Kyiv • UNN - unn.ua | УНН
December 6 2025
On December 6, the HUR MOD Cyber Corps and BO Team attacked the Russian logistics company "Eltrans+". Over 700 computers and servers were deactivated, 165 terabytes of data were destroyed, and network equipment was disabled.
The GUR Cyber Corps attacked Russia's leading logistics company on the night of December 6 - more than 700 computers and servers were deactivated, 165 terabytes of critical data were destroyed or encrypted, UNN reports with reference to sources.
On the night of December 6, specialists from the Main Intelligence Directorate of the Ministry of Defense, together with the BO Team, launched a cyberattack on the information and communication infrastructure of the Eltrans + group of companies. As a result of the attack, more than 700 computers and servers were deactivated, more than a thousand company users were deleted, and 165 terabytes of critical data were destroyed or encrypted.
ccording to the UNN interlocutor, in addition, the access control system, video surveillance data storage and backup system were affected, network equipment along with the core of the data center was deactivated and disabled, declarations for all cargo were destroyed, and all company websites were "defaced", which now greet Russian users with the Day of the Armed Forces of Ukraine.
Let's add
"Eltrans+" is among the top 10 largest customs representatives and freight forwarders in Russia. More than 5,000 Russian small, medium and large businesses use the services of "Eltrans+".
The company carries out international and domestic transportation (road, sea, air, multimodal), warehouse storage, transportation of consolidated cargo, as well as full customs clearance of goods.
"Eltrans+" is engaged in the delivery of sanctioned goods, as well as various electronic components from China, which are used by the Russian military-industrial complex, the UNN interlocutor reported.
| United States Department of Justice
justice.gov
Updated December 10, 2025
Ukrainian National Indicted and Rewards Announced for Co-Conspirators Relating to Destructive Cyberattacks Worldwide
The Justice Department announced two indictments in the Central District of California charging Ukrainian national Victoria Eduardovna Dubranova, 33, also known as Vika, Tory, and SovaSonya, for her role in conducting cyberattacks and computer intrusions against critical infrastructure and other victims around the world, in support of Russia’s geopolitical interests. Dubranova was extradited to the United States earlier this year on an indictment charging her for her actions supporting CyberArmyofRussia_Reborn (CARR). Today, Dubranova was arraigned on a second indictment charging her for her actions supporting NoName057(16) (NoName). Dubranova pleaded not guilty in both cases, and is scheduled to begin trial in the NoName matter on Feb. 3, 2026 and in the CARR matter on April 7, 2026.
As described in the indictments, the Russian government backed CARR and NoName by providing, among other things, financial support. CARR used this financial support to access various cybercriminal services, including subscriptions to distributed denial of service-for-hire services. NoName was a state-sanctioned project administered in part by an information technology organization established by order of the President of Russia in October 2018 that developed, along with other co-conspirators, NoName’s proprietary distributed denial of service (DDoS) program.
“Today’s actions demonstrate the Department’s commitment to disrupting malicious Russian cyber activity — whether conducted directly by state actors or their criminal proxies — aimed at furthering Russia’s geopolitical interests,” said Assistant Attorney General for National Security John A. Eisenberg. “We remain steadfast in defending essential services, including food and water systems Americans rely on each day, and holding accountable those who seek to undermine them.”
“Politically motivated hacktivist groups, whether state-sponsored like CARR or state-sanctioned like NoName, pose a serious threat to our national security, particularly when foreign intelligence services use civilians to obfuscate their malicious cyber activity targeting American critical infrastructure as well as attacking proponents of NATO and U.S. interests abroad,” said First Assistant U.S. Attorney Bill Essayli for the Central District of California. “The charges announced today demonstrate our commitment to eradicating global threats to cybersecurity and pursuing malicious cyber actors working on behalf of adversarial foreign interests.”
“When pro-Russia hacktivist groups target our infrastructure, the FBI will use all available tools to expose their activity and hold them accountable,” said Assistant Director Brett Leatherman of the FBI Cyber Division. “Today’s announcement demonstrates the FBI’s commitment to disrupt Russian state-sponsored cyber threats, including reckless criminal groups supported by the GRU. The FBI doesn’t just track cyber adversaries – we work with global partners to bring them to justice.”
“The defendant’s illegal actions to tamper with the nation’s public water systems put communities and the nation’s drinking water resources at risk,” said EPA Acting Assistant Administrator Craig Pritzlaff. “These criminal charges serve as an unequivocal warning to malicious cyber actors in the U.S. and abroad: EPA’s Criminal Investigation Division and our law enforcement partners will not tolerate threats to our nation’s water infrastructure and will pursue justice against those who endanger the American public. EPA is unwavering in its commitment to clean, safe water for all Americans.”
Cyber Army of Russia Reborn
According to the indictment, CARR, also known as Z-Pentest, was founded, funded, and directed by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). CARR claimed credit for hundreds of cyberattacks against victims worldwide, including attacks against critical infrastructure in the United States, in support of Russia’s geopolitical interests. CARR regularly posted on Telegram claiming credit for its attacks and published photos and videos depicting its attacks. CARR primarily hacked industrial control facilities and conducted DDoS attacks. CARR’s victims included public drinking water systems across several states in the U.S., resulting in damage to controls and the spilling of hundreds of thousands of gallons of drinking water. CARR also attacked a meat processing facility in Los Angeles in November 2024, spoiling thousands of pounds of meat and triggering an ammonia leak in the facility. CARR has attacked U.S. election infrastructure during U.S. elections, and websites for U.S. nuclear regulatory entities, among other sensitive targets.
An individual operating as “Cyber_1ce_Killer,” a moniker associated with at least one GRU officer instructed CARR leadership on what kinds of victims CARR should target, and his organization financed CARR’s access to various cybercriminal services, including subscriptions to DDoS-for-hire services. At times, CARR had more than 100 members, including juveniles, and more than 75,000 followers on Telegram.
The CARR indictment charges Dubranova with one count of conspiracy to damage protected computers and tamper with public water systems, one count of damaging protected computers, one count of access device fraud, and one count of aggravated identity theft. If convicted of these charges, Dubranova would face a statutory maximum penalty of 27 years in federal prison.
NoName057(16)
NoName was covert project whose membership included multiple employees of The Center for the Study and Network Monitoring of the Youth Environment (CISM), among other cyber actors. CISM was an information technology organization established by order of the President of Russia in October 2018 that purported to, among other things, monitor the safety of the internet for Russian youth.
According to the indictment, NoName claimed credit for hundreds of cyberattacks against victims worldwide in support of Russia’s geopolitical interests. NoName regularly posted on Telegram claiming credit for its attacks and published proof of victim websites being taken offline. The group primarily conducted DDoS cyberattacks using their own proprietary DDoS tool, DDoSia, which relied on network infrastructure around the world created by employees of CISM.
NoName’s victims included government agencies, financial institutions, and critical infrastructure, such as public railways and ports. NoName recruited volunteers from around the world to download DDoSia and used their computers to launch DDoS attacks on the victims that NoName leaders selected. NoName also published a daily leaderboard of volunteers who launched the most DDoS attacks on its Telegram channel and paid top-ranking volunteers in cryptocurrency for their attacks.
The NoName indictment charges Dubranova with one count of conspiracy to damage protected computers. If convicted of this charge, Dubranova would face a statutory maximum penalty of five years in federal prison.
Concurrent with today’s actions, the U.S. Department of State has offered potential rewards for up to $2 million for information on individuals associated with CARR and up to $10 million for information on individuals associated with NoName. Additionally, today the FBI, CISA, NSA, DOE, EPA, and DC3 issued a Joint Cybersecurity Advisory assessing that pro-Russia hacktivist groups, like CARR and NoName, target minimally secured, internet-facing virtual network computing connections to infiltrate (or gain access to) operational technology control devices within critical infrastructure systems to execute attacks against critical infrastructure, resulting in varying degrees of impact, including physical damage.
On July 19, 2024, U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions targeting two CARR members, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, for their roles in cyber operations against U.S. critical infrastructure. These two individuals were the group’s leader and a primary hacker, respectively.
The FBI Los Angeles Field Office investigated the CARR and NoName cases as part of FBI’s Operation Red Circus, an ongoing operation to disrupt Russian state-sponsored cyberthreats to U.S. critical infrastructure and interests abroad.
Assistant U.S. Attorneys Angela Makabali and Alexander Gorin for the Central District of California and Trial Attorney Greg Nicosia of the National Security Division’s National Security Cyber Section are prosecuting these cases. Assistant U.S. Attorney James E. Dochterman for the Central District of California is handling the forfeiture cases. The Justice Department’s Office of International Affairs provided significant assistance for both investigations.
An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
themoscowtimes.com
Dec. 2, 2025
Hundreds of Porsche vehicles across Russia have been rendered undriveable after a failure in their factory-installed satellite security system, according to reports from owners and dealerships.
Drivers in Moscow, Krasnodar and other cities began reporting sudden engine shutdowns and fuel-delivery blockages last week, effectively immobilizing their vehicles.
Rolf, Russia’s largest dealership group, said service requests spiked on Friday as cars lost connection to their onboard alarm modules, which are linked via satellite.
The outage affects all Porsche models and engine types, and any vehicle could potentially lock itself automatically, a Rolf representative told the RBC news website.
“It’s possible this was done deliberately,” the representative was quoted as saying, though no evidence has emerged to support that claim.
Owners’ groups say the problem appears tied to the Vehicle Tracking System, or VTS, which is an onboard security module.
The Russian Porsche Macan Club said some drivers had restored function by disabling or rebooting the VTS, while others reported success after disconnecting their car batteries for up to 10 hours, according to the Telegram channel Mash.
Rolf said specialists were still investigating the root cause of the problem. Porsche’s office in Russia and its global headquarters in Germany have not yet commented on the system failure.
Porsche halted deliveries and suspended its commercial operations in Russia after the full-scale invasion of Ukraine in February 2022. However, the company still retains ownership of three subsidiaries in the country, which it has so far been unable to sell.
Gen Blogs | gendigital.com
Threat Research Team
November 19, 2025
State-sponsored hacking groups typically operate in isolation, each advancing its own nation’s goals. That’s why any sign of collaboration between them is cause for concern. Yet new evidence uncovered by Gen researchers suggests that two of the world’s most aggressive advanced persistent threat (APT) actors, Russia-aligned Gamaredon and North Korea’s Lazarus, may be operating on shared infrastructure.
This discovery hints at something much bigger than mere technical overlap. It points to a possible new stage in cyber conflict, where geopolitical alliances are mirrored in shared digital operations.
From allies on the battlefield to partners online
Russia and North Korea have maintained a long-standing partnership rooted in shared political and military interests. Moscow backed Pyongyang during and after the Korean War, and in 2024 both nations renewed that alliance through a Comprehensive Strategic Partnership that includes mutual defense commitments.
Since 2022, Pyongyang has stepped up its support for Moscow, formally recognizing Russian-claimed territories in Ukraine and reportedly supplying munitions and troops. In 2024, Reuters reported that North Korean soldiers had been deployed to fight alongside Russian forces in Ukraine, a striking example of the two countries’ deepening cooperation.
Now, we may be witnessing a digital extension of that alliance. On July 28, 2025, Gen’s internal monitoring systems detected a suspicious event linking Gamaredon and Lazarus activity through a shared IP address. The implications are significant: two state-backed actors from different countries may be coordinating at an operational level.
This development aligns with broader patterns highlighted in the Q3/2025 Threat Report, where state sponsored operations showed increasing sophistication, coordination, and diversification of infrastructure. While those observations were confined within national ecosystems, the Gamaredon–Lazarus overlap suggests that similar dynamics may now be emerging across national boundaries.
Background
Gamaredon
Gamaredon is a Russian-aligned APT active since at least 2013, primarily focused on cyber espionage. In 2021, the Security Service of Ukraine issued a press release, attributing several members of the group as part of Russia's Federal Security Service (FSB) 18th Information Security Center. Since its official inception, the group is believed to have conducted more than 5000 cyber-attacks, most of which targeted Ukrainian government agencies. However, with the onset of war in Ukraine, ESET reported that Gamaredon expanded its operations to include NATO member states, likely aiming to disrupt military aid to Ukraine, underscoring the group’s prioritization of hybrid warfare.
Lazarus
Lazarus is a state-sponsored threat actor active since 2009 and widely believed to operate under North Korea’s government. Initially focused on cyber espionage and destructive attacks, Lazarus later shifted toward financially motivated operations to fund future campaigns. In 2021, the United States Department of Justice indicted three members believed to be part of the Lazarus group, connecting them to North Korea’s Reconnaissance General Bureau (RGB), the country’s primary intelligence agency. With the rise of cryptocurrency, Lazarus increasingly targeted digital assets, as evidenced by high-profile breaches such as Stake.com ($41 million), AtomicWallet ($100 million), WazirX ($235 million), and Bybit ($1.4 billion).
Where Gamaredon spies, Lazarus steals, but both ultimately serve their governments’ strategic interests.
The discovery: a shared digital footprint
Just one day after the announcement of new direct flights between Moscow and Pyongyang, Gen identified indicators of a potential collaboration between the Gamaredon and Lazarus APTs. On July 24, 2025, our system tracking Gamaredon’s Command-and-Control (C2) servers via known Telegram and Telegraph channels blocked an IP address:
144[.]172[.]112[.]106
Four days later, during a routine check, the same server was found hosting an obfuscated version of InvisibleFerret (SHA256: 128da948f7c3a6c052e782acfee503383bf05d953f3db5c603e4d386e2cf4b4d), a malware strain attributed to Lazarus. The payload matched Lazarus’ tooling and was delivered through an identical server structure (URL: http[://]144[.]172[.]112[.]106/payload/99/81) previously seen in ContagiousInterview, a Lazarus campaign that targeted job seekers with fake recruitment messages. While the IP could represent a proxy or VPN endpoint, the temporal proximity of both groups’ activity and the shared hosting pattern indicate probable infrastructure reuse, with moderate confidence of operational collaboration. Whether Lazarus leveraged a Gamaredon-controlled server or both actors shared the same client instance remains unclear, but the overlap is too close to ignore.
Implications for the global threat landscape
Cross-country collaborations in the APT ecosystem remain exceptionally rare. The last widely acknowledged example dates back to 2014 with the Regin malware, reportedly co-developed by the U.S. National Security Agency (NSA) and the U.K.’s Government Communications Headquarters (GCHQ).
If confirmed, the Gamaredon–Lazarus overlap would represent the first known case of Russian–North Korean cyber collaboration in the wild.
Such a partnership could have wide-ranging implications:
Operational synergy: Lazarus’s expertise in monetizing cyberattacks through cryptocurrency theft could help Gamaredon fund or conceal future operations.
Strategic alignment: Russia, facing mounting economic and military pressure, could benefit from North Korea’s established infrastructure for covert financial operations.
Escalation potential: This kind of collaboration blurs the line between espionage, sabotage, and organized cybercrime, expanding both nations’ offensive reach.
Not an isolated case: national ecosystems are merging
While cross-border APT collaboration is rare, cooperation within national ecosystems has become increasingly common.
Lazarus x Kimsuky
Kimsuky is another North Korean APT group. It has been active since around 2012 and assessed by Mandiant to operate under the RGB. The group specializes in advanced cyber-espionage campaigns, primarily targeting government entities and consumer-facing organizations.
During analysis of Lazarus’ ContagiousInterview payloads, Gen researchers found that an IP address (216[.]219[.]87[.]41) later reappeared in Kimsuky-linked payloads (e.g., cce27340fd6f32d96c65b7b1034c65d5026d7d0b96c80bcf31e40ab4b8834bcd). This suggests infrastructure reuse or coordination between RGB units, evidence of alignment at North Korea’s national level.
DoNot x SideWinder
DoNot and SideWinder are state-sponsored APT groups believed to have been active since 2013 and 2012, respectively, both with ties to the Indian government and a primary focus on cyber espionage.
Gen identified a DoNot-attributed payload (8bb089d763d5d4b4f96ae59eb9d8f919e6a49611c183f636bfd5c01696447938) that later executed a known SideWinder loader (f4d10604980f8f556440460adc71883f04e24231d0a9a3a323a86651405bedfb). The victim was located in Pakistan, consistent with the typical targeting profile of both groups. This cooperation resembles the previously observed Gamaredon x Turla collaboration, indicating that intra-country partnerships are becoming a tactical norm.
A new phase in cyber geopolitics
The evidence of infrastructure overlap between Lazarus and Gamaredon represents a significant development in the global threat landscape. Historically, cross-country APT collaborations have been exceedingly rare, with only a handful of confirmed cases such as Stuxnet and Regin. This potential partnership signals a shift toward more complex and unpredictable alliances, where geopolitical interests may drive operational convergence.
While the Lazarus–Gamaredon case stands out for its strategic implications, the observed intranational collaborations, such as Lazarus with Kimsuky and DoNot with SideWinder, are equally important. These partnerships demonstrate a growing trend of resource sharing and tactical alignment within national ecosystems, amplifying the reach and resilience of state-sponsored campaigns.
For defenders, these findings underscore an urgent need to adapt detection strategies beyond single-actor attribution. Shared infrastructure, overlapping TTPs, and modular malware frameworks mean that traditional attribution models may fail to capture the full scope of risk. Security teams must:
Enhance infrastructure correlation analysis to detect cross-group overlaps early.
Prioritize intelligence sharing across organizations and sectors to identify emerging alliances.
Implement layered defenses capable of mitigating diverse tactics from multiple threat actors leveraging common resources.
The era of isolated APT operations is fading. As adversaries evolve through collaboration, defenders must respond with equal agility and cooperation to safeguard critical assets.
| TechCrunch
Zack Whittaker
5:09 AM PST · November 17, 2025
The defacement of Protei's website said "another DPI/SORM provider bites the dust," apparently referring to the company selling its web intercept and surveillance products to phone and internet providers.
A Russian telecom company that develops technology to allow phone and internet companies to conduct web surveillance and censorship was hacked, had its website defaced, and had data stolen from its servers, TechCrunch has learned.
Founded in Russia, Protei makes telecommunications systems for phone and internet providers across dozens of countries, including Bahrain, Italy, Kazakhstan, Mexico, Pakistan and much of central Africa. The company, now headquartered in Jordan, sells video conferencing technology and internet connectivity solutions, as well as surveillance equipment and web-filtering products, such as deep packet inspection systems.
It’s not clear exactly when or how Protei was hacked, but a copy of the company’s website saved on the Internet Archive’s Wayback Machine shows it was defaced on November 8. The website was restored soon after.
During the breach, the hacker obtained the contents of Protei’s web server — around 182 gigabytes of files — including emails dating back years.
A copy of Protei’s data was provided to DDoSecrets, a nonprofit transparency collective that indexes leaked datasets in the public interest, including data from law enforcement, government agencies, and companies involved in the surveillance industry.
Mohammad Jalal, the managing director of Protei’s branch in Jordan, did not respond to a request for comment about the breach.
The identity of the hacker is not known, nor their motivations, but the defaced website read: “another DPI/SORM provider bites the dust.” The message likely references the company’s sales of deep packet inspection systems and other internet filtering technology for the Russian-developed lawful intercept system known as SORM.
SORM is the main lawful intercept system used across Russia as well as several other countries that use Russian technology. Phone and internet providers install SORM equipment on their networks, which allows their country’s governments to obtain the contents of calls, text messages, and web browsing data of the networks’ customers.
Deep-packet inspection devices allow telecom companies to identify and filter web traffic depending on its source, such as a social media website or a specific messaging app, and selectively block access. These systems are used for surveillance and censorship in regions where freedom of speech and expression are limited.
The Citizen Lab reported in 2023 that Iranian telecoms giant Ariantel had consulted with Protei about technology for logging internet traffic and blocking access to certain websites. Documents seen and published by The Citizen Lab show that Protei touted its technology’s ability to restrict or block access to websites for specific people or entire swathes of the population.
| The European Correspondent
Dmitriy Beliaev
A Russian series released in October used AI to replace actor Maxim Vitorgan’s face – and removed his name from the credits. Vitorgan reported it himself on social media, while the streaming platform Kion offered no explanation.
It was the second time the actor had been digitally erased and replaced with AI – a punishment for his vocal opposition to the war in Ukraine. On the first day of the invasion in 2022, he posted a black square on Instagram with the caption “Shame” to his 700,000 followers. That led to his removal from another show in 2023.
Erasing “undesirable” actors, writers, and musicians has become routine in Russia, where censorship has tightened its grip on cultural life since the country’s full-scale invasion of Ukraine.
TV channels and streaming platforms now not only blur or replace actors with AI, but also cut entire scenes – scrubbing away unwanted dialogue, characters, or references that the state considers unwelcome.
In April 2025, a TV channel removed a map of Odesa and cut a reference to the 2006 deportation of Georgian citizens from Russia in a 2010 film (which also featured Vitorgan). In June, Russian streaming services removed a line mentioning Putin’s death from a 2024 Spanish thriller Rich Flu.
Censorship now extends far beyond politics, reshaping even harmless scenes: in early November, following a law banning so-called “LGBT propaganda”, a Russian online cinema cut a Fight Club (1999) scene showing men kissing.
It goes beyond films. Several broadcasters have been fined for airing music videos deemed “LGBT propaganda”. In January 2023, a court fined the TNT Music channel one million rubles (roughly €10,600) over a music video Hallucination by Regard and Years & Years.
A year later, another broadcaster, Tochka TV, was fined for airing a music video by pro-regime singer Nikolai Baskov for containing “LGBT propaganda” because of “the lyrical subject’s relationship with a male”. The video had aired on television without issue before. After the new laws came in, some Russian artists began deleting their old videos from YouTube and social media.
Publishers are also blacking out entire paragraphs in books. Even a biography of Italian director Pier Paolo Pasolini was censored, with about a fifth of the text removed because it described an openly gay filmmaker's personal life.
The invasion of Ukraine has triggered a kind of patriotic cultural revolution. Actors, directors, and musicians who publicly opposed the war have been effectively blacklisted – removed from the big screens, stripped of work, and, in many cases, pushed into exile. Some have been declared “foreign agents”, a status that severely restricts civil rights and professional opportunities.
Some songs by these “agents” are being removed from Russian streaming platforms, and performing them publicly can lead to fines or even arrest. For the most recent case – in October, several young street musicians in St Petersburg were arrested for singing songs by anti-war artists.
NewsGuard's Reality Check
newsguardrealitycheck.com
Nov 17, 2025
What happened: In an effort to discredit the Ukrainian Armed Forces and undermine their morale at a critical juncture of the Russia-Ukraine war, Kremlin propagandists are weaponizing OpenAI’s new Sora 2 text-to-video tool to create fake, viral videos showing Ukrainian soldiers surrendering in tears.
Context: In a recent report, NewsGuard found that OpenAI’s new video generator tool Sora 2, which creates 10-second videos based on the user’s written prompt, advanced provably false claims on topics in the news 80 percent of the time when prompted to do so, demonstrating how the new and powerful technology could be easily weaponized by foreign malign actors.
A closer look: Indeed, so far in November 2025, NewsGuard has identified seven AI-generated videos presented as footage from the front lines in Pokrovsk, a key eastern Ukrainian city that experts expect to soon fall to Russia.
The videos, which received millions of views on X, TikTok, Facebook, and Telegram, showed scenes of Ukrainian soldiers surrendering en masse and begging Russia for forgiveness.
Here’s one video supposedly showing Ukrainian soldiers surrendering:
And a video purporting to show Ukrainian soldiers begging for forgiveness:
Actually: There is no evidence of mass Ukrainian surrenders in or around Pokrovsk.
The videos contain multiple inconsistencies, including gear and uniforms that do not match those used by the Ukrainian Armed Forces, unnatural faces, and mispronunciations of the names of Ukrainian cities. NewsGuard tested the videos with AI detector Hive, which found with 100 percent certainty that all seven were created with Sora 2. The videos either had the small Sora watermark or a blurry patch in the location where the watermark had been removed. Users shared both types as if they were authentic.
The AI-generated videos were shared by anonymous accounts that NewsGuard has found to regularly spread pro-Kremlin propaganda.
Ukraine’s Center for Countering Disinformation said in a Telegram post that the accounts “show signs of a coordinated network specifically created to promote Kremlin narratives among foreign audiences.”
In response to NewsGuard’s Nov. 12, 2025, emailed request for comment on the videos, OpenAI spokesperson Oscar Haines said “we’ll investigate” and asked for an extension to Nov. 13, 2025, to provide comment, which NewsGuard provided. However, Haines did not respond to follow-up inquiries.
This is not the first time Kremlin propagandists have weaponized OpenAI’s tools for propaganda. In April 2025, NewsGuard found that pro-Kremlin sources used OpenAI’s image generator to create images of action figure dolls depicting Ukrainian President Volodymyr Zelensky as a drug addict and corrupt warmonger.
akamai.com
Nov 06, 2025
Akamai is aware of content and connectivity filtering within Russia. Although we have not yet seen wholesale blocking of our platform for users, Russian network operator actions and actions by the Russian government may impact delivery to some users within some networks.
Such blocks often happen without any advance notice and are beyond our control. This is a highly dynamic situation as the nature and targets of filtering and blocking are changing without notice or visibility.
The Akamai network can automatically adapt to some of these impacts. However, it is impossible for us to respond to all Russian government actions (including IP-based blocks, SNI-based blocks, traffic throttling, total network shutdowns, and potential others).
Because of the constantly evolving situation — including active hostilities — ongoing delivery of traffic to users in Russia is provided, unfortunately, on a best-effort basis.
| The Record from Recorded Future News
Daryna Antoniuk
October 31st, 2025
Russia's Interior Ministry posted a video of raids on suspected developers of the Meduza Stealer malware, which has been sold to cybercriminals since 2023.
Russian police said they detained three hackers suspected of developing and selling the Meduza Stealer malware in a rare crackdown on domestic cybercrime.
The suspects were arrested in Moscow and the surrounding region, Russia’s Interior Ministry spokesperson Irina Volk said in a statement on Thursday.
The three “young IT specialists” are suspected of developing, using and selling malicious software designed to steal login credentials, cryptocurrency wallet data and other sensitive information, she added.
Police said they seized computer equipment, phones, and bank cards during raids on the suspects’ homes. A video released by the Interior Ministry shows officers breaking down doors and storming into apartments. When asked by police why he had been detained, one suspect replied in Russian, “I don’t really understand.”
Officials said the suspects began distributing Meduza Stealer through hacker forums roughly two years ago. In one incident earlier this year, the group allegedly used the malware to steal data from an organization in Russia’s Astrakhan region.
Authorities said the group also created another type of malware designed to disable antivirus protection and build botnets for large-scale cyberattacks. The malicious program was not identified. The three face up to four years in prison if convicted.
Meduza Stealer first appeared in 2023, sold on Russian-language hacking forums and Telegram channels as a service for a fee. It has since been used in cyberattacks targeting both personal and financial data.
Ukrainian officials have previously linked the malware to attacks on domestic military and government entities. In one campaign last October, threat actors used a fake Telegram “technical support” bot to distribute the malware to users of Ukraine’s government mobilization app.
Researchers have also observed Meduza Stealer infections in Poland and inside Russia itself — including one 2023 campaign that used phishing emails impersonating an industrial automation company.
Russia’s law enforcement agencies rarely pursue cybercriminals operating inside the country. But researchers say that has begun to change.
According to a recent report by Recorded Future’s Insikt Group, Moscow’s stance has shifted “from passive tolerance to active management” of the hacking ecosystem — a strategy that includes selective arrests and public crackdowns intended to reinforce state authority while preserving useful talent.
Such moves mark a notable shift in a country long seen as a safe haven for financially motivated hackers. Researchers say many of these actors are now decentralizing their operations to evade both Western and domestic surveillance.
The Record is an editorially independent unit of Recorded Future.
theins.ru
The Insider
2 October 2025 23:03
The hacker collective Black Mirror has released the first portion of an archive of documents from the Russian state defense corporation Rostec. The tranche contains more than 300 items. The materials detail Russia’s military and technical cooperation with foreign clients, pricing for military items, and logistics schemes aimed at evading sanctions. The published documents also include internal correspondence, presentations on overseas helicopter service centers, and agreements with international partners.
The files show that Russian companies have faced difficulties receiving payments for contracts with Algeria, Egypt, China, and India. Russian banks have been unable to issue guarantees or conduct transactions through the SWIFT system, forcing them to search for alternative settlement schemes in yuan, rubles, and euros.
The archive also contains information about an international network of service centers for Russian helicopter equipment. The documents describe existing and planned maintenance facilities in the UAE, Afghanistan, Vietnam, Bulgaria, Kazakhstan, and other countries. Particular attention is paid to the creation of an international regional logistics hub in Dubai, near Al Maktoum Airport, designed as a central node for supplying spare parts and components.
Among the materials is a letter from the Rostec holding company Concern Radio-Electronic Technologies (CRET) on pricing for military products in export contracts. The document proposes a simplified formula for setting wholesale prices, profit margins, transport expenses, and currency risks. It also discusses possible legal changes to allow more flexible use of revenues from military-technical cooperation.
The hackers said this is only the first portion of the Rostec archive, which they are releasing in what they called “fuck off exposure” mode. Black Mirror claims the documents include a list of “reliable trading partners” in several countries. These are said to have been approved by Russia’s Defense Ministry, the FSB, and the Foreign Intelligence Service (SVR) with the aim of reducing the risk of aviation and technical equipment being redirected to Ukraine through third countries.
In August, Telegram blocked Black Mirror’s channel. Attempts to access it displayed a notice that cited doxxing, defamation, and extortion as the reasons behind the ban. The Insider is not aware of the channel extorting money from anyone.
bbc.com/ Jacqueline Howard
The pair were allegedly recruited by pro-Russian hackers and used a "wi-fi sniffer" on the Europol headquarters.
Two 17-year-old boys have been arrested on suspicion of "state interference" in the Netherlands, prosecutors say, in a case with reported links to Russian spying.
The pair were allegedly contacted by pro-Russian hackers on the messaging app Telegram, Dutch media reported.
One of the boys allegedly walked past the offices of Europol, Eurojust and the Canadian embassy in The Hague carrying a "wi-fi sniffer" - a device designed to identify and intercept wi-fi networks.
The teenagers appeared before a judge on Thursday, who ordered one boy be remanded in custody and the other placed on strict home bail conditions until a hearing, which is due to take place in the next two weeks.
The National Office of the Netherlands Public Prosecution Service confirmed court appearance, but told the BBC it could not provide details on the case due to the suspects' age and in "the interest of the investigation", which is ongoing.
One of the boy's father told Dutch newspaper De Telegraaf that police had arrested his son on Monday afternoon while he was doing his homework.
He said police told him that the arrest related to espionage and rendering services to a foreign country, the paper reports.
The teenager was described as being computer savvy and having a fascination for hacking, while holding a part-time job at a supermarket.
The Netherlands' domestic intelligence and security agency declined to comment on the case when approached by the BBC.
PUBLISHED ON 18 SEP 2025
recordedfuture.com
Insikt Group®
Executive Summary
Since March 2025, Insikt Group has observed CopyCop (also known as Storm-1516), a Russian covert influence network, creating at least 200 new fictional media websites targeting the United States (US), France, and Canada, in addition to websites impersonating media brands and political parties and movements in France, Canada, and Armenia. CopyCop has also established a regionalized network of websites posing as a fictional fact-checking organization publishing content in Turkish, Ukrainian, and Swahili, languages never featured by the network before. Including the 94 websites targeting Germany reported by Insikt Group in February 2025, this amounts to over 300 websites established by CopyCop’s operators in the year to date, marking a significant expansion from our initial reporting on the network in 2024, and with many yet to be publicly documented.
These websites are very likely operated by John Mark Dougan with support from the Moscow-based Center for Geopolitical Expertise (CGE) and the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). CopyCop uses these websites as infrastructure to disseminate influence content targeting pro-Western leadership and publish artificial intelligence (AI)-generated content with pro-Russian and anti-Ukrainian themes in support of Russia’s offensive operations in the global information environment.
While the network’s scope in terms of target languages and countries has expanded, its primary objectives almost certainly remain unchanged: undermining support for Ukraine and exacerbating political fragmentation in Western countries backing Ukraine. Insikt Group has also observed CopyCop engaging in additional secondary objectives like advancing Russia’s geopolitical objectives in its broader sphere of influence, such as Armenia and Moldova. CopyCop’s narratives and content in support of these objectives are routinely amplified by an ecosystem of social media influencers in addition to other Russian influence networks like Portal Kombat and InfoDefense.
Similar to its objectives, CopyCop’s tactics, techniques, and procedures (TTPs) remain broadly unchanged, with marginal improvements designed to strengthen the network’s reach, resilience, and credibility. Tactics and techniques used for content dissemination typically include deepfakes, lengthy dossiers intending to embarrass targets, and fake interviews of alleged whistleblowers making claims about political leaders in NATO member states like the US, France, and Germany. Insikt Group also identified new evidence that CopyCop uses self-hosted, uncensored large language models (LLMs) based on Meta’s Llama 3 open-source models to generate AI content rather than relying on Western AI service providers.
Relative to other Russian influence networks, CopyCop’s impact remains significant: targeted influence content promoted by its websites and an ecosystem of pro-Russian social media influencers and so-called “journalists” regularly obtains high rates of organic engagement across multiple social media platforms, and has a precedent for breaking into mainstream political discourse. Persistently identifying and publicly exposing these networks should remain a priority for governments, journalists, and researchers seeking to defend democratic institutions from Russian influence.
Key Findings
To date, in 2025, CopyCop has widened its target languages to include Turkish, Ukrainian, and Swahili, and its geographic scope to include Moldova, Canada, and Armenia while sustaining influence operations targeting the US and France. The network is also leveraging new infrastructure to publish content, marking a significant expansion of its activities targeting new audiences.
CopyCop’s core influence objectives remain eroding public support for Ukraine and undermining democratic processes and political leaders in Western countries supporting Ukraine.
CopyCop’s TTPs are broadly unchanged from previous assessments, with only marginal improvements to increase the network’s reach, resilience, and credibility. Newly observed TTPs include evidence of CopyCop using self-hosted LLMs for content generation, employing subdomains as mirrors, and impersonating media outlets.
Insikt Group has identified two uncensored versions of Meta’s Llama-3-8b model that are likely being used by CopyCop to generate articles.
The network is also increasingly conducting influence operations within Russia’s sphere of influence, including targeting Moldova and Armenia ahead of their parliamentary elections in 2025 and 2026, respectively. This is a broader trend observed across the Russian influence ecosystem.
Background
Insikt Group previously documented CopyCop in May and June 2024, in addition to the network’s attempts at influencing the 2024 French snap elections, 2024 US presidential elections, and 2025 German federal elections. Reporting from other organizations such as Clemson University, VIGINUM, NewsGuard, Microsoft, European External Action Service, and Gnida Project has broadly corroborated our initial assessments of the network’s objectives, targets, and infrastructure, in addition to our attribution of part of the network’s activities to John Mark Dougan, a US citizen based in Moscow. The Washington Post and the US Department of the Treasury have also since established links between Dougan, the CGE, and the GRU. The GRU reportedly helped fund self-hosted LLM infrastructure, while the CGE was likely responsible, with Dougan’s assistance and direction from the GRU, for the creation of deepfakes and inauthentic content targeting political leaders in the US, Ukraine, France, and other countries.
Si chiama MAX, è un'alternativa a WhatsApp e Telegram voluta dal governo, e tutela pochissimo la privacy dei suoi utenti
Dall’inizio di settembre per ordine del governo russo tutti i cellulari, i tablet e le smart tv venduti in Russia hanno una nuova applicazione già installata che serve a chiamare e chattare gratuitamente: si chiama MAX ed è stata sviluppata su ordine del presidente Vladimir Putin. MAX è pensata per essere un’alternativa ad applicazioni simili e che in Russia sono più popolari, come WhatsApp e Telegram. Rispetto a queste però ha regole sulla protezione dei dati personali molto meno rigide: secondo diversi esperti e dissidenti è molto probabile che il governo voglia usarla per controllare le conversazioni private dei cittadini.
MAX dice chiaramente nelle condizioni di utilizzo che si riserva il diritto di trasferire i dati degli utenti «a qualsiasi autorità statale o ente di autogoverno locale» che ne faccia richiesta. È una differenza importante rispetto a WhatsApp e Telegram, che in passato hanno rifiutato di condividere con le autorità russe dati sugli utenti o sulle loro conversazioni.
WhatsApp e Telegram, finora, sono state di gran lunga le applicazioni di messaggistica più utilizzate in Russia (WhatsApp viene usata da più di 100 milioni di russi, su una popolazione di 143, Telegram da circa 90 milioni). Proprio per il loro rifiuto di collaborare con il governo, però, hanno subito ritorsioni: da metà agosto Roskomnadzor (cioè l’agenzia governativa responsabile delle telecomunicazioni) ha reso impossibile utilizzarle per effettuare chiamate. Roskomnadzor ha giustificato la decisione sostenendo che vengono usate per compiere azioni criminali come truffe, atti di sabotaggio e attività terroristiche.
MAX è stata progettata seguendo un decreto di Putin dello scorso giugno. È stata sviluppata da VK, importante azienda digitale russa che gestisce il popolarissimo social network russo Vkontakte. VK è di proprietà di un uomo d’affari che ha legami stretti con Putin, Yuri Kovalchuk, ed è considerata molto vicina al governo russo.
Al momento MAX è disponibile solo per chi possiede un numero di cellulare russo o bielorusso: le regole per ottenerli sono generalmente molto restrittive, ed è impossibile farlo senza un documento personale. Il fatto che il governo stia insistendo così tanto su una propria applicazione di messaggistica, ostacolando WhatsApp e Telegram, fa anche sì che per chi si trova in Russia sia diventato più difficile comunicare con i moltissimi russi che si oppongono a Putin e che hanno lasciato il paese.
Il governo sta cercando di incoraggiare l’utilizzo dell’applicazione imponendone l’uso in diversi ambiti, per esempio le scuole devono usarla per comunicare con i genitori. L’app viene promossa facendo leva sul nazionalismo russo ed è presentata come un’alternativa “patriottica” alle applicazioni straniere. Questa promozione viene fatta con spot e interventi pubblicitari a volte anche un po’ goffi: un musicista filoputiniano, Egor Krid, ha inserito un piccolo messaggio a sostegno di MAX all’inizio di un video musicale, in cui fa apprezzamenti sull’applicazione, dicendo che funziona «anche in mezzo al mare».
Gli sforzi del governo stanno portando a qualche risultato: secondo dati dell’azienda anche se MAX per ora è meno usata di Telegram e WhatsApp, al momento circa 30 milioni di russi la utilizzano, e stanno aumentando.
In futuro il governo vorrebbe rendere l’applicazione ancora più attraente, per esempio permettendo di usarla per accedere a servizi pubblici e fare pagamenti (anche se questo non è ancora possibile). Molti esperti hanno notato come i piani per MAX assomiglino, in sostanza, all’applicazione WeChat, che in Cina viene usata un po’ per tutto e che è uno strumento di censura e repressione da parte del governo cinese.
Da quando è iniziata l’invasione dell’Ucraina nel febbraio 2022 le autorità russe hanno aumentato la repressione nei confronti dei dissidenti. Hanno anche preso diverse decisioni per aumentare il proprio controllo su internet e, in generale, per realizzare quella che il governo chiama la «sovranità digitale», riducendo la dipendenza dalle aziende tecnologiche occidentali e cercando di rimpiazzarle con proprie versioni.
Per esempio hanno bandito Instagram e Facebook, sostenendo che diffondessero informazioni estremiste. Hanno anche realizzato una propria versione di Wikipedia, Ruviki, che interpreta fatti e informazioni rispettando le indicazioni del governo.
A luglio il parlamento russo ha anche approvato una legge che punisce con una multa le persone che cercano «contenuti estremisti» online, cioè qualunque contenuto non approvato dal governo. La lista dei contenuti considerati illegali, che è stata approvata dal ministero della Giustizia, è lunga più di 500 pagine: contiene, tra le altre cose, riferimenti alle attività del dissidente Alexei Navalny, canzoni ucraine, informazioni sulla comunità LGBT+ e sulle piattaforme gestite da Meta.
Moltissimi siti sono stati oscurati e sono disponibili soltanto utilizzando una VPN (Virtual Private Network, ovvero “rete virtuale privata”), un software che serve a creare un canale sicuro per la trasmissione di dati su Internet. Alcuni servizi, come successo con WhatsApp e Telegram, sono stati resi di proposito più lenti e difficili da usare, in modo da spingere più persone a usare siti e servizi messi a disposizione dal governo, che sono però soggetti alla censura e molto meno sicuri, secondo un rapporto di Human Rights Watch. Oltre a tutto questo, le autorità russe hanno anche semplicemente iniziato a bloccare l’accesso a internet sempre più di frequente negli ultimi mesi, impedendo ai residenti di alcune zone di utilizzarlo anche per periodi di diversi giorni.
aws.amazon.com by CJ Moses on 29 AUG 2025
Amazon’s threat intelligence team has identified and disrupted a watering hole campaign conducted by APT29 (also known as Midnight Blizzard), a threat actor associated with Russia’s Foreign Intelligence Service (SVR). Our investigation uncovered an opportunistic watering hole campaign using compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft’s device code authentication flow. This opportunistic approach illustrates APT29’s continued evolution in scaling their operations to cast a wider net in their intelligence collection efforts.
The evolving tactics of APT29
This campaign follows a pattern of activity we’ve previously observed from APT29. In October 2024, Amazon disrupted APT29’s attempt to use domains impersonating AWS to phish users with Remote Desktop Protocol files pointed to actor-controlled resources. Also, in June 2025, Google’s Threat Intelligence Group reported on APT29’s phishing campaigns targeting academics and critics of Russia using application-specific passwords (ASPs). The current campaign shows their continued focus on credential harvesting and intelligence collection, with refinements to their technical approach, and demonstrates an evolution in APT29’s tradecraft through their ability to:
Compromise legitimate websites and initially inject obfuscated JavaScript
Rapidly adapt infrastructure when faced with disruption
On new infrastructure, adjust from use of JavaScript redirects to server-side redirects
Technical details
Amazon identified the activity through an analytic it created for APT29 infrastructure, which led to the discovery of the actor-controlled domain names. Through further investigation, Amazon identified the actor compromised various legitimate websites and injected JavaScript that redirected approximately 10% of visitors to these actor-controlled domains. These domains, including findcloudflare[.]com, mimicked Cloudflare verification pages to appear legitimate. The campaign’s ultimate target was Microsoft’s device code authentication flow. There was no compromise of AWS systems, nor was there a direct impact observed on AWS services or infrastructure.
Analysis of the code revealed evasion techniques, including:
Using randomization to only redirect a small percentage of visitors
Employing base64 encoding to hide malicious code
Setting cookies to prevent repeated redirects of the same visitor
Pivoting to new infrastructure when blocked
Image of compromised page, with domain name removed.
Image of compromised page, with domain name removed.
Amazon’s disruption efforts
Amazon remains committed to protecting the security of the internet by actively hunting for and disrupting sophisticated threat actors. We will continue working with industry partners and the security community to share intelligence and mitigate threats. Upon discovering this campaign, Amazon worked quickly to isolate affected EC2 instances, partner with Cloudflare and other providers to disrupt the actor’s domains, and share relevant information with Microsoft.
Despite the actor’s attempts to migrate to new infrastructure, including a move off AWS to another cloud provider, our team continued tracking and disrupting their operations. After our intervention, we observed the actor register additional domains such as cloudflare[.]redirectpartners[.]com, which again attempted to lure victims into Microsoft device code authentication workflows.
Protecting users and organizations
We recommend organizations implement the following protective measures:
For end users:
Be vigilant for suspicious redirect chains, particularly those masquerading as security verification pages.
Always verify the authenticity of device authorization requests before approving them.
Enable multi-factor authentication (MFA) on all accounts, similar to how AWS now requires MFA for root accounts.
Be wary of web pages asking you to copy and paste commands or perform actions in Windows Run dialog (Win+R).
This matches the recently documented “ClickFix” technique where attackers trick users into running malicious commands.
For IT administrators:
Follow Microsoft’s security guidance on device authentication flows and consider disabling this feature if not required.
Enforce conditional access policies that restrict authentication based on device compliance, location, and risk factors.
Implement robust logging and monitoring for authentication events, particularly those involving new device authorizations.
Indicators of compromise (IOCs)
findcloudflare[.]com
cloudflare[.]redirectpartners[.]com
Sample JavaScript code
Decoded JavaScript code, with compromised site removed: "[removed_domain]"
Decoded JavaScript code, with compromised site removed: “[removed_domain]”
hole campaign using compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices […]
cyberscoop.com August 20, 2025 - A Russian state-sponsored group known as Static Tundra has persistently exploited the Cisco CVE-2018-0171 vulnerability to compromise network devices worldwide, targeting key industries and evading detection for years, according to new findings by Cisco Talos.
The group, designated “Static Tundra” by Cisco Talos, is linked to the Russian Federal Security Service’s Center 16 unit and operates as a likely sub-cluster of the broader “Energetic Bear” threat group. The operation represents one of the most persistent network device compromise campaigns documented to date, with the group maintaining undetected access to victim systems for multiple years.
According to the researchers, the group has been leveraging CVE-2018-0171, a vulnerability in Cisco IOS software’s Smart Install feature that was patched when initially disclosed in 2018. Despite the availability of patches, the group continues to find success targeting organizations that have left devices unpatched or are running end-of-life equipment that cannot be updated.
The vulnerability allows attackers to execute arbitrary code on affected devices or trigger denial-of-service conditions.
Researchers believe the group has developed automated tooling to exploit the vulnerability at scale, likely identifying targets through publicly available network scanning data from services such as Shodan or Censys.
Once initial access is gained, the group employs sophisticated techniques to extract device configuration data, which often contains credentials and network information valuable for further compromise. The attackers use a combination of Trivial File Transfer Protocol (TFTP) servers and Simple Network Management Protocol (SNMP) tools to maintain access and collect intelligence.
The espionage campaign has affected organizations in telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. Victim selection appears to align with Russia’s strategic interests, with researchers noting a significant escalation in operations against Ukrainian entities following the onset of the Russia-Ukraine conflict.
“One of the clearer targeting shifts we observed was that Static Tundra’s operations against entities in Ukraine escalated at the start of the Russia-Ukraine war, and have remained high since then,” the Cisco Talos report states. The group expanded its targeting within Ukraine from selective, limited compromises to operations across multiple industry verticals.
WARSAW, Aug 14 (Reuters) - A large Polish city could have had its water supply cut off on Wednesday as a result of a cyberattack, a deputy prime minister said after the intrusion was foiled.
In an interview with news portal Onet on Thursday, Deputy Prime Minister Krzysztof Gawkowski, who is also digital affairs minister, did not specify who was behind the attack or which city was targeted.
Poland has said that its role as a hub for aid to Ukraine makes it a target for Russian cyberattacks and acts of sabotage. Gawkowski has described Poland in the past as the "main target" for Russia among NATO countries.
Gawkowski told Onet that the cyberattack could have meant there would be no water in one of Poland's big cities.
"At the last moment we managed to see to it that when the attack began, our services had found out about it and we shut everything down. We managed to prevent the attack."
He said Poland manages to thwart 99% of cyberattacks.
Gawkowski last year that Poland would spend over 3 billion zlotys ($800 million) to boost cybersecurity after the state news agency PAP was hit by what authorities said was likely to have been a Russian cyberattack.
The digital affairs ministry did not immediately respond to an email requesting further details.
On Wednesday Prime Minister Donald Tusk, who has warned that Russia is trying to drive a wedge between Warsaw and Kyiv, said that a young Ukrainian man had been detained for acts of sabotage on behalf of foreign intelligence services, including writing graffiti insulting Poles.
PAP reported on Thursday that a 17-year-old Ukrainian man detained, among other things, for desecrating a monument to Poles killed by Ukrainian nationalists in World War Two has been charged with participating in an organised criminal group aimed at committing crimes against Poland.
Cyberattacks are part of Russia’s hybrid warfare strategy, designed not only to cause harm, but to “demonstrate what they are capable of.”
The Norwegian Police Security Service suspects pro-Russian hackers sabotaged a dam in southwestern Norway in April.
Norwegian daily newspaper VG reported that the hackers breached the dam’s control system, opening valves for four hours, sending large amounts of water gushing forth until the valves could be shut.
The chief of the Norwegian Police Security Service (PST) Beate Gangås, disclosed the incident during a presentation on pro-Russian cyber operations at a public event on Wednesday.
According to VG, Gangås said that the number of cyberattacks on Western infrastructure was increasing, often not to cause damage but to “demonstrate what they are capable of.” She also said Norway should be prepared for further hacking attacks.
At the same event, Nils Andreas Stensønes, head of the Norwegian Intelligence Service said that Russia was the biggest threat to Norway’s security.
Cyberattacks on Western targets are part of Russia’s hybrid warfare strategy. In another water-related case in January 2024, a hacking group breached a Texas water facility’s system, causing it to overflow. The suspected hackers are linked to the Kremlin.
The dam is located in the municipality of Bremanger, approximately 150 kilometers north of the city of Bergen. Local media say that the dam is not used for energy production and that the hackers might have exploited a security gap created by a weak password.
france24.com In what it called an effort to "combat criminals," Russia said Wednesday it would restrict calls on the popular messaging apps WhatsApp and Telegram, platforms a watchdog says are used for fraud, extortion, and that involve Russian citizens in "terrorist activities."
Russia announced curbs on calls on the WhatsApp and Telegram messenger apps on Wednesday, saying that this was necessary to fight criminality, state media reported.
"In order to combat criminals, measures are being taken to partially restrict calls on these foreign messaging apps (WhatsApp and Telegram)," communications watchdog Roskomnadzor said, as quoted by the RIA and TASS news agencies.
The messenger apps have become "the main voice services used for fraud and extortion, and for involving Russian citizens in subversive and terrorist activities," the watchdog added.
Russian security services have frequently claimed that Ukraine was using Telegram to recruit people or commit acts of sabotage in Russia.
Moscow wants the messengers to provide access to data upon request from law enforcement, not only for fraud probes but also for investigating activities that Russia describes as terrorist ones.
"Access to calls in foreign messengers will be restored after they start complying with Russian legislation," Russia's digital ministry said.
In a statement sent to AFP, Telegram said it "actively combats misuse of its platform, including calls for sabotage or violence, as well as fraud" and removes "millions of pieces of harmful content every day".
Since launching its offensive in Ukraine, Russia has drastically restricted press freedom and freedom of speech online.
"WhatsApp is private, end-to-end encrypted, and defies government attempts to violate people's right to secure communication, which is why Russia is trying to block it from over 100 million Russian people," a spokesperson for Meta-owned WhatsApp told AFP.
More than 100 million people in Russia use WhatsApp for messages and calls, and the platform is concerned that this is an effort to push them onto platforms more vulnerable to government surveillance, according to the spokesperson.
(FRANCE 24 with AFP)
The Dutch Public Prosecution Service on Monday began phased restoration of its networks after a cyberattack last month forced the agency to take down its services offline.
The agency on Monday confirmed that hackers exploited a vulnerability in a Citrix device, but said that no data was stolen or manipulated in the breach. It took systems offline on July 17 following disclosures of vulnerabilities in Citrix NetScaler ADC and Gateway appliances.,
Dutch media reported in late July that "well-informed sources" believe Russia is behind the incident. Cybersecurity experts told newspaper Algemeen Dagblad that Russian hackers were likely gathering intelligence from the prosecution office or intending to disrupt a close Western ally of Ukraine. The Netherlands has been a strong supporter of Kyiv following Moscow's 2022 invasion of Ukraine, including by transferring F-16 airplanes and training the Ukraine military. Only on Monday it pledged 500 million euros to a NATO fund purchasing U.S. munitions for Ukraine, including Patriot missile intercept systems.
A July warning from the Dutch National Cyber Security Center that hackers were targeting vulnerabilities known as Citrix Bleed 2 prompted the prosecution service to isolate its internal network. The vulnerability, tracked as CVE-2025-5777, allows attackers to bypass multifactor authentication, hijack user sessions and gain unauthorized access to the equipment (see: Attackers Actively Exploit 'Citrix Bleed 2' Vulnerability).
Netherlands intelligence agencies earlier this year fingerprinted Moscow hackers for September 2024 breach resulting in the theft of work-related contact details of all Dutch police officers. Dutch agencies said the hackers behind the police incident belonged to a new cluster of threat activity they dubbed Laundry Bear. The group shares tactics with Unit 26165 of the Russian Main Intelligence Directorate, commonly tracked as APT28, the government said (see: NATO Countries Targeted By New Russian Espionage Group).
Citrix released patches for Citrix Bleed 2 on June 17. The Dutch Public Prosecution Service would not be the only organization to have succumbed to the flaw. Cybersecurity company Imperva in July reported observing more than 10 million attack attempts, although many of those were opportunistic and automated. Nor would Russia be the only nation-state to take advantage of the flaw. GreyNoise last month said it observed early exploitation attempts appearing to originate from China in what appeared to be targeted attacks.
nytimes.com 04.08 - The introduction of a state-approved messaging app has raised fears that Russia could be preparing to block WhatsApp and Telegram.
Russia is escalating its efforts to curtail online freedom, taking new steps toward a draconian state-controlled internet.
The authorities are cracking down on workarounds that Russians have been using for access to foreign apps and banned content, including through new laws signed by President Vladimir V. Putin this past week. Moscow has also been impeding the function of services from U.S. tech companies, like YouTube, that Russians have used for years.
At the same time, the Kremlin is building out a domestic ecosystem of easily monitored and censored Russian alternatives to Western tech products. That includes a new state-approved messaging service, MAX, which will come preinstalled by law on all new smartphones sold in Russia starting next month.
The idea, experts say, is to migrate more Russians from an open internet dominated by the products of Western tech giants to a censored online ecosystem, where Russians primarily use software under the gaze and influence of the state. The effort has advanced significantly amid wartime repression, but it is unclear how far it will go.
“The goal here is absolute control,” said Anastasiia Kruope, a researcher at Human Rights Watch who wrote a recent report on declining Russian internet freedoms.
The Kremlin wants to control not only the information available online but also where and how internet traffic flows, Ms. Kruope said, so the Russian internet can function in isolation and be switched on and off at will. Russia’s technical capabilities for clamping down are improving, she added.
“They are not perfect,” Ms. Kruope said. “They are not nearly at the level they would like them to be. But they are getting better, and this is the reason to start paying attention.”“The goal here is absolute control,” said Anastasiia Kruope, a researcher at Human Rights Watch who wrote a recent report on declining Russian internet freedoms.
The Kremlin wants to control not only the information available online but also where and how internet traffic flows, Ms. Kruope said, so the Russian internet can function in isolation and be switched on and off at will. Russia’s technical capabilities for clamping down are improving, she added.
“They are not perfect,” Ms. Kruope said. “They are not nearly at the level they would like them to be. But they are getting better, and this is the reason to start paying attention.”
