Friday 18th November 2022

Week 45 | 7th – 11th November 2022

Key Issue: Russian state unit Sandworm linked to Prestige ransomware compromises
Cybercriminals: Cybercriminals diversify their methods of gaining initial access
Nation-State: State groups continue to develop custom malware to evade detection
Hacktivists: Mississippi state websites briefly offline following DDoS attack


This week, we reported on an update linking a series of Prestige ransomware compromises perpetrated by DEV-0960 (also known as IRIDIUM) to the Russian nation-state unit Sandworm. Beginning on 11 October 2022, DEV-0960 compromised several transportation and logistics entities in Poland and Ukraine using a previously unidentified ransomware tracked as Prestige, which was at the time not linked to any known ransomware groups. On 10 November, researchers linked these incidents to Sandworm based on overlaps in victimology, tradecraft, and infrastructure between DEV-0960 and previous Sandworm activity. Sandworm has been particularly active since the beginning of the Russia-Ukraine war, and we have previously reported on Sandworm operations targeting Ukrainian entities across multiple sectors including telecommunications, energy, and financial services.

The victimology and impact of these attacks suggest that they were all likely conducted with the objective of causing widespread operational disruption, degrading the resources Ukraine needs to sustain its war effort. As a sophisticated nation-state unit, Sandworm has a variety of tools and malware strains at its disposal; however, the use of the previously unseen Prestige ransomware indicates that the group continues to develop its capabilities.
