Tuesday 13th June 2023

CTI Weekly: Deep Fake Video of Putin Address and Cyber Threats Amidst Ukrainian Counter-Offensive, State-Linked Malware, Ransomware Campaigns, and Banking Security Concerns

Key Issue:

Broadcast of deep fake Putin speech coincides with Ukrainian offensive

A deep fake video of Putin addressing the nation was broadcasted in several regions of Russia, coinciding with the alleged beginning of the Ukrainian counter-offensive. The broadcast was the result of compromised TV and radio networks. The fake Putin claimed that Ukrainian forces had invaded Russian regions, leading to a general mobilization and declaration of martial law in those areas.

While the source of the broadcast is unconfirmed, it is believed to originate from Ukraine and follows the tactics previously used by Ukrainian hacktivists. This incident has significant implications. It is expected that more cyber activities related to the conflict will occur, aiming to disrupt Russia’s domestic information and amplify fears among the Russian population.

Furthermore, the Ukrainian counter-offensive may trigger retaliatory actions from Russia in cyberspace, including pro-Russian hacktivist activity and direct disruptive operations by Russian nation-state groups. Russia may also target Western entities that support Ukraine’s offensive. The use of Western-supplied arms in the conflict has increased Russian hostility towards these states. Therefore, it is likely that sophisticated Russian threat actors will target related Western entities.

Other news:


Researchers have discovered a new state-linked malware named PowerDrop used to target entities in the American aerospace defence industry.


The Clop ransomware gang has admitted responsibility for the recent data theft campaigns using the MOVEit Transfer software. They exploited a zero-day vulnerability to breach servers of multiple companies and steal data.

In a separate incident, researchers have discovered a malicious campaign in Korea using LockBit’s 2.0 payload in documents to target individuals.

The Royal ransomware gang has been associated with a new encryptor called BlackSuit, which bears similarities to their typical encryption method.


Financial Services

A campaign called Operation CMDStealer is actively targeting Spanish and Portuguese speakers, with the goal of obtaining online banking credentials. The campaign utilizes tactics like LOLBaS (Living Off the Land by Abusing Scripts) and CMD-based scripts.

In a related incident, the Spanish bank Globalcaja has been included on Play Ransomware’s data leak site. This highlights the ongoing interest of cybercriminal groups and ransomware operators in targeting traditional banks.

Subscribe below for more and to discover other significant cyber criminals, nation-state and hacktivist news.

Get our latest cyber intelligence insights straight into your inbox

Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.