by Curated Intelligence
Ukraine-Cyber-Operations
Curated Intelligence is working with analysts from around the world to provide useful information to organisations in Ukraine looking for additional free threat intelligence. Slava Ukraini. Glory to Ukraine. (Blog | Twitter | LinkedIn)
Analyst Comments:
- 2022-02-25
  - Creation of the initial repository to help organisations in Ukraine
- 2022-02-26
  - Additional resources, chronologically ordered (h/t Orange-CD), plus a section on vetted OSINT sources and Miscellaneous resources
Threat Reports
Date | Source | Threat(s) | URL |
---|---|---|---|
14 JAN | SSU Ukraine | Website Defacements | ssu.gov.ua |
15 JAN | Microsoft | WhisperGate wiper | microsoft.com |
22 JAN | RaidForums | Data broker "vlakayla" offering Ukrainian citizens' PII (name, phone, email) | RaidForums [not linked] |
23 JAN | RaidForums | Data broker "Mont4na" offering UkrFerry | RaidForums [not linked] |
23 JAN | RaidForums | Data broker "Mont4na" offering PrivatBank | RaidForums [not linked] |
24 JAN | RaidForums | Data broker "Mont4na" offering DTEK | RaidForums [not linked] |
27 JAN | RaidForums | Data broker "an3key" offering Ministry for Communities and Territories Development of Ukraine | RaidForums [not linked] |
31 JAN | Symantec | Gamaredon/Shuckworm/PrimitiveBear (FSB) | symantec-enterprise-blogs.security.com |
2 FEB | RaidForums | Access broker "GodLevel" offering Ukrainian agricultural exchange | RaidForums [not linked] |
2 FEB | CERT-UA | UAC-0056 using SaintBot and OutSteel malware | cert.gov.ua |
3 FEB | PAN Unit42 | Gamaredon/Shuckworm/PrimitiveBear (FSB) | unit42.paloaltonetworks.com |
4 FEB | Microsoft | Gamaredon/Shuckworm/PrimitiveBear (FSB) | microsoft.com |
8 FEB | NSFOCUS | Lorec53 | nsfocusglobal.com |
15 FEB | CERT-UA | DDoS attacks against the name server of government websites as well as Oschadbank (State Savings Bank) & Privatbank (largest commercial bank). False SMS and e-mails to create panic | cert.gov.ua |
23 FEB | UK NCSC | Sandworm/VoodooBear (GRU) | ncsc.gov.uk |
23 FEB | SentinelLabs | HermeticWiper | sentinelone.com |
24 FEB | ESET | HermeticWiper | welivesecurity.com |
24 FEB | Symantec | HermeticWiper | symantec-enterprise-blogs.security.com |
24 FEB | Cisco Talos | HermeticWiper | blog.talosintelligence.com |
24 FEB | Zscaler | HermeticWiper | zscaler.com |
24 FEB | CronUp | Data broker "FreeCvilian" offering multiple .gov.ua | twitter.com/1ZRR4H |
24 FEB | RaidForums | Data broker "Featherine" offering diia.gov.ua | RaidForums [not linked] |
24 FEB | DomainTools | Unknown scammers | twitter.com/SecuritySnacks |
25 FEB | @500mk500 | Gamaredon/Shuckworm/PrimitiveBear (FSB) | twitter.com/500mk500 |
25 FEB | @500mk500 | Gamaredon/Shuckworm/PrimitiveBear (FSB) | twitter.com/500mk500 |
25 FEB | Microsoft | HermeticWiper | gist.github.com |
25 FEB | 360 NetLab | DDoS (Mirai, Gafgyt, IRCbot, Ripprbot, Moobot) | blog.netlab.360.com |
25 FEB | Conti [themselves] | Conti ransomware, BazarLoader | Conti News .onion [not linked] |
25 FEB | CoomingProject [themselves] | Data Hostage Group | CoomingProject Telegram [not linked] |
25 FEB | CERT-UA | UNC1151/Ghostwriter (Belarus MoD) | CERT-UA Facebook |
25 FEB | Sekoia | UNC1151/Ghostwriter (Belarus MoD) | twitter.com/sekoia_io |
25 FEB | @jaimeblascob | UNC1151/Ghostwriter (Belarus MoD) | twitter.com/jaimeblasco |
25 FEB | RISKIQ | UNC1151/Ghostwriter (Belarus MoD) | community.riskiq.com |
25 FEB | MalwareHunterTeam | Unknown phishing | twitter.com/malwrhunterteam |
25 FEB | ESET | Unknown scammers | twitter.com/ESETresearch |
25 FEB | BitDefender | Unknown scammers | blog.bitdefender.com |
25 FEB | SSSCIP Ukraine | Unknown phishing | twitter.com/dsszzi |
25 FEB | RaidForums | Data broker "NetSec" offering FSB (likely SMTP accounts) | RaidForums [not linked] |
25 FEB | Zscaler | PartyTicket decoy ransomware | zscaler.com |
25 FEB | INCERT GIE | Cyclops Blink, HermeticWiper | linkedin.com [Login Required] |
25 FEB | Proofpoint | UNC1151/Ghostwriter (Belarus MoD) | twitter.com/threatinsight |
26 FEB | BBC Journalist | A fake Telegram account claiming to be President Zelensky is posting dubious messages | twitter.com/shayan86 |
26 FEB | CERT-UA | UNC1151/Ghostwriter (Belarus MoD) | CERT-UA Facebook |
26 FEB | MHT and TRMLabs | Unknown scammers, linked to ransomware | twitter.com/joes_mcgill |
26 FEB | US CISA | WhisperGate wiper, HermeticWiper | cisa.gov |
26 FEB | Bloomberg | Destructive malware (possibly HermeticWiper) deployed at Ukrainian Ministry of Internal Affairs & data stolen from Ukrainian telecommunications networks | bloomberg.com |
Vendor Support
Vendor | Offering | URL |
---|---|---|
Dragos | Access to Dragos service if from US/UK/ANZ and in need of ICS cybersecurity support | twitter.com/RobertMLee |
GreyNoise | Any and all Ukrainian emails registered to GreyNoise have been upgraded to VIP, which includes full, uncapped enterprise access to all GreyNoise products | twitter.com/Andrew___Morris |
Recorded Future | Providing free intelligence-driven insights, perspectives, and mitigation strategies as the situation in Ukraine evolves | recordedfuture.com |
Flashpoint | Free Access to Flashpoint’s Latest Threat Intel on Ukraine | go.flashpoint-intel.com |
ThreatABLE | A Ukraine tag for their free threat intelligence feed, more highly curated towards cyber | twitter.com/threatable |
Orange | IOCs related to Russia-Ukraine 2022 conflict extracted from our Datalake Threat Intelligence platform. | github.com/Orange-Cyberdefense |
FSecure | F-Secure FREEDOME VPN is now available for free in all of Ukraine | twitter.com/FSecure |
Multiple vendors | List of vendors offering their services to Ukraine for free, put together by @chrisculling | docs.google.com/spreadsheets |
Mandiant | Free threat intelligence, webinar and guidance for defensive measures relevant to the situation in Ukraine. | mandiant.com |
Vetted OSINT Sources
Handle | Affiliation |
---|---|
@KyivIndependent | English-language journalism in Ukraine |
@KyivPost | English-language journalism in Ukraine |
@Shayan86 | BBC World News Disinformation journalist |
@Liveuamap | Live Universal Awareness Map (“Liveuamap”) independent global news and information site |
@DAlperovitch | The Alperovitch Institute for Cybersecurity Studies, Founder & Former CTO of CrowdStrike |
@COUPSURE | OSINT investigator for Centre for Information Resilience |
@netblocks | London-based Internet Observatory |
Miscellaneous Resources
Source | URL | Content |
---|---|---|
PowerOutage.com | https://poweroutage.com/ua | Tracking power outages across Ukraine |