Cyber Intelligence
Russia’s NoName Gets Very Busy
This report contains selected cybersecurity information from 2nd to 15th May 2025.
This report is TLP:CLEAR and may be shared freely.
David Swan, Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release: 15 May 2025.
Synopsis
- Ukraine once again jams part of Russia’s internet. NoName057(16) extends its DDoS attacks to the Netherlands. NoName targets the Romanian presidential elections, then shifts to the UK. North Korea’s cyber team tracks developments in Ukraine. The PRC follows Russia’s example of mass identity theft. PRC also targets the drone supply chain. Why ransomware payments don’t work, and how one business was forced to close due to a ransomware attack.
- It is our assessment that the three major cyber conflicts—Russia vs Ukraine, Iran vs Israel, and the People’s Republic of China—are the most likely sources for the creation of next-generation malware and/or primary sources of cyberattacks. This includes government-funded hackers (military, intelligence, and civilian employees), affiliated hackers (criminals and mercenaries), and volunteer ‘supporters’.
Russia vs Ukraine
- Ukraine Takes Down Siberian Internet. Microsoft reported that, according to Ukrainian sources, from April 30th to May 2nd, Russian telecom operator Sibirskie Seti was attacked with a DDoS campaign. The company provides IP telephony and digital television services to 39 cities across Siberia. In this attack, “servers of four company branches in Siberia, located in Novosibirsk, Novokuznetsk, Kemerovo, and Krasnoyarsk, were overloaded and taken offline.” Ukraine’s Defense Intelligence Directorate (HUR) targeted major Russian internet providers ahead of Russia’s May holiday celebrations. Multiple sources reported that Russian media were flooded with complaints about internet outages.
- NoName057(16) Continues to Attack the Netherlands. In Cyber Intelligence Report Volume 5, Edition 9, we reported that NoName057(16) attacked provincial and municipal websites in the Netherlands. The attacks continued until at least May 3rd. A six-day campaign targeting more than 50 websites makes it the largest DDoS attack in the Netherlands in two years. The attacks expanded to the cities of Apeldoorn, Nijmegen, Breda, and Tilburg. By mid-week, over 50 additional websites had been targeted. These included sites related to transport companies such as GVB (serving the Amsterdam area) and Arriva (operating mainly in northern and eastern Netherlands), as well as the newspaper NRC, which also experienced downtime.
- Analyst Comment: Typically, NoName057(16) conducts DDoS attacks for one or two days. A three-day campaign is considered extended. These attacks are usually ‘nuisance’ attacks—disruptive, but causing limited long-term damage.
- NoName057(16) DDoS Attacks Romanian Presidential Election. On May 4th, NoName launched a DDoS attack on the Romanian presidential election. They targeted “the website of the Romanian Constitutional Court, the main government portal, the Romanian Foreign Ministry site, and the websites of four presidential candidates. The candidates included Crin Antonescu, backed by Romania’s governing parties, and Bucharest Mayor Nicușor Dan, running as an independent,” according to the Romanian National Cybersecurity Directorate. “All websites listed by the hacker group were operational as of 2 p.m. local time.” Romanians are voting in the first round of a presidential election re-do. The country’s top court cancelled the initial round last year due to allegations of illegal campaigning by the winner, ultranationalist Călin Georgescu, and potential Russian influence. One reason for the re-do was over 85,000 cyberattacks during the previous election. This most recent DDoS appeared to be a one-day attack.
- NoName057(16) Shifts to UK Targets. Last October, several UK council websites were disabled. On May 8th, NoName shifted again, targeting councils and other UK organizations. This time, NoName appeared to be less successful—although they claimed otherwise. “Councils in Blackburn with Darwen and Exeter reported no disruptions. Arun District Council acknowledged experiencing website issues, with services disrupted for a few hours. National Highways also reported a DDoS attack but said their site was soon operational. Other allegedly targeted organizations, including the Association for Police and Crime Commissioners, Harwich International Port, and Cardiff City Council, did not immediately comment.”
- North Korea Cyber Team Tracks Ukraine Conflict. North Korea-linked threat actor ‘Konni APT’ has been attributed to a phishing campaign targeting Ukrainian government entities. “Enterprise security firm Proofpoint said the end goal is to collect intelligence on the trajectory of the Russian invasion. Unlike Russian groups likely tasked with gathering tactical battlefield information, Konni APT focuses on strategic, political intelligence. Historically, the group has targeted South Korea, the U.S., and Russia.” Proofpoint concluded that “Konni APT is very likely gathering intelligence to help North Korean leadership assess risks to its forces in the theatre, and whether Russia might request additional troops or arms.”
People’s Republic of China
- PRC Imitates Russia’s Cyber Infrastructure. U.S.-based Resecurity has identified a group of Chinese cybercriminals conducting large-scale ‘smishing’ (SMS phishing and identity theft) operations. “One identified threat actor can send up to 2,000,000 smishing messages daily,” meaning that “Smishing Triad and similar groups could target up to 60 million victims per month, or 720 million per year—enough to target every person in the U.S. at least twice annually.” These groups use a “Crime-as-a-Service” model, enabling other cybercriminals to scale operations internationally. Resecurity also identified a new smishing toolkit called ‘Panda Shop’.
- Analyst Comments: The PRC appears to be mimicking Russia’s cyber strategy.
  A. Russia uses specialist contractors to provide tools and research to both government hackers and affiliated cybercriminals. Similarly, the PRC employs civilian cybersecurity firms, which hire individuals involved in espionage and cybercrime. Groups like ‘Salt Typhoon’ and ‘Volt Typhoon’ operate this way.
  B. ‘Smishing Triad’ and ‘Panda Shop’ provide the PRC with stolen identities and credentials. We assess that the PRC, like Russia, purchases and shares these credentials among state and criminal actors. This enables hackers to log into systems using real credentials—no need for technical breaches. Once inside, attackers use built-in system tools to explore vulnerabilities and deploy malware at their discretion.
- PRC Hackers Target Drone Supply Chain in Taiwan and South Korea. Cybersecurity firm Trend Micro has identified PRC APT group ‘Earth Ammit’ targeting organizations across sectors to compromise trusted supply chains. “Earth Ammit infiltrated the upstream drone supply chain, compromising vendors and positioning itself to target downstream customers.” The group also modified legitimate software and used stolen credentials to deliver malware to targets.
Why Ransom Payments Don’t Work
- PowerSchool Hack … Round Two. In January, PowerSchool disclosed a breach from late 2024. “Cybercriminals accessed the Student Information System (SIS) via a compromised account that lacked multi-factor authentication.” The U.S.-Canadian educational software provider paid the ransom and claimed the issue was resolved. However, the hackers are now extorting individual school districts, including Toronto and Calgary. The SIS contains “sensitive data such as names, addresses, Social Security numbers, and disciplinary records.”
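Two items in this report share a common thread: the analyst comment above on stolen credentials (attackers logging in with real credentials, then using built-in system tools) and the PowerSchool breach, which began with a compromised account that lacked multi-factor authentication. The following is an added example, not part of the CIDC report and not code from any of the organizations named in it. It shows the kind of detection logic a defender can run over authentication and process logs to surface exactly that pattern: a successful login without MFA, a login from a source address never seen for that account, and built-in administration tools executed in a session that began from such a new address. The log format, the watch-list of tool names, the baseline of known addresses and every log record are constructed for this example and are assumptions, not data from the report.

```python
"""Detection sketch for credential-based intrusions (added example, not from the report).

Assumed (constructed) log format, one record per line:
    <ISO timestamp> user=<name> event=<login|exec> src=<ip> mfa=<yes|no|n/a> detail=<text>
For event=login, detail is "success" or "failure"; for event=exec, detail is the command line.
"""
import re
from collections import defaultdict

# Illustrative watch-list of built-in administration tools commonly seen in
# post-login activity. Constructed for this example; tune it per environment.
LOTL_TOOLS = {"powershell.exe", "wmic.exe", "certutil.exe", "net.exe", "schtasks.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+event=(?P<event>login|exec)\s+"
    r"src=(?P<src>\S+)\s+mfa=(?P<mfa>yes|no|n/a)\s+detail=(?P<detail>.*)$"
)


def parse_line(line):
    """Parse one record of the assumed format; return a dict or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, known_ips=None):
    """Return a list of (timestamp, user, reason) findings.

    known_ips maps user -> set of source addresses seen during a baseline
    period (constructed for the example). Reasons emitted:
      NO_MFA                 successful login that did not use MFA
      NEW_SOURCE             successful login from an address not in the user's baseline
      LOTL_AFTER_NEW_SOURCE  watch-listed tool executed in a session that began
                             from a new source address
    """
    known = defaultdict(set, {u: set(v) for u, v in (known_ips or {}).items()})
    flagged_sessions = set()  # (user, src) pairs whose login came from a new address
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed record; a real pipeline would count these
        user, src = rec["user"], rec["src"]
        if rec["event"] == "login":
            if rec["detail"] != "success":
                continue  # failed logins are out of scope for this sketch
            if rec["mfa"] == "no":
                findings.append((rec["ts"], user, "NO_MFA"))
            if src not in known[user]:
                findings.append((rec["ts"], user, "NEW_SOURCE"))
                flagged_sessions.add((user, src))
            known[user].add(src)  # learn the address so repeats are not re-flagged
        elif rec["event"] == "exec":
            tool = rec["detail"].split()[0].lower() if rec["detail"] else ""
            if (user, src) in flagged_sessions and tool in LOTL_TOOLS:
                findings.append((rec["ts"], user, f"LOTL_AFTER_NEW_SOURCE:{tool}"))
    return findings


# Constructed sample records and baseline (not real data).
SAMPLE_LOG = [
    "2025-05-03T08:01:10Z user=alice event=login src=198.51.100.4 mfa=yes detail=success",
    "2025-05-03T08:02:30Z user=alice event=exec src=198.51.100.4 mfa=n/a detail=excel.exe report.xlsx",
    "2025-05-03T22:14:02Z user=svc_sis event=login src=203.0.113.9 mfa=no detail=success",
    "2025-05-03T22:15:40Z user=svc_sis event=exec src=203.0.113.9 mfa=n/a detail=powershell.exe -File inventory.ps1",
    "2025-05-03T22:16:05Z user=svc_sis event=exec src=203.0.113.9 mfa=n/a detail=wmic.exe os get caption",
    "2025-05-03T23:00:00Z user=bob event=login src=203.0.113.50 mfa=no detail=failure",
]
BASELINE = {"alice": {"198.51.100.4"}, "svc_sis": {"10.0.0.12"}}

if __name__ == "__main__":
    for ts, user, reason in analyse(SAMPLE_LOG, BASELINE):
        print(f"{ts} {user:8} {reason}")
```

On the constructed sample, only the `svc_sis` account is flagged: its login used no MFA and came from an address outside its baseline, and the two watch-listed tools it then ran are tied back to that session. The point of combining the three signals is that none is decisive alone (service accounts often lack MFA, travelling users change addresses, administrators run these tools), but a no-MFA login from a new address followed by built-in admin tooling is the sequence the analyst comment describes and deserves an alert.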
- “The FBI has long advised against paying ransoms,” as doing so emboldens attackers and doesn’t guarantee data recovery. PowerSchool admitted it believed paying would prevent data exposure. “As is always the case, there was a risk that the attackers wouldn’t delete the data, despite assurances and evidence,” the company said. Analyst Comment: This tactic—called ‘double extortion’—is increasingly common. Even when ransoms are paid, attackers may still extort individuals or families—‘triple extortion’.
- Hack Leads to Business Closure. Paul Abbott, director of the 160-year-old UK haulage firm Knights of Old, announced the company is closing due to a cyberattack. “We believed we had strong security measures in place,” Abbott said. A ransom note was found embedded in the IT systems. Despite manual workarounds, the attack compromised key data, preventing compliance with lender deadlines. The company, which employed 730 people in 2023, entered administration. Analyst Comment: Cybersecurity must be recognized as a critical business requirement. Unfortunately, many still fail to grasp the true impact of cyberattacks—until it’s too late.
For more information on the CIDC or this Intelligence Report, or to arrange a dedicated briefing, please contact cidc@cscis.org.