The FBI, NSA, and CISA warned that Russian state-sponsored intrusions will continue.

The document, part of a cache of leaks recently circulated on the internet, suggests the hackers had the ability to cause an explosion and sought instruction from the FSB.

In recent days, the US Justice Department and Pentagon have begun investigating an apparent online leak of sensitive documents, including some that were marked “Top Secret”. A portion of the documents, which have since been widely covered by the news media, focused on Russia’s invasion of Ukraine, while others detailed analysis of potential UK policies on the South China Sea and the activities of a Houthi figure in Yemen. The existence of the documents was first reported by the New York Times after a number of Russian Telegram channels shared five photographed files relating to the invasion of Ukraine on April 5 – at least one of which has since been found by Bellingcat to be crudely edited.

SentinelLabs uncover a previously unknown set of espionage campaigns conducted by Winter Vivern advanced persistent threat (APT) group.

An investigation into the FSB’s digital surveillance and disinformation contractor

* Exfiltrated Russian-written documents provide insights into cyber offensive tool projects contracted by Vulkan private firm for the Russian Ministry of Defense. * Scan-AS is a database used to map adversary networks in parallel or prior to cyber operations. Scan-AS is a subsystem of a wider management system used to conduct, manage and capitalize results of cyber operations. * Amezit is an information system aimed at managing the information flow on a limited geographical area. It allows communications interception, analysis and modification, and can create wide information campaigns through social media, email, altered websites or phone networks.

* Proofpoint has observed recent espionage-related activity by TA473, including yet to be reported instances of TA473 targeting US elected officials and staffers. TA473 is a newly minted Proofpoint threat actor that aligns with public reporting on Winter Vivern. * TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe. * TA473 recons and reverse engineers bespoke JavaScript payloads designed for each government targets’ webmail portal. * Proofpoint concurs with Sentinel One analysis that TA473 targeting superficially aligns with the support of Russian and/or Belarussian geopolitical goals as they pertain to the Russia-Ukraine War.

Vulkan engineers have worked for Russian military and intelligence agencies to support hacking operations, prepare for attacks on infrastructure and spread disinformation

Postal service has been unable to send letters and parcels overseas since Wednesday due to hacking Royal Mail has been hit by a ransomware attack by a criminal group, which has threatened to publish the stolen information online. The postal service has received a ransom note purporting to be from LockBit, a hacker group widely thought to have close links to Russia.

In the name of Russia's war in Ukraine, NoName057(16) abuses GitHub and Telegram in an ongoing campaign to disrupt NATO's critical infrastructure.

As we report more fully below, in the wake of Russian battlefield losses to Ukraine this fall, Moscow has intensified its multi-pronged hybrid technology approach to pressure the sources of Kyiv’s military and political support, domestic and foreign. This approach has included destructive missile and cyber strikes on civilian infrastructure in Ukraine, cyberattacks on Ukrainian and now foreign-based supply chains, and cyber-enabled influence operations[1]—intended to undermine US, EU, and NATO political support for Ukraine, and to shake the confidence and determination of Ukrainian citizens.

TAG highlights four case studies involving Russian IO tied to the Internet Research Agency and Russian oligarch Yevgeny Prigozhin.