Monday 3rd July 2023

CTI Weekly: Threat actors claiming to be affiliated with PMC Wagner target Russian entities

Key Issue:

Threat actors claiming to be affiliated with PMC Wagner target Russian entities.

Two cyber incidents linked to Russian state-funded paramilitary organization PMC Wagner were reported. In the first incident, threat actors claiming affiliation with PMC Wagner disrupted Russian satellite communications provider Dozor-Teleport, taking customer terminals offline and wiping information from servers.

In the second incident, a ransomware campaign labelled ‘Wagner’ targeted Russian entities, urging victims to join PMC Wagner and fight against Russia’s Defense Minister.

While the incidents are not connected, they share a motive of spreading messages of rebellion in Russia. The affiliation of the threat actors with PMC Wagner is unconfirmed, and it is unclear if these cyber operations represent a departure from the group’s usual activities.

There is also a possibility that the incidents are false flag operations by pro-Ukrainian actors seeking to cause confusion. Given the evolving political situation in Russia, monitoring of threat actors claiming affiliation with PMC Wagner will continue.

Other news:

MOVEit Data Theft Campaign

The Clop ransomware gang continues to list companies compromised during the MOVEit data theft campaign to their leak site. The total number of companies listed on their website stands at 88 as of 30 June 2023


Law Enforcement Activity

On June 23, 2023, the FBI took control of the BreachForums domain, which was previously operated by Milomir Desnica. Desnica, the accused website administrator, was arrested in the United States over three months ago.


The US Department of Justice has successfully extradited Desnica to face charges related to his involvement in operating Monopoly Market. He is accused of facilitating illegal drug transactions amounting to $18 million through his website.

Critical National Infrastructure

Canadian oil giant Suncor disclosed they had suffered a cyber incident resulting in widespread outages, one week after Canadian intelligence warned of the Russian threat to the oil and gas sector.

Unique Extortion Methods

Following a data breach at the University of Manchester, individuals affected, including students and employees, are receiving threatening emails from the threat actor involved.

This forms part of a triple extortion data theft campaign. The ALPHV Ransomware-as-a-Service group has now targeted Beverly Hills Plastic Surgery, adding it to their data leak site. They are threatening to release stolen intimate photos of patients unless the clinic pays their ransom demands.

Subscribe below for more and to discover other significant cyber criminals, nation-state and hacktivist news.

Get our latest cyber intelligence insights straight into your inbox

Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.