Cyber Intelligence
Ukraine Cyber Attacking Russia’s Economy
This report contains selected cyber-security information from 10th to 23rd January 2025.
This report is TLP:CLEAR1
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release : 23rd January 2025.
This report is TLP:CLEAR1 and MAY be shared freely.
Cyber Intelligence: Forecast for 2025
Synopsis
1. After a slow Christmas season, Ukrainian hackers target Russian businesses, deleting data and backups. Russia’s NoName ‘DDoS’ hacker group is almost as busy. People’s Republic of China hackers get caught in the U.S. Treasury Department. President Trump pardons the creator of the ‘Silk Road’ black market website.
2. It is our assessment that the three major cyber conflicts (Russia vs Ukraine, Iran vs Israel, and the People’s Republic of China) are the most likely sources for the creation of next-generation malware and/or a primary source of cyber attacks. This includes government-funded hackers (military, intelligence and civilian employees), affiliated hackers (criminals and mercenaries), and volunteer ‘supporters’.
Russia vs Ukraine
3. Russia: Russia’s government hackers remain largely inactive or undetected, apart from a new campaign against Kazakhstan (see sub-para D.) Russia’s unpaid allied groups, in particular ‘NoName057(16)’, have been busy. Some of their attacks have had an unusually long duration.
A. On 9th January, cybersecurity company Trend Micro warned that at least forty-six Japanese organizations, including government agencies, banks, and a telecommunications company, had been hit by Distributed Denial of Service (DDoS) attacks. “The Japan Weather Association said on Thursday it was hit by a cyberattack that rendered its information website inaccessible for over nine hours. … According to Trend Micro, the hackers are believed to have used a botnet, or a network of computers and other internet-connected devices infected by malware used to carry out the attacks.”2
B. We assess that this was an attack by NoName057(16), a Russian ‘patriotic’ hacker group, possibly including allies, that utilized Russia’s ‘DDoSia’ Distributed Denial of Service malware. The attacks on Japanese organizations are notable because they have been sustained over three weeks, significantly longer than typical NoName attacks.
C. NoName057(16) claimed responsibility for a wave of DDoS attacks on Italian targets. Targets started with banks and ports, moving on to ten government sites, public transport sites and two airports. Some attacks were claimed by ‘the Palestinian Alixsec’. The attacks followed an announcement by the Italian Prime Minister affirming “complete and constant support to Ukraine. … Italy will help Ukraine defend its interests and pursue a fair and long-lasting peace.”
D. On the 14th of January, a cyber espionage campaign was identified against Kazakhstan. The attackers were attributed to APT 28 / UAC-0063, hackers within Russia’s General Staff Main Intelligence Directorate (GRU). French cybersecurity company ‘Sekoia’ said: “UAC-0063 targeting suggests a focus on intelligence collection in sectors such as government, including diplomacy, NGOs, academia, energy, and defence, with a geographic focus on Ukraine, Central Asia, and Eastern Europe.”3 The attacks are ‘phishing attacks’ based on legitimate Microsoft Office documents.
E. On the 16th of January, “universities and colleges in the southern Netherlands were hit Thursday by a new Distributed Denial-of-Service (DDoS) attack targeting their shared network. Educational institutions in other parts of the country also experienced disruptions.”4 The attack was described as “a large-scale DDoS attack on the network of SURF, the ict (common internet platform) platform to which many educational institutions are affiliated.”5 No damage and only a few disruptions in service were reported.
F. On 21st January, there were two announcements of DDoS attacks attributed to Russian affiliated hacker groups. Starting on the 16th, the Greek government observed attacks on the central public sector network against gov.gr (Greek government) domains. This was followed by more attacks on the same domains on the 17th and a short duration attack on the 19th. No data breaches were reported.6 The websites of several Swiss municipalities and banks were DDoSed on Tuesday the 21st. The Swiss cyber security office said: “The Russian hacker group NoName is believed to be responsible for … DDoS attacks … affecting the cantonal banks of Zurich and Vaud, as well as the Lucerne municipalities of Adligenswil, Kriens and Ebikon.”7 The attacks are assessed as an effort to get attention during the annual Davos forum.
4. Ukraine: There is evidence that Ukraine’s Cyber IT Army is running a targeted campaign against Russian industry. Different groups have claimed responsibility; however, the pattern of the attacks is highly consistent. The exception is the attack against Slovakia, which appears to be a conventional DDoS attack. It is possible this is an outside, but loosely allied, hacker group (see sub-paras B and C).
A. On 6th January, Russian internet service provider ‘Nodex’, confirmed a cyber attack that led to “a “complete failure” of Nodex’s infrastructure”. The Ukrainian Cyber Alliance claimed responsibility for the attack. Nodex services were shut down. Nodex said: “ ‘The network has been destroyed. We are raising it from backup copies,’ a spokesperson from Nodex stated. The impact of the attack was severe, with the hackers exfiltrating data from Nodex’s systems and leaving behind empty equipment without backups.”8
B. Ukraine, or Ukrainian allies, are suspected in a cyber attack on Slovakia’s information system of the Office of Geodesy, Cartography and Cadastre of the Slovak Republic (UGKK). The system is used to record and manage information about land and property. “a seven-digit dollar ransom has been demanded to restore the systems and access to the encrypted data. … State Secretary of the Ministry of Investments, Regional Development and Informatization, Ivan Ivančin, said during the press conference that all data is backed up and there is no risk of changes and fraudulent transcriptions of ownership data. The UGKK said it will continue to provide updates on its website. Physical offices are set to return in a limited capacity on January 13.”9
C. At a 10th January press conference, a politician said: “There is suspicion that the attack originated in Ukraine. … a similar incident targeted Russia on January 8 and 9.”10 Analysts Comment: The cyber attack followed Slovakia’s Prime Minister Robert Fico apparently making a deal with Russia to supply gas to Slovakia. We assess the probability of Ukraine (or an ally) launching the attack as very likely.
D. On 14th January, ‘Roseltorg’, Russia’s main electronic trading platform for government and corporate procurement, confirmed it had been targeted by a cyberattack. “Roseltorg is one of the largest electronic trading operators selected by the Russian government to conduct public procurement, including contracts in the defense and construction industries. The platform also offers tools for electronic document management and procurement planning. … Roseltorg disclosed that it had been targeted by ‘an external attempt to destroy data and the entire infrastructure of electronic trading.’ ”
E. A previously unknown pro-Ukraine hacker group, ‘Yellow Drift’, claimed credit for the attack, stating “they had deleted 550 terabytes of data, including emails and backups.”11 Analysts Comment: This is almost certainly part of a coordinated cyber campaign by Ukraine against Russian industries. It is one of four similar attacks that destroyed the data and networks of the targeted companies. On 21st January, ‘Rostelecom’, a major Russian telecommunications provider, was hit.12 Data was stolen; however, it is unclear how much network damage was done.
People’s Republic of China
5. In 2024, the U.S. Congress directed the Committee on Foreign Investment in the US (CFIUS), part of the Treasury Department, to investigate real-estate purchases near U.S. military bases, where military activities could be observed. In December 2024, hackers from the PRC13 “compromised a “third-party service provider” … then remotely accessed several U.S. Department of Treasury user workstations.” The hackers “stole documents from officials investigating real-estate sales near American military bases”14.
6. On the 14th of January, the U.S. FBI announced “it removed Chinese malware from 4,258 US-based computers and networks by sending commands that forced the malware to use its “self-delete” function. … The People’s Republic of China (PRC) government paid the Mustang Panda group to develop a version of PlugX malware used to infect, control, and steal information from victim computers. … Since at least 2014, Mustang Panda hackers then infiltrated thousands of computer systems in campaigns targeting US victims, as well as European and Asian governments and businesses, and Chinese dissident groups.”15 The FBI was able to hack into Mustang Panda’s command and control system and activate a command to delete the malware.
President Trump Pardons ‘Silk Road’ Creator
7. Ross Ulbricht, alias ‘Dread Pirate Roberts’, acknowledged that he was the creator of an online black market where “drug dealers, money launderers, and traffickers used bitcoins to mask more than $214 million in illicit trades.”16 At sentencing US District Judge Katherine Forrest noted that Ulbricht had to “pay the consequences” for Silk Road’s “unprecedented” use of cryptocurrency to cover up illicit trade. Ten years into a life sentence, Ulbricht has been pardoned for reasons known only to the President.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org