ictjournal.ch - For years, the pro-Russian hacker group "Noname057(16)" conducted DDoS attacks against Western servers, including critical infrastructure in Switzerland. Judicial authorities have now dismantled one of the group's botnets and made arrests. The Office of the Attorney General of Switzerland (OAG) has issued three arrest warrants.
Judicial authorities in several countries carried out a coordinated operation against the hacker group "Noname057(16)". During the Action Day, launched by Europol after several years of investigation, searches took place in several countries, according to a statement from the Office of the Attorney General of Switzerland (OAG). Authorities seized equipment and arrested people, while in Switzerland "neither any computer involved in the network and the attacks nor any person domiciled in the country was identified".
The internationally coordinated measures, dubbed Operation Eastwood, led to the dismantling of a botnet made up of several hundred servers spread across the world, according to Germany's Federal Criminal Police Office (BKA). The group "Noname057(16)" used this network to launch DDoS attacks, cyberattacks intended to deliberately overload servers.
Three arrest warrants issued by Switzerland
The group "Noname057(16)" has built up a substantial criminal record in recent years. The pro-Russian group has made itself known regularly since the start of the war in Ukraine in March 2022, the OAG says. The hacker collective has conducted DDoS attacks against numerous Western countries it considers pro-Ukrainian. On several occasions, Swiss servers, including sensitive infrastructure, were targeted. These attacks generally coincide with events related to Ukraine.
As a reminder, the hacktivist group paralysed the Parliament's websites in summer 2023, on the occasion of a video address by Ukrainian President Volodymyr Zelensky to the Federal Assembly. In January 2024, the hackers became active again during the Ukrainian president's visit to the World Economic Forum (WEF). A year later, the websites of the city of Lucerne and of the Banque cantonale vaudoise were also targeted. Hacktivist attacks also took place in June 2024 during the Bürgenstock peace conference and during the Eurovision Song Contest in May 2025.
In June 2023, the Office of the Attorney General opened criminal proceedings against unknown persons for data damage and coercion, according to the statement. In the course of the coordinated international investigations, several members of the hacker group were identified, including three presumed key figures. The OAG extended its investigation to these individuals and issued arrest warrants against them.
As part of the Action Day on 15 July 2025, the authorities of Switzerland and Germany were joined by those of the United States, the Netherlands, Sweden, France, Spain and Italy. The operation was supported by Europol, Eurojust and other European countries, the German federal police (BKA) says. In Switzerland, the OAG and the Federal Office of Police (fedpol) contributed to the investigation.
The OAG regards the results of the operation as proof that "prosecution authorities are also capable of identifying highly professional cybercriminals and of providing protection against their attacks". The OAG stresses the importance of international cooperation in the fight against cross-border cybercrime.
theregister.com - Exclusive: Aviation insiders say Serbia's national airline, Air Serbia, was forced to delay issuing payslips to staff as a result of a cyberattack it is battling.
Internal memos, seen by The Register, dated July 10 told staff: "Given the current situation and the ongoing cyberattacks, for security reasons, we will postpone the distribution of the June 2025 payslips.
"The IT department is working to resolve the issue as a priority, and once the conditions allow, the payslips will be sent to your email addresses."
Staff were reportedly paid their monthly salaries, but access to their payslip PDF was unavailable.
HR warned staff earlier in the day against opening emails that appeared to be related to payslips, or those that mention the staff members' first and last names "as if you sent them to yourself."
"We also kindly ask that you act responsibly given the current situation."
According to other internal comms seen by The Register, Air Serbia's IT team began emailing staff warning them that it was facing a cyberattack on July 4.
"Our company is currently facing cyberattacks, which may lead to temporary disruptions in business processes," they read.
"We kindly ask all managers to promptly create a work plan adapted to the changed circumstances, in accordance with the Business Continuity Plan, and to communicate it to their teams as soon as possible."
The same email communication chain mentioned the company's IT and security manager issuing a staff-wide password reset and installing security-scanning software on their machines on July 7.
All service accounts were killed at this point, which affected several automated processes, and datacenters were added to a demilitarized zone, which led to issues with users not being able to sync their passwords.
Additionally, internet access was removed for all endpoints, leaving only a certain few whitelisted pages under the airserbia.com domain available.
IT also installed a new VPN client "due to identified security vulnerabilities."
"We kindly ask you to take this situation seriously and fully cooperate with the IT team," the memo reads. "Please allow them to install the necessary software as efficiently as possible and carefully follow any further instructions they provide."
Two days after this, another wave of password resets came, the source said. Instead of allowing users to choose their own, the replacements followed a template from the sysadmins.
On July 11, IT issued a third wave of password resets, and staff were asked to leave their PCs locked but open before heading home for the weekend, so the IT team could continue working on them.
A source familiar with the matter, who spoke to The Register on condition of anonymity, said Air Serbia is trying to clean up a cyberattack that led to a deep compromise of its Active Directory.
As of July 14, the source claimed the airline's blue team has not fully eradicated the attackers' access to the company network and is not sure when the attackers broke in, due to a lack of security logs, although it is thought to be in the first few days of July.
The attack at the company, which is government-owned, is likely to have led to personal data compromise, the insider suspects, and some staff expressed concern that the company might not publicly disclose the intrusion.
bankinfosecurity.com - Hacker Claims to Have Exploited Flaw in Oracle WebLogic Server, Sold Stolen Data
A hacker claims to have stolen and sold the personal data of clients of Seychelles Commercial Bank. The bank, which provides personal and corporate services in the Seychelles, one of the world's smallest countries, notified customers of a hack, but said only personal information - not money - was stolen.
The archipelago nation in the Indian Ocean, located northeast of Madagascar, sports 98,000 inhabitants, ranks as the richest country in Africa and has a reputation for being a tax haven.
Seychelles Commercial Bank on Friday said it "recently identified and contained a cybersecurity incident, which has resulted in its internet banking services being temporarily suspended," and requested customers "make use of our ATMs or visit one of our branches during normal banking hours."
In its breach notification, the bank told customers: "SCB regrets to inform that this cyber incident resulted in unintentional exposure of personal information of internet banking customers only. The bank reassures all its internet banking customers that no funds have been accessed."
Cyberattack disrupted UNFI’s operations in June; company estimates $50–$60 million net income hit but anticipates insurance will cover most losses.
United Natural Foods, Inc. (NYSE: UNFI), the main distributor for Amazon’s Whole Foods, said the June 2025 cyberattack that caused disruptions to business operations will impact fiscal 2025 net sales by an estimated $350 to $400 million.
In an update on Wednesday, the Rhode Island-based natural food products giant said "anticipated insurance" proceeds would significantly offset those losses.
“The Company estimates that the cyber incident will impact fiscal 2025 net sales by approximately $350 to $400 million, net (loss) income by $50 to $60 million, which includes the estimated tax impact, and adjusted EBITDA by approximately $40 to $50 million,” the company said in a business update on July 16th. “These estimates do not reflect the benefit of anticipated insurance proceeds, which the Company expects will be adequate for the incident. The Company does not currently expect a meaningful operational or financial impact beyond the fourth quarter of fiscal 2025 aside from insurance reimbursement.”
The company revealed in a filing with the SEC on June 9 that it had detected unauthorized activity on some IT systems on June 5. In response to the intrusion, certain systems were taken offline, which impacted its ability to fulfill and distribute customer orders.
UNFI advertises itself as the largest full-service grocery partner in North America, delivering products to over 30,000 locations, including natural product superstores, conventional supermarket chains, e-commerce providers, and independent retailers. With more than $30 billion in annual revenue, the company offers more than 250,000 natural, organic and conventional SKUs through its more than 50 distribution centers.
“We are grateful to our customers, suppliers, and associates for their resilience and collaboration as we worked through a challenging period for all of us. With our operations returning to more normalized levels, we remain focused on adding value for our customers and suppliers while becoming a more efficient and effective partner,” said Sandy Douglas, UNFI’s CEO.
The Company updated its full-year outlook to reflect its strong performance for the first three fiscal quarters of 2025 and the estimated costs and charges associated with the June cyber incident.
koreaherald.com - Seoul Guarantee Insurance, South Korea's largest provider of guarantee insurance, has been crippled by a ransomware attack, with its core systems offline for a third straight day.
The incident began early Monday, when SGI reported an “abnormal symptom” in its database system. By Tuesday afternoon, a joint investigation by the Financial Supervisory Service and the Financial Security Institute confirmed it was caused by a ransomware breach.
As a pivotal player in Korea’s guarantee insurance industry, SGI’s disruption is generating widespread confusion and inconvenience. The insurer provides guarantees for both individuals and corporations, with a guarantee balance of 478 trillion won ($344.4 billion) as of end-2024.
The impact is particularly severe in the housing market, where many rely on guarantee insurance for the “jeonse” rental system, where renters pay a large, refundable deposit in exchange for no monthly rent. SGI is one of the leading providers in this space, offering the highest cap on jeonse loan guarantees at 500 million won, compared to 200 million to 400 million won from other institutions.
While some services have been restored through cooperation with financial institutions, SGI’s main data system remains inoperative as of Wednesday morning. In urgent cases, the company has resorted to issuing handwritten guarantee certificates to minimize disruption.
Starting Wednesday, the insurer is operating an emergency center to collect reports of consumer damage and support recovery. “We vow full compensation and are planning responsible follow-up measures,” said SGI President and CEO Lee Myung-soon.
This is the first full-system disruption at a Korean financial institution caused by a ransomware attack and a second such case involving a Korean company this year. In June, major online bookstore Yes24 experienced a five-day outage and an estimated 10 billion won in lost sales due to a similar breach.