Security Affairs, Hacktivism category feed (https://securityaffairs.com/category/hacktivism). Read, think, share … Security is everyone's responsibility. Feed last updated Fri, 27 Sep 2024 18:34:02 +0000.

https://securityaffairs.com/169009/hacking/cyber-vandalism-on-wi-fi-networks-at-uk-train-stations.html (Fri, 27 Sep 2024 18:34:00 +0000)

UK police are investigating a cyberattack that disrupted Wi-Fi networks at several train stations across the country.

U.K. transport officials and police are investigating a cyber attack on public Wi-Fi networks at the country’s biggest railway stations. Following the ‘cyber-security incident,’ passengers trying to log onto the Wi-Fi at several stations on Wednesday evening were shown a page with the message “We love you, Europe,” followed by an anti-Islam message listing a series of terror attacks.

The police confirmed they are investigating reports of “Islamophobic messaging on some Network Rail Wi-Fi services.”

The Wi-Fi networks at 19 stations were affected, including Manchester Piccadilly, London Euston, Liverpool Lime Street, Birmingham New Street, Glasgow Central and several London terminuses.

Network Rail, which oversees the stations affected by the cyberattack, confirmed that the Wi-Fi service had been disabled as a precaution. Network Rail also confirmed that no passenger data was compromised following the cyber attack.

“British Transport Police are investigating the incident,” Network Rail said in a statement. “This service is provided via a third party and has been suspended while an investigation is under way.”

Network Rail’s Wi-Fi system is run by a third-party company, Telent, with the actual internet service provided by another company, Global Reach.

“Telent can confirm that the incident was an act of cyber vandalism which originated from within the Global Reach network and was not a result of a network security breach or a technical failure,” reads a statement issued by Telent following investigations with Global Reach.

“The aim is to restore public Wi-Fi services by the weekend,” Telent added.

“The rail provider said it believed other organisations, not just railway stations, had been affected,” the BBC reported.

“This service is provided via a third party and has been suspended while an investigation is under way,” a Network Rail spokesperson said.

In early September, Transport for London (TfL) disclosed a cyberattack that exposed some customer names, contact details, and possibly bank account information.

Transport for London (TfL) is a local government body responsible for most of the transport network in London, United Kingdom.

The National Crime Agency investigated the security breach and the UK police arrested a 17-year-old from Walsall who is allegedly linked to the cyberattack. The attack has continued to disrupt TfL’s online services, affecting functions like refunds and real-time transit information.

Follow me on Twitter:  and  and Mastodon

(SecurityAffairs – hacking, Wi-Fi networks)

https://securityaffairs.com/168746/hacking/twelve-group-targets-russian-entities.html (Mon, 23 Sep 2024 05:18:20 +0000)

Hacktivist group Twelve is back and targets Russian entities to destroy critical assets and disrupt their operations.

The hacktivist group Twelve has been active since at least April 2023; it was formed in the wake of the conflict between Russia and Ukraine.

The threat actor focuses on destroying critical assets, disrupting target business, and stealing sensitive data.

In spring 2024, the Telegram channel -=TWELVE=- was blocked for posting personal data in violation of Telegram’s terms. Although the hacktivist group disappeared for several months, in June 2024, Kaspersky observed an attack using identical techniques and C2 servers, suggesting that the Twelve group is still active and likely to reemerge soon.

Interestingly, the group’s infrastructure and TTPs are the same as those of the DARKSTAR ransomware group, formerly known as Shadow or COMET, which suggests that the two actors might belong to the same syndicate or activity cluster. However, the motivation behind Twelve’s operations is hacktivism.

The group targets Russian entities: it encrypts victims’ data without demanding a ransom and then destroys their infrastructure with a wiper to cripple their operations.

The group relies on publicly available tools and malware, making it possible to detect and prevent Twelve’s attacks in due time. In the arsenal of the group, there are tools for credential theft, network discovery, and privilege escalation. Some of the tools used by the group are Cobalt Strike, mimikatz, chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner and PsExec.

The threat actor gains initial access by abusing valid local or domain accounts, VPN or SSH certificates. Then the threat actor relies on the Remote Desktop Protocol (RDP) to facilitate lateral movement.

The attackers also compromised victims’ infrastructure by first targeting their contractors. Once they had compromised a contractor’s infrastructure, the attackers used its certificate to connect to the customer’s VPN.

The Twelve group deploys web shells to the compromised web servers to carry out malicious activities, including executing arbitrary commands, lateral movements, data exfiltration, and creating and sending email.

Kaspersky investigated an attack involving the FaceFish backdoor, in which the attackers exploited two VMware vCenter Server flaws to deploy the web shell used to load their implant.

The group maintains persistence using PowerShell to add domain users and groups, and to modify ACLs (Access Control Lists) for Active Directory objects.
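The persistence chain described above (new domain principals created from PowerShell, followed by ACL changes on Active Directory objects) leaves a characteristic trail in domain-controller audit logs. The following added example is not part of Kaspersky's report or of this article: it is a correlation rule in Python run over constructed events modelled on Windows Security events 4720, 4728 and 5136 and PowerShell script-block event 4104. The flattened field names (`actor`, `group`, `attribute`, `script`) are a simplifying assumption; real events carry these values inside their XML EventData.

```python
"""Correlation rule for the account-creation plus ACL-change persistence pattern.

Added example, not Kaspersky's code: the events below are constructed and
shaped like flattened Windows Security events (4720 user created, 4728 member
added to a security-enabled global group, 5136 directory service object
modified) and PowerShell script-block events (4104).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators",
                     "schema admins", "account operators"}

# Cmdlets and tools that create principals or rewrite AD permissions.
AD_PERSISTENCE_CMDLETS = re.compile(
    r"\b(New-ADUser|Add-ADGroupMember|Set-Acl|Set-ADObject|dsacls|New-ADGroup)\b",
    re.IGNORECASE)


def tag_event(ev):
    """Return a short tag when an event is relevant to the pattern, else None."""
    eid = ev["id"]
    if eid == 4720:
        return "account_created"
    if eid == 4728 and ev.get("group", "").lower() in PRIVILEGED_GROUPS:
        return "privileged_group_add"
    # 5136 fires for any attribute; only the security descriptor is an ACL change.
    if eid == 5136 and ev.get("attribute") == "nTSecurityDescriptor":
        return "acl_modified"
    if eid == 4104 and AD_PERSISTENCE_CMDLETS.search(ev.get("script", "")):
        return "ad_cmdlet"
    return None


def correlate_persistence(events, window=timedelta(minutes=30)):
    """Alert when one actor, inside `window`, creates an account and also
    adds a privileged group member or modifies an AD object's ACL."""
    by_actor = defaultdict(list)
    for ev in events:
        tag = tag_event(ev)
        if tag:
            by_actor[ev["actor"]].append((datetime.fromisoformat(ev["ts"]), tag))

    alerts = []
    for actor, items in by_actor.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            tags = {tag for t, tag in items[i:] if t - t0 <= window}
            if "account_created" in tags and tags & {"privileged_group_add", "acl_modified"}:
                alerts.append({"actor": actor, "start": t0.isoformat(), "tags": sorted(tags)})
                break  # one alert per actor is enough for triage
    return alerts


SAMPLE_EVENTS = [  # constructed
    {"ts": "2024-06-10T22:01:05", "id": 4104, "host": "DC01", "actor": "CORP\\svc_backup",
     "script": "New-ADUser -Name 'svc_sync' -AccountPassword $p -Enabled $true"},
    {"ts": "2024-06-10T22:01:07", "id": 4720, "host": "DC01", "actor": "CORP\\svc_backup",
     "target": "svc_sync"},
    {"ts": "2024-06-10T22:01:20", "id": 4104, "host": "DC01", "actor": "CORP\\svc_backup",
     "script": "Add-ADGroupMember -Identity 'Domain Admins' -Members 'svc_sync'"},
    {"ts": "2024-06-10T22:01:21", "id": 4728, "host": "DC01", "actor": "CORP\\svc_backup",
     "group": "Domain Admins", "target": "svc_sync"},
    {"ts": "2024-06-10T22:03:40", "id": 5136, "host": "DC01", "actor": "CORP\\svc_backup",
     "object": "DC=corp,DC=local", "attribute": "nTSecurityDescriptor"},
    # Routine helpdesk work: a new user with no privilege or ACL change.
    {"ts": "2024-06-11T09:15:00", "id": 4720, "host": "DC01", "actor": "CORP\\helpdesk1",
     "target": "jdoe"},
]

if __name__ == "__main__":
    for alert in correlate_persistence(SAMPLE_EVENTS):
        print(alert)
```

Two logging prerequisites decide how much of this rule works in practice: 5136 entries for nTSecurityDescriptor only appear when the domain's SACL audits permission writes on the relevant objects, and 4104 requires script-block logging to be enabled. Without both, the rule degrades to watching 4720 and 4728 alone, which still catches the new-account-into-privileged-group step.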

“Twelve is mainly driven by hacktivism rather than financial gain. This shows in their modus operandi: rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims’ data and then destroy their infrastructure with a wiper to prevent recovery. The approach is indicative of a desire to cause maximum damage to target organizations without deriving direct financial benefit,” reads the report.


(SecurityAffairs – hacking, Twelve group)

https://securityaffairs.com/168030/hacktivism/head-mare-hacktivist-group-winrar.html (Wed, 04 Sep 2024 14:22:16 +0000)

A hacktivist group known as Head Mare took advantage of the recent CVE-2023-38831 WinRAR flaw in attacks against organizations in Russia and Belarus.

Kaspersky researchers reported that a hacktivist group known as Head Mare exploited the recently disclosed WinRAR flaw CVE-2023-38831 in attacks against organizations in Russia and Belarus.

Head Mare has been active since at least 2023, exclusively targeting companies in Russia and Belarus. The group announced its victims on X and also leaked internal documents stolen during the attacks on the same social network.

The group relies on modern techniques for gaining initial access to systems. Kaspersky reported that it exploited the CVE-2023-38831 vulnerability in WinRAR, which can lead to arbitrary code execution by tricking victims into opening a specially crafted archive.

Head Mare has targeted nine victims across various industries, including government institutions, transportation, energy, manufacturing, and entertainment. Their primary purpose appears to be causing significant damage to companies in Russia and Belarus. Unlike some hacktivist groups, Head Mare also encrypts victim data and demands a ransom.

Below is a list of software employed by the group in its attacks:

  • LockBit;
  • Babuk;
  • PhantomDL;
  • PhantomCore;
  • Sliver;
  • ngrok;
  • rsockstun;
  • XenAllPasswordPro;
  • Mimikatz.

“In their attacks, Head Mare mainly uses publicly available software, which is typical of most hacktivist groups targeting Russian companies in the context of the Russo-Ukrainian conflict,” reads the report published by Kaspersky. “However, while some hacktivists have no proprietary developments in their toolkit at all, Head Mare uses their custom malware PhantomDL and PhantomCore in phishing emails for initial access and exploitation.”

After execution, the malware tools PhantomDL and PhantomCore connected to the attackers’ C2 servers to identify the domain of the infected host. Attackers distributed the two malware families via phishing campaigns in the form of business documents with double extensions (for example, решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe).
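The double-extension lure works because Windows hides known extensions by default, so the recipient sees only the `.pdf` part of the name. As an added defender-side example (not code from the article or from Kaspersky), the filter below classifies attachment names before they reach a mailbox, normalizing Unicode and stripping invisible format characters so that the real trailing extension is the one judged. The sample names are constructed; the first mirrors the shape of the filename quoted above.

```python
"""Classify e-mail attachment names that hide an executable behind a document extension.

Added example, not code from the article or from Kaspersky. The sample
names are constructed; the first mirrors the shape of the lure quoted above.
"""
import unicodedata

# Extensions Windows treats as directly executable or scriptable content.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "wsh", "ps1", "msi", "hta", "lnk"}
# Extensions a recipient expects to open as a harmless business document.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "rtf", "txt", "jpg", "jpeg", "png"}


def _normalize(name):
    """Fold compatibility forms and drop format characters (zero-width spaces,
    bidi overrides) that can visually separate or reorder the extensions."""
    name = unicodedata.normalize("NFKC", name)
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def classify_attachment(filename):
    """Return a reason if the name looks like a disguised executable, else None."""
    parts = _normalize(filename).strip().lower().split(".")
    if len(parts) < 2:
        return None  # no extension at all
    final_ext = parts[-1]
    if final_ext not in EXECUTABLE_EXTS:
        return None
    # Any document-like extension before the real one is the double-extension lure.
    for ext in parts[1:-1]:
        if ext in DOCUMENT_EXTS:
            return f"double extension: .{ext} followed by .{final_ext}"
    return f"executable attachment: .{final_ext}"


def scan_attachments(filenames):
    """Return {filename: reason} for every name that warrants a flag."""
    flagged = {}
    for name in filenames:
        reason = classify_attachment(name)
        if reason:
            flagged[name] = reason
    return flagged


SAMPLE_ATTACHMENTS = [  # constructed
    "решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe",
    "quarterly_report.pdf",
    "invoice.docx.scr",
    "setup.exe",
    "photo.jpg\u200b.exe",  # zero-width space splits the visible name from the real extension
]

if __name__ == "__main__":
    for name, reason in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r}: {reason}")
```

The check is deliberately on the final extension only: a name such as `report.pdf.exe` is a lure, while `report.exe.pdf` is just a PDF with an odd name. Gateways that also rewrite file names should apply the same normalization before display, or the stripped characters will simply reappear in the user's mail client.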

Dynamic analysis in Kaspersky Sandbox shows that PhantomDL connects to a specific C2 server, while PhantomCore connects to different C2 servers and checks the host’s domain. Although some PhantomDL and PhantomCore samples were found, it’s uncertain if they belong to the same activity cluster as those used in Head Mare’s attacks.

The hacktivists used several methods to maintain persistence on compromised systems, including Windows registry keys and scheduled tasks.

The researchers also observed the group using the open-source C2 framework Sliver. The framework was used to manage compromised systems, allowing attackers to carry out malicious activities such as executing commands, managing connections, and gathering data.

The last stage of the attacks consists of deploying either LockBit or Babuk, depending on the target infrastructure.

“The tactics, methods, procedures, and tools used by the Head Mare group are generally similar to those of other groups associated with clusters targeting organizations in Russia and Belarus within the context of the Russo-Ukrainian conflict,” concludes the report. “However, the group distinguishes itself by using custom-made malware such as PhantomDL and PhantomCore, as well as exploiting a relatively new vulnerability, CVE-2023-38831, to infiltrate the infrastructure of their victims in phishing campaigns. This is an important aspect that Russian and Belarusian organizations should pay attention to: attackers are evolving and improving their TTPs.”


(SecurityAffairs – hacking, hacktivist)

https://securityaffairs.com/166065/hacktivism/us-gov-sanctioned-cyber-army-of-russia-reborn-members.html (Tue, 23 Jul 2024 08:45:36 +0000)

The US government sanctioned two Russian hacktivists for their cyberattacks targeting critical infrastructure, including breaches of water facilities.

The United States sanctioned Russian hacktivists Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, members of the Russian hacktivist group Cyber Army of Russia Reborn (CARR), for their roles in cyber operations against U.S. critical infrastructure.

The US authorities identified Pankratova as the group leader, while Degtyarenko is a primary hacker.

Since 2022, the Cyber Army of Russia Reborn (CARR) has launched a series of low-impact DDoS attacks against entities in Ukraine and other countries that offered support to Ukraine. In late 2023, CARR claimed attacks on industrial control systems in the U.S. and Europe, affecting water, hydroelectric, wastewater, and energy facilities. In January 2024, CARR caused water tank overflows in Texas and compromised a U.S. energy company’s SCADA system. Despite gaining temporary control, CARR’s limited hacking capabilities prevented major damage.

“In January 2024, CARR claimed responsibility for the overflow of water storage tanks in Abernathy and Muleshoe, Texas, posting video of the manipulation of human-machine interfaces at each facility on a public forum,” reads the announcement published by the US Treasury. “The compromise of the industrial control systems resulted in the loss of tens of thousands of gallons of water. Additionally, CARR compromised the supervisory control and data acquisition (SCADA) system of a U.S. energy company, giving them control over the alarms and pumps for tanks in that system.”

As a result of the sanctions, all property and interests in property of the designated individuals that are in the U.S. or controlled by U.S. persons are blocked and must be reported to OFAC. Entities owned 50% or more by the designated individuals are also blocked. Transactions involving their property are generally prohibited unless authorized by OFAC, and financial institutions and others that deal with the sanctioned individuals may face sanctions or enforcement actions. The sanctions also prohibit the provision or receipt of funds, goods, or services to or from the designated persons.

“CARR and its members’ efforts to target our critical infrastructure represent an unacceptable threat to our citizens and our communities, with potentially dangerous consequences,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “The United States has and will continue to take action, using our full range of tools, to hold accountable these and other individuals for their malicious cyber activities.”


(SecurityAffairs – hacking, critical infrastructure)

https://securityaffairs.com/165007/hacking/cyberattack-shutdown-university-hospital-centre-zagreb.html (Fri, 28 Jun 2024 22:10:50 +0000)

A cyber attack started targeting the University Hospital Centre Zagreb (KBC Zagreb) on Wednesday night, reported the Croatian Radiotelevision.

A cyber attack began targeting the University Hospital Centre Zagreb (KBC Zagreb), the largest Croatian hospital, on Wednesday night, according to a report by Croatian Radiotelevision.

The hospital has shut down its IT infrastructure in response to the cyber attack.

Milivoj Novak, assistant director of health care quality and supervision of KBC Zagreb, said in tonight’s show “Otvoreno” that the shutdown of the IT system took the hospital back 50 years, to paper and pencil. It’s unclear if the hospital was the victim of a ransomware attack.

Later Novak said in a press conference that all the services, including the hospital’s emergency service and medical laboratories, were fully recovered.

However, the temporary impossibility of printing out medical reports and staff having to write them by hand caused significant delays. It’s also confirmed that some patients will be redirected to other hospitals.

Initial investigation confirmed that patients’ medical records were not exfiltrated.

The hospital did not reveal the type of attack that hit its systems; however, HelpnetSecurity reported that this week a series of DDoS attacks targeted the websites of several Croatian government and financial institutions, including the Ministry of Finance, the Tax Administration, the Croatian National Bank, the Economic Bank of Zagreb, and the Zagreb Stock Exchange.

The pro-Russia group that claimed responsibility for those attacks declared that the collective is not involved in attacks on Croatian medical facilities.

“We are not involved in attacking medical facilities in Croatia or any other country. We have a principle of not touching medical facilities. We are at war with russophobic authorities, not civilians!”

“And the fact that Croatian officials can’t protect their internet infrastructure in the medical field, but find money to sponsor the banderaites, should really raise questions from Croatian citizens to their russophobic government.”


(SecurityAffairs – hacking, University Hospital Centre Zagreb)

https://securityaffairs.com/163529/cyber-crime/hacktivists-target-elections-india.html (Wed, 22 May 2024 16:51:49 +0000)

Resecurity warns of a surge in malicious cyber activity targeting the election in India, orchestrated by several independent hacktivist groups.

Resecurity reported a spike of malicious cyber activity targeting the election in India, supported by multiple independent hacktivist groups who arrange cyber-attacks and publish stolen personally identifiable information (PII) belonging to Indian citizens on the Dark Web.

India, with a population of over 1.4 billion and a GDP of over 3.417 trillion USD, has become a prime target for cyberattacks during its general elections scheduled between 19 April and 1 June 2024.

Multiple independent hacktivist groups are targeting India’s elections with influence and public opinion manipulation campaigns, Resecurity reports. The campaigns are designed to sway voters’ opinions and undermine trust in the democratic process. Attackers have also defaced websites and leaked data to launch influence campaigns against India’s government leaders, said researchers.

Around 16 different independent hacktivist groups are targeting Indian elections, including Anon Black Flag Indonesia, Anonymous Bangladesh, and Morocco Black Cyber Army, among others.

“These 16 groups have targeted multiple law enforcement, government, healthcare, financial, educational, and private sector organizations in India, taking advantage of geopolitical narratives before recent elections,” researchers noted.

Resecurity observed that the Ahadun-Ahad 2.0 Team has published Indian Voter ID cards on Telegram; these cards are issued by the Election Commission of India to individuals aged 18 and over domiciled in India. The source of the data is unclear, but the researchers suspect it is linked to compromised third-party entities. Earlier, cybercriminals had leaked stolen AADHAAR, PAN, driving licenses, and NOC documents on the Dark Web, including 36 GB of personally identifiable information (PII) belonging to Indian citizens.

The data, primarily in graphic form with victims’ selfies, could be used to spread false information, undermine trust in the electoral process, and profit from selling stolen information on the dark web. Resecurity alerted law enforcement and federal authorities to the leaked data.

Besides graphical data files, including voter registration records and credentials from the Voter Portal, the actors also leaked large data sets containing voters’ credentials collected using infostealers. Such malware programs, several commodity infostealer families among them, are designed to steal sensitive information such as login credentials and financial data. Specific signatures identified in the leaked data sets suggest that they originate not from any vulnerable election systems but from consumer devices compromised with malicious code. The credentials could have been obtained by intercepting login forms in popular Internet browsers or by reading the password stores on compromised devices. The threat actors appear to have been aiming to leak a large number of voter records to create the perception that election systems are vulnerable. In fact, these credentials originate on the consumer side, as many Internet users are infected with malware due to poor network hygiene and a lack of cybersecurity awareness.

Researchers also observed public opinion manipulation campaigns targeting Indian government leaders, using data leaks, website defacements, and political narratives. These ‘cyber-guerilla’ tactics blur attribution and operate under the ‘false flag’ of independent hacktivists aiming to create social conflict between Indian and Muslim populations.

Resecurity has summarized the key risk indicators of malicious activity to increase cybersecurity awareness among Indian citizens, encouraging them not to react to any claims or narratives originating from unreliable sources planted by cybercriminals, which could affect their votes.


(SecurityAffairs – hacking, India)

https://securityaffairs.com/163041/hacking/pro-russia-hackers-targeted-kosovo.html (Sun, 12 May 2024 16:42:52 +0000)

Pro-Russia hackers targeted government websites in Kosovo in retaliation for the government’s support to Ukraine with military equipment.

Pro-Russia hackers targeted Kosovo government websites, including the websites of the president and prime minister, with DDoS attacks. The attacks are a retaliation for Kosovo’s support of Ukraine with military equipment. Defense Minister Ejup Maqedonci claimed that Russian hackers launched a cyberattack against Kosovo in retaliation for his statement supporting Ukraine at the Defence 24 conference in Poland.

The attacks caused temporary disruption, however, the government’s Information Society Agency restored the websites. The attack is part of a hybrid war aimed at destabilizing Kosovo’s security, stability, and welfare institutions, Prime Minister Albin Kurti told local media.

“We were informed by the relevant institutions that some government websites have been the target of DDoS attacks. For a short time the websites were not functioning,” a Government spokesperson said.

“The attack was carried out by Russian hackers in retaliation for our support of Ukraine with military equipment,”

Foreign Minister Donika Gervalla-Schwarz announced on Tuesday that Kosovo was under a hybrid attack from Russia, following Kosovo’s announcement of support for Ukraine’s defense against Russian aggression.

Russia and pro-Russia groups have in the past targeted multiple European governments that expressed their support for Ukraine.

NATO and the European Union early this month condemned cyber espionage operations carried out by the Russia-linked threat actor APT28 against European countries.

The German Federal Government condemned in the strongest possible terms the long-term espionage campaign conducted by the group APT28 that targeted the Executive Committee of the Social Democratic Party of Germany.

In March 2024, the Moldovan national intelligence agency warned of hybrid attacks from Russia ahead of the upcoming elections.

Since the beginning of the Russian invasion of Ukraine, pro-Russia threat actors have hit Moldova due to its support for Kiev.

A pro-Russia group has launched multiple DDoS attacks against governments that expressed support for Ukraine, including Moldova, Italy, Romania, the Czech Republic, Lithuania, Norway, and Latvia.

In October 2022, another wave of attacks targeted tens of Moldovan institutions with distributed denial-of-service (DDoS) attacks.

In October 2023, the French National Agency for the Security of Information Systems ANSSI (Agence Nationale de la sécurité des systèmes d’information) warned that a Russia-linked group has been targeting multiple French organizations, including government entities, businesses, universities, research institutes and think tanks.

The French agency noticed that the threat actors used different techniques to avoid detection, including the compromise of low-risk equipment monitored and located at the edge of the target networks. The Government experts pointed out that in some cases the group did not deploy any backdoor in the compromised systems.


(SecurityAffairs – hacking, Kosovo)

https://securityaffairs.com/162672/hacking/pro-russia-hackers-target-critical-infrastructure.html (Thu, 02 May 2024 19:52:06 +0000)

Government agencies from the US, Canada and the UK warn of Russian threat actors targeting critical infrastructure in North America and Europe.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), United States Department of Agriculture (USDA), Food and Drug Administration (FDA), Multi-State Information Sharing and Analysis Center (MS-ISAC), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK) published a joint advisory to warn of pro-Russia hacktivist groups targeting organizations in North America and Europe.

The attacks focus on industrial control systems (ICS) and other operational technology (OT) systems in the target infrastructure.

Pro-Russia hacktivists have been targeting and compromising small-scale Operational Technology (OT) systems in North American and European Water and Wastewater Systems (WWS), Dams, Energy, and Food and Agriculture Sectors. They aim to exploit modular, internet-exposed Industrial Control Systems (ICS), targeting software components like human machine interfaces (HMIs). The threat actors were observed using methods such as exploiting virtual network computing (VNC) remote access software and default passwords.

The malicious activity began in 2022 and is still ongoing. The government agencies urge OT operators in critical infrastructure sectors to implement a set of mitigations provided in the advisory.

“Pro-Russia hacktivist activity against these sectors appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects. However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments,” reads the advisory. “Pro-Russia hacktivists have been observed gaining remote access via a combination of exploiting publicly exposed internet-facing connections and outdated VNC software, as well as using the HMIs’ factory default passwords and weak passwords without multifactor authentication.”

The pro-Russia hacktivists tend to exaggerate the effects of their attacks. Since 2022, they have claimed on social platforms to have carried out disruptive cyber operations, including distributed denial of service and data wiping, against numerous North American and international entities. However, reports from victims downplayed the effects of the attacks.

In early 2024, several U.S.-based water and wastewater systems (WWS) victims faced limited physical disruptions after attackers hacked into their Human Machine Interfaces (HMIs). The hacktivists altered settings, exceeded normal operating parameters of water pumps and blower equipment, disabled alarm mechanisms, and changed administrative passwords to lock out operators.

“In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the WWS operators. Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations.” concludes the advisory.


(SecurityAffairs – hacking, critical infrastructure)

https://securityaffairs.com/162504/hacktivism/cyber-partisans-breached-belarus-kgb.html (Mon, 29 Apr 2024 09:37:35 +0000)

A Belarusian hacktivist group claims to have infiltrated the network of the country’s main KGB agency.

The Belarusian hacktivist group Cyber-Partisans claims to have infiltrated the network of the country’s main KGB security agency. The hackers had access to personnel files of over 8,600 employees.

On Friday, the website of the Belarusian KGB showed an empty page that displayed the message “in the process of development”.

The Cyber-Partisans group published on its Telegram channel a series of documents as proof of the hack, including the list of the website’s administrators, the underlying database, and server logs.

“Cyberpartisans and the mystery of the broken KGB website

The official website of the KGB of the Republic of Belarus has not been working for more than 2 months. And all because the Cyber Partisans got there in the fall of 2023 and pumped out all the available information.

Alas, we made a little noise and had to close the site. 🤫 We are posting a list of admins as proof. See the site database and server logs in a separate post below.” reads the message published by the group on Telegram.

The Cyber-Partisans coordinator Yuliana Shametavets told The Associated Press that the attack on the KGB “was a response” to the agency’s chief Ivan Tertel, who accused the group of preparing attacks on Belarus’ critical infrastructure, including a nuclear power plant. The group remarked that the target of its attacks are not Belarusians but the country’s government.

“KGB PROVOCATION: Cyber partisans are planning attacks on a nuclear power plant,” reads another message published by the group on Telegram, followed by the group’s reply:

“We don’t plan to. And we never planned. Because we work to save the lives of Belarusians, not to destroy them. Unlike the Lukashenko regime. But we have already said that in general an attack on the BelNPP is technically possible. While there is a dictator in power, under whom they would rather switch to pieces of paper than provide normal protection against cyber attacks.”

“The KGB is carrying out the largest political repressions in the history of the country and must answer for it,” Shametavets said. “We work to save the lives of Belarusians, and not to destroy them, like the repressive Belarusian special services do.”

Shametavets confirmed that the Cyber-Partisans group exfiltrated the personal files of more than 8,600 KGB employees.

Cyber-Partisans also launched a Telegram chatbot that allows citizens to unmask KGB operatives by uploading their photos.

“We publish interesting entries from the database of citizens’ appeals to the KGB of the Republic of Belarus.” reads another message posted on Telegram. “We even identified some informers for you.

🔺 Denunciations from citizens of Poland, Germany, Azerbaijan against Belarusians.
🔺 Denunciation of citizens of Lithuania and Ukraine against their compatriots for supporting the Armed Forces of Ukraine.
🔺 Complaints about Cyber Partisans, the Black Card of the Occupiers, etc.”

Belarusian Cyber-Partisans is a hacktivist group that has been active since 2020. Formed in the wake of the disputed 2020 election and the subsequent crackdown on protests, the Cyber-Partisans target Belarusian government institutions.

The Cyber-Partisans group has conducted numerous attacks on Belarusian state media over the past four years. In 2022, they repeatedly targeted the national railway operator, seizing control of its traffic lights and control system. This action disrupted the transit of Russian military equipment into Ukraine via Belarus.


(SecurityAffairs – hacking, Belarus)

https://securityaffairs.com/158265/intelligence/sbu-arrested-member-cyber-army-of-russia.html (Mon, 29 Jan 2024 08:04:17 +0000)

Ukraine’s security service (SBU) detained an alleged member of the pro-Russia hacker group “the Cyber Army of Russia.”

Ukraine’s security service, the SBU, announced that it has identified and detained an alleged member of the pro-Russia hacker group known as the Cyber Army of Russia. The news was first reported by The Record Media. The hacktivist group is known for having launched DDoS attacks against Western organizations and Ukrainian government agencies. However, Ukrainian intelligence speculates that the group’s operations are directly controlled by the Kremlin.

The SBU revealed that the man was living in the city of Kharkiv (Ukraine) and was recruited by Russian intelligence via Telegram.

Police searched the man’s apartment and seized three mobile phones, a laptop, and a flash drive containing information that would substantiate the allegations.

Apart from conducting DDoS attacks, the man is suspected of disclosing strategic information to Russian intelligence. The information secretly provided to Moscow includes military secrets such as the locations of Ukrainian troops and military weaponry in the country.

Russian military used this information to coordinate recent missile strikes. If found guilty, the man could face up to 12 years in prison.

In early December, Ukraine’s SBU announced that it had shut down two surveillance cameras that were allegedly hacked by the Russian intelligence services to spy on air defense forces and critical infrastructure in Kyiv.

The surveillance cameras were located in residential buildings and were used to monitor the surrounding area and a parking lot. Once the state-sponsored hackers had compromised the cameras, they used them to spy on the air defense and critical infrastructure in the same area. The camera used to monitor the parking lot was used to spy on the surrounding territory, including critical infrastructure facilities.

The hackers changed the viewing angle and connected the cameras to the YouTube streaming platform.

The footage was used by the Russian army to support the missile strike on Kyiv on January 2.

Since the beginning of the Russian invasion of Ukraine, the SBU has disabled about 10,000 IR cameras, which the Russian army could use to adjust missile attacks on Ukraine.

The SBU calls on owners of surveillance cameras to stop online broadcasts from their devices; the agency also urges citizens to report detected footage from such cameras.

In October 2023, the SBU arrested a Ukrainian man who had installed cameras on the streets of his city and passed information on Ukrainian military movements to Russian intelligence.

In March 2022, the SBU arrested a hacker who provided technical support to Russian troops during the invasion; the man provided mobile communication services inside Ukrainian territory.


(SecurityAffairs – hacking, SBU)
