Cyber Attack by Pro-Russian Group in Norway

Written by Mike Boutwell

August 9, 2022

It has been confirmed by Norway’s National Security Authority (NSM) that a significant distributed denial of service (DDoS) attack carried out by a pro-Russian group was responsible for taking down some of the most vital websites and internet services in the country.

Although NSM did not provide a direct attribution for the attacks, the Pro-Russian Legion/Cyber Spetsnaz group released a list of Norwegian organizations they intended to attack on their Telegram channel.

Recently, similar attacks were directed at the governments of Lithuania, Italy (private and public organizations), and Romania (private and public websites) for their support of Ukraine.

Now, Norwegian authorities have verified that the attacks have targeted significant enterprises that provide critical services to the populace.

In addition, the Norwegian National Security Authority provided directives to local organizations for the prevention of distributed denial of service (DDoS) attacks.

Beginning on May 24, a group that calls themselves “Cyber Spetsnaz” announced the launch of a new campaign called “Panopticon.” This campaign aimed to recruit 3,000 volunteer cyber offensive specialists willing to participate in attacks against the European Union and the Ukrainian government institutions, including Ukrainian companies.

Around the month of April, “Cyber Spetsnaz” established one of its first divisions, which they called “Zarya.” At the time, they were looking for experienced hackers, penetration testers, and OSINT professionals.

Around the same time, the group carried out one of its first concerted assaults against NATO. Prior to that, members of “Cyber Spetsnaz” had distributed domains assigned to NATO infrastructure. The participant distributed an exhaustive Excel file in addition to a list of NATO resources.

The organization established a new division on June 2 that they have dubbed “Sparta.” “Cyber sabotage,” interruption of Internet resources, data theft, and financial intelligence centered on NATO, its members, and their allies are some of the responsibilities of the new section. Notably, “Sparta” highlights this work as a critical priority today and certifies that the newly constituted division is an official part of the “Killnet Collective.”

According to the description, the actors self-identify as “hacktivists.” However, it is not yet known whether the group has any ties to state actors. According to the sources that Security Affairs questioned, this activity was assessed with a very high level of confidence to be backed by the state.

In addition to publicly available tools, they are using scripts such as MHDDoS, Blood, Karma DDoS, Hasoki, DDoS Ripper, and GoldenEye to generate malicious traffic at Layer 7, which could affect the availability of web resources.

The organization carried out cyberattacks against five different logistic terminals in Italy (Sech, Trieste, TDT, Yilport, and VTP), in addition to a number of large financial institutions. The operations of “Phoenix” were coordinated with those of another section known as “Rayd,” which had previously attacked other government resources in Poland, such as the Ministry of Foreign Affairs, the Senate, Border Control, and the Police. Other divisions that were involved in the DDoS attacks were “Vera,” “FasoninnGung,” “Mirai,” “Jacky,” and “DDOS Gung,” all of which have previously attacked several web resources in Germany. “Sakurajima” was another division that was involved.

Based on the victims observed and on close collaboration with several of the affected organizations, the attacks largely concentrated on exploiting inadequately configured web servers and causing short-term disruptions. Because the attackers' complete pool of unique network sources may be depleted in a very short amount of time, the issue can potentially be resolved proactively by properly hardening the servers and implementing a WAF, in addition to DDoS protection. The logged attack sources showed that the attackers are making active use of spoofed IP addresses and are deploying tools on compromised IoT devices and hacked web pages.
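The point above about a finite pool of attack sources can be seen in a small per-source rate check over web access logs. This is an added example, not code from the article, NSM, or any of the tools named; the log format, window, threshold, and documentation-range IP addresses are all assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_flood_sources(lines, window_s=10, max_requests=20):
    """Flag sources exceeding max_requests per window_s; count later hits as dropped."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}                  # ip -> time the threshold was first exceeded
    passed = dropped = 0
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue              # skip malformed lines instead of crashing
        ip, ts = m.group(1), datetime.strptime(m.group(2), TS_FMT)
        if ip in flagged:         # source already blocked: request never reaches the app
            dropped += 1
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # expire timestamps older than the window
        if len(q) > max_requests:
            flagged[ip] = ts
            dropped += 1
        else:
            passed += 1
    return flagged, passed, dropped

def build_sample():
    """Constructed log: 3 flooding sources at 5 req/s, 2 normal clients every 5 s."""
    t0 = datetime.strptime("09/Aug/2022:12:00:00 +0000", TS_FMT)
    rows = []
    for sec in range(30):
        stamp = (t0 + timedelta(seconds=sec)).strftime(TS_FMT)
        for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
            rows += [f'{ip} - - [{stamp}] "GET /?r={sec}{i} HTTP/1.1" 200'
                     for i in range(5)]
        if sec % 5 == 0:
            for ip in ("198.51.100.7", "198.51.100.8"):
                rows.append(f'{ip} - - [{stamp}] "GET /index.html HTTP/1.1" 200')
    return rows

if __name__ == "__main__":
    flagged, passed, dropped = find_flood_sources(build_sample())
    print(f"flagged={sorted(flagged)} passed={passed} dropped={dropped}")
```

In the constructed sample every flooding source is flagged within five seconds, after which most of the attack traffic is dropped while the two normal clients are unaffected.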

Second, Norway assisted Ukraine in its resistance against the ongoing Russian invasion by providing the country with multiple launch rocket systems (MLRS) and 5,000 rounds of ammunition to use in those weapons.
