare systems around the world, especially in the EU," Ukrainian scientists and doctors wrote in a recent letter in the Irish Journal of Medical Scientists.

The rise of antibiotic resistance is a long-standing, critical threat to global public health. In 2019, antimicrobial resistance was directly responsible for an estimated 1.27 million deaths worldwide and linked to an estimated 4.95 million total, according to an analysis published last year in the Lancet .

Read 7 remaining paragraphs | Comments

Enlarge / Locked out. (credit: Sean Gladwell / Getty Images )

Threat actors aligned with Russia and Belarus are targeting elected US officials supporting Ukraine, using attacks that attempt to compromise their email accounts, researchers from security firm Proofpoint said.

The campaign, which also targets officials of European nations, uses malicious JavaScript that’s customized for individual webmail portals belonging to various NATO-aligned organizations, a report Proofpoint published Thursday said. The threat actor—which Proofpoint has tracked since 2021 under the name TA473—employs sustained reconnaissance and painstaking research to ensure the scripts steal targets’ usernames, passwords, and other sensitive login credentials as intended on each publicly exposed webmail portal being targeted.

Tenacious targeting

“This actor has been tenacious in its targeting of American and European officials as well as military and diplomatic personnel in Europe,” Proofpoint threat researcher Michael Raggi wrote in an email. “Since late 2022, TA473 has invested an ample amount of time studying the webmail portals of European government entities and scanning publicly facing infrastructure for vulnerabilities all in an effort to ultimately gain access to emails of those closely involved in government affairs and the Russia-Ukraine war.”

Read 10 remaining paragraphs | Comments

They’re using commercial phones, which go through the Ukrainian telecom network :

“You still have a lot of soldiers bringing cellphones to the frontline who want to talk to their families and they are either being intercepted as they go through a Ukrainian telecommunications provider or intercepted over the air,” said Alperovitch. “That doesn’t pose too much difficulty for the Ukrainian security services.”

[…]

“Security has always been a mess, both in the army and among defence officials,” the source said. “For example, in 2013 they tried to get all the staff at the ministry of defence to replace our iPhones with Russian-made Yoto smartphones.

“But everyone just kept using the iPhone as a second mobile because it was much better. We would just keep the iPhone in the car’s glove compartment for when we got back from work. In the end, the ministry gave up and stopped caring. If the top doesn’t take security very seriously, how can you expect any discipline in the regular army?”

This isn’t a new problem and it isn’t a Russian problem. Here’s a more general article on the problem from 2020.

The Russian hacking group Turla released an Android app that seems to aid Ukrainian hackers in their attacks against Russian networks. It’s actually malware, and provides information back to the Russians:

The hackers pretended to be a “community of free people around the world who are fighting russia’s aggression”—much like the IT Army. But the app they developed was actually malware. The hackers called it CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine’s national guard . To add more credibility to the ruse they hosted the app on a domain “spoofing” the Azov Regiment: cyberazov[.]com.

[…]

The app actually didn’t DDoS anything, but was designed to map out and figure out who would want to use such an app to attack Russian websites, according to Huntely.

[…]

Google said the fake app wasn’t hosted on the Play Store, and that the number of installs “was miniscule.”

Details from Google’s Threat Analysis Group here .

Microsoft has a comprehensive report on the dozens of cyberattacks — and even more espionage operations — Russia has conducted against Ukraine as part of this war:

At least six Russian Advanced Persistent Threat (APT) actors and other unattributed threats, have conducted destructive attacks, espionage operations, or both, while Russian military forces attack the country by land, air, and sea. It is unclear whether computer network operators and physical forces are just independently pursuing a common set of priorities or actively coordinating. However, collectively, the cyber and kinetic actions work to disrupt or degrade Ukrainian government and military functions and undermine the public’s trust in those same institutions.

[…]

Threat groups with known or suspected ties to the GRU have continuously developed and used destructive wiper malware or similarly destructive tools on targeted Ukrainian networks at a pace of two to three incidents a week since the eve of invasion. From February 23 to April 8, we saw evidence of nearly 40 discrete destructive attacks that permanently destroyed files in hundreds of systems across dozens of organizations in Ukraine.