Microsoft on Thursday attributed the recent spate of ransomware incidents targeting transportation and logistics sectors in Ukraine and Poland to a threat cluster that shares overlaps with the Russian state-sponsored Sandworm group.
The attacks, which the tech giant disclosed last month, involved a previously undocumented strain of malware called Prestige and are said to have taken place within an hour of each other across all victims.
The Microsoft Threat Intelligence Centre (MSTIC) is now tracking the threat actor under its element-themed moniker Iridium (née DEV-0960), a Russia-based group that’s publicly tracked by the name Sandworm (aka Iron Viking, TeleBots, and Voodoo Bear).
“This attribution assessment is based on forensic artefacts, as well as overlaps in victimology, tradecraft, capabilities, and infrastructure, with known Iridium activity,” MSTIC said in an update.
The company further assessed that the group had orchestrated compromise activity against many of the Prestige victims as far back as March 2022, culminating in the deployment of the ransomware on October 11.