
[ Intelligence ] Malicious Actors Share Plans for Attack on the Western Financial System (TLP: CLEAR)

TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/

Summary: NYSIC CAU monitoring of open-source social media sites revealed that the hacktivist groups Anonymous Sudan and Killnet are claiming to partner with the REvil/Sodinokibi ransomware group to target U.S. and European financial institutions. Specific social media posts name the U.S. Federal Reserve and the Society for Worldwide Interbank Financial Telecommunication (SWIFT) banking messaging system as targets. The social media post first appeared on June 14, 2023 and stated the attacks would begin in the next 48 hours. The malicious actors state their intended purpose as “no money – no weapons – no Kyiv regime”, alluding to the international support of Ukraine in fighting Russia’s invasion, which began in February 2022.

NYSIC CAU Analyst Note: Cybersecurity researchers link all three groups to Russia. Anonymous Sudan and Killnet have historically conducted DDoS attacks against numerous critical infrastructure targets in support of Russia’s invasion of Ukraine. The following resources can assist in preparing for and responding to a DDoS attack.

CISA DDOS Quick Guide: https://www.cisa.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf

Joint CISA FBI MS-ISAC Guide on Responding to DDoS Attacks and DDoS Guidance for Federal Agencies: https://www.cisa.gov/news-events/alerts/2022/10/28/joint-cisa-fbi-ms-isac-guide-responding-ddos-attacks-and-ddos-guidance-federal-agencies

FBI and International Law Enforcement Partners Intensify Efforts to Combat Illegal DDoS Attacks: https://www.fbi.gov/contact-us/field-offices/anchorage/fbi-intensify-efforts-to-combat-illegal-ddos-attacks

REvil/Sodinokibi is known to be responsible for numerous high-profile attacks, including those on JBS, Coop, Travelex, and Grupo Fleury. REvil’s most common TTPs include exploiting vulnerabilities such as CVE-2021-30119, deploying wiper malware, and utilizing ESXi lockers. Recent events involving REvil include their temporary shutdown in Russia with several arrests in 2022, but the group has since reconstituted and still operates. Of note, the malicious actors previously conducted attacks during U.S. Federal Holiday weekends.

CVE-2021-30119: https://nvd.nist.gov/vuln/detail/CVE-2021-30119

Trend Micro Report: hxxps://www.trendmicro[.]com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil

Palo Alto Report: hxxps://unit42.paloaltonetworks[.]com/ransom-cartel-ransomware/

Blackberry Blog: hxxps://blogs.blackberry[.]com/en/2019/07/threat-spotlight-sodinokibi-ransomware

This information has been disseminated to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
NYSIC CAU Contacts – Critical Infrastructure: All
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – County Information Contacts

For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.

TLP: CLEAR
