[April-12-2025] Daily Cybersecurity Threat Report – Part 1

Executive Summary:

The past 24 hours have been characterized by a significant surge in politically motivated cyber activity, primarily manifesting as Distributed Denial-of-Service (DDoS) and website defacement campaigns targeting governmental and commercial entities across Europe and Russia. Pro-Russian hacktivist group NoName057(16) conducted a sustained DDoS campaign against critical and economic infrastructure in Finland. Concurrently, the pro-Palestinian group Dark Storm Team executed DDoS attacks against government targets in Italy, Kosovo, and Bulgaria. Anonymous Italia, aligning with anti-Russian sentiment, engaged in a high-volume defacement campaign impacting numerous Russian commercial websites. Alongside this hacktivist activity, financially motivated ransomware operations persist, with incidents involving the RHYSIDA and LYNX ransomware groups targeting organizations in Canada and Australia, respectively. Furthermore, an alleged data breach involving a major Thai retailer surfaced on an underground forum, highlighting the continued threat of data theft and illicit monetization. This report details these key incidents, provides context on the threat actors involved, identifies emerging trends, and offers mitigation recommendations.


Detailed Incident Analysis:

1. RHYSIDA Ransomware Attack on Dimension Composite Inc.

  • Incident: Dimension Composite Inc., a manufacturing company in Canada (dimensioncomposite.com), was listed as a victim on the RHYSIDA ransomware group’s Tor-based leak site. The group claims to have exfiltrated the organization’s database and intends to publish it within 6-7 days if their demands are not met.
  • Date Reported: 2025-04-12T09:25:42Z
  • Attack Type: Ransomware (Double Extortion)
  • Threat Actor Context: RHYSIDA
  • RHYSIDA emerged in early 2023, operating a Ransomware-as-a-Service (RaaS) model.1 Primarily motivated by financial gain, the group employs double extortion tactics, stealing data before encryption and threatening public release to pressure victims.1
  • Although it initially posed as a “cybersecurity team” offering help,3 RHYSIDA targets a diverse range of industries, including manufacturing, healthcare, education, IT, and government sectors.1 The group has shown a tendency to target small-to-medium-sized businesses but has also impacted larger enterprises and critical infrastructure such as hospitals.3 Notable past victims include the British Library, King Edward VII’s Hospital, the Chilean Army, and Prospect Medical Holdings.1
  • Known Tactics, Techniques, and Procedures (TTPs) include:
  • Initial Access: Phishing emails, exploitation of vulnerabilities (e.g., Zerologon CVE-2020-1472), compromised VPN credentials (often where MFA is lacking), and potentially malvertising.1
  • Execution & Lateral Movement: Use of Cobalt Strike beacons, PsExec for deploying ransomware binaries and scripts (like SILENTKILL to terminate antivirus), PowerShell, and living-off-the-land techniques (RDP, native tools).2
  • Defense Evasion: Terminating antivirus processes, deleting shadow copies, modifying Active Directory passwords.3
  • Impact: File encryption using a 4096-bit RSA key with AES or ChaCha20.3 Ransom notes are dropped, and payment is typically demanded in Bitcoin.3 There are observed similarities in TTPs between RHYSIDA and the Vice Society ransomware group, particularly concerning targeting the education and healthcare sectors.3
  • Supporting Evidence:
  • Publication URL: http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion/
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/f21f8885-f487-4f86-b8bc-79fa36dc58d5.png

2. Dark Storm Team DDoS Campaigns

The Dark Storm Team was highly active, launching DDoS attacks against government entities in Italy, Kosovo, and Bulgaria.

  • Threat Actor Context: Dark Storm Team
  • Dark Storm Team emerged in late 2023, initially presenting as a pro-Palestinian hacktivist group targeting governments and organizations perceived as supporting Israel.7 Their activity surged following the October 7 Hamas-led attack on Israel.7
  • The group employs tactics similar to pro-Russian groups like Killnet, including large-scale DDoS campaigns, and has targeted NATO countries, Israel, and the U.S.7 While primarily hacktivist, they also advertise hacker-for-hire services and have been linked to promoting their own cryptocurrency, raising questions about mixed financial and political motivations.7
  • They operate primarily via Telegram channels to coordinate, claim attacks, and communicate.8 Their DDoS attacks often utilize botnets, potentially comprising IoT devices or vulnerable routers, and target web servers lacking adequate DDoS protection.9 Past high-profile claims include attacks on major airports and social media platforms like X (formerly Twitter).7 Some analysis suggests potential operational links or collaborations with other pro-Russian or Islamist-oriented groups.8
  • Incident 2: Dark Storm Team targets the website of Ministry of Agriculture, Food Sovereignty and Forestry (Italy)
  • Victim: Ministry of Agriculture, Food Sovereignty and Forestry, Government & Public Sector, Italy (Site: masaf.gov.it)
  • Date Reported: 2025-04-12T09:14:51Z
  • Attack Type: DDoS Attack
  • Summary: The group claimed a successful DDoS attack against the Italian Ministry of Agriculture, providing a check-host link as proof of downtime. This aligns with their pattern of targeting government entities in NATO countries.7
  • Supporting Evidence:
  • Publication URL: https://t.me/DarkStormTeam3/239
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/5524c80e-2e39-4568-9da0-17d3a5259138.png
  • Proof of Downtime URL (from content): https://check-host.net/check-report/24e54f3fkd8f
  • Incident 4: Dark Storm Team targets the website of Ministry of Foreign Affairs and International Cooperation (Italy)
  • Victim: Ministry of Foreign Affairs and International Cooperation, Government & Public Sector, Italy (Site: esteri.it)
  • Date Reported: 2025-04-12T09:08:12Z
  • Attack Type: DDoS Attack
  • Summary: Shortly before the attack on the Ministry of Agriculture, Dark Storm Team targeted Italy’s Ministry of Foreign Affairs, again providing proof of downtime. This pair of attacks suggests a focused effort against Italian government ministries.
  • Supporting Evidence:
  • Publication URL: https://t.me/DarkStormTeam3/239
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/f91cf6af-399e-4636-8924-a25fbaf5b6da.png
  • Proof of Downtime URL (from content): https://check-host.net/check-report/24e544a9k190
  • Incident 5: Dark Storm Team targets the website of Office of the Prime Minister (Kosovo)
  • Victim: Office of the Prime Minister, Social Media & Online Social Networking (Note: Industry likely misclassified, should be Government), Kosovo (Site: kryeministri.rks-gov.net)
  • Date Reported: 2025-04-12T08:50:27Z
  • Attack Type: DDoS Attack
  • Summary: Dark Storm Team claimed a DDoS attack against the website of Kosovo’s Prime Minister’s Office. Targeting Kosovo aligns with potential pro-Russian sympathies or general anti-Western/NATO stances.8
  • Supporting Evidence:
  • Publication URL: https://t.me/DarkStormTeam3/236
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/2145ff89-d1d5-44c0-b89e-886f2a99c779.png
  • Proof of Downtime URL (from content): https://check-host.net/check-report/24e50cf3kc2b
  • Incident 15: Dark Storm Team targets the website of Municipality of Montana (Bulgaria)
  • Victim: Municipality of Montana, Government & Public Sector, Bulgaria (Site: montana.bg)
  • Date Reported: 2025-04-12T07:16:35Z
  • Attack Type: DDoS Attack
  • Summary: The group initiated a series of attacks against Bulgarian local government entities, starting with the Municipality of Montana. Bulgaria, as a NATO member, fits the group’s targeting profile.8
  • Supporting Evidence:
  • Publication URL: https://t.me/DarkStormTeam3/234
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/198178e7-a82f-4359-8dca-1cd1dde323e3.png
  • Proof of Downtime URL (from content): https://check-host.net/check-report/24e4a018kc6
  • Incident 16: Dark Storm Team targets the website of Municipality of Razgrad (Bulgaria)
  • Victim: Municipality of Razgrad, Government & Public Sector, Bulgaria (Site: razgrad.bg)
  • Date Reported: 2025-04-12T07:10:08Z
  • Attack Type: DDoS Attack
  • Summary: Following the Montana attack, Dark Storm Team targeted another Bulgarian municipality, Razgrad, indicating a coordinated campaign against Bulgarian local government infrastructure.
  • Supporting Evidence:
  • Publication URL: https://t.me/DarkStormTeam3/234
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/7f0df14b-8320-4f3b-b096-5b6d5b0df99a.png
  • Proof of Downtime URL (from content): https://check-host.net/check-report/24e49e02k77f
  • Incident 26: Dark Storm Team targets the website of Municipality of Ruse (Bulgaria)
  • Victim: Municipality of Ruse, Government & Public Sector, Bulgaria (Site: obshtinaruse.bg)
  • Date Reported: 2025-04-12T06:24:50Z
  • Attack Type: DDoS Attack
  • Summary: The third Bulgarian municipality targeted within approximately an hour, reinforcing the assessment of a focused campaign against Bulgarian local government targets by Dark Storm Team.
  • Supporting Evidence:
  • Publication URL: https://t.me/DarkStormTeam3/233
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/ba1fb91b-ff78-421e-9b47-a8c1f4eec577.png
  • Proof of Downtime URL (from content): https://check-host.net/check-report/24e44eeak1a1

3. LYNX Ransomware Attack on Bilbie Faraday Harrison, Solicitors

  • Incident: Bilbie Faraday Harrison, Solicitors, a legal services firm in Australia (bilbie.com.au), was listed as a victim on the LYNX ransomware group’s Tor-based leak portal. The group claims data exfiltration and provides sample screenshots as proof.
  • Date Reported: 2025-04-12T09:13:21Z
  • Attack Type: Ransomware (Double Extortion)
  • Threat Actor Context: LYNX
  • LYNX ransomware emerged in mid-2024, operating as a RaaS group.13 It is widely believed to be a successor or rebranding of the INC ransomware group, sharing significant code overlap, suggesting the INC source code may have been purchased or adapted.13
  • The group employs double extortion, exfiltrating data before encryption and threatening leaks on their dedicated leak site (DLS).13 They have been observed “dripping” data (releasing small batches) to increase pressure.14
  • LYNX provides affiliates with a sophisticated platform, including ransomware builds for Windows, Linux, and ESXi (covering various architectures like ARM, MIPS, PPC), customizable encryption modes (fast, medium, slow, entire), and support services like call centers to harass victims.13 Affiliates reportedly receive a high share (e.g., 80%) of ransom proceeds.15
  • They actively recruit experienced penetration testers via underground forums.15 While primarily financially motivated,18 LYNX claims to avoid targeting healthcare, government, charities, and churches, focusing instead on sectors like finance, manufacturing, legal services, energy, and retail, often targeting SMBs in North America and Europe.13
  • Known TTPs include:
  • Initial Access: Phishing emails are a common vector.14
  • Execution: Uses tools like Scheduled Tasks for persistence.13 Employs robust encryption (e.g., Curve25519, AES-128).15 Appends ‘.LYNX’ extension to encrypted files.14
  • Defense Evasion/Impact: Attempts privilege escalation if needed, terminates processes/services (including backup-related) using tools like Restart Manager, deletes shadow copies, changes desktop wallpaper, and uniquely, may print ransom notes.14
  • Supporting Evidence:
  • Publication URL: http://lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion/leaks/67f9dfdbce8dcc3b0d52bfe5
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/de4635d4-ab53-4d63-af72-da8341f5746d.png

4. NoName057(16) DDoS Campaign Against Finland

NoName057(16) executed a high-volume DDoS campaign targeting a wide array of organizations in Finland across multiple sectors.

  • Threat Actor Context: NoName057(16)
  • NoName057(16) (also Nnm05716) is a pro-Russian hacktivist group active since March 2022, shortly after Russia’s invasion of Ukraine.20
  • Their primary motivation is political, aiming to disrupt and destabilize countries and organizations perceived as hostile to Russia or supportive of Ukraine, particularly NATO members and EU nations.20 They explicitly frame their actions as retaliation against perceived “Russophobia” or anti-Russian policies.23
  • The group specializes in DDoS attacks, utilizing their custom tool “DDOSIA”.21 They operate a crowdsourced model, recruiting volunteers via Telegram (their main communication platform) and incentivizing participation through gamification and cryptocurrency payments (“Project DDoSia”).20 This allows them to generate significant attack volume, often using HTTP/HTTPS application-layer floods launched from botnets potentially hosted on public cloud services or compromised systems.24
  • They have a high attack frequency, claiming responsibility for thousands of attacks since their inception, targeting government websites, financial institutions, transportation, energy, media, and critical infrastructure across numerous countries including Ukraine, Poland, Lithuania, Denmark, Czech Republic, Spain, Italy, Canada, and Finland.20 While attacks are often short-lived disruptions, their persistence and targeting of critical sectors pose a notable threat.23
  • Incidents 6-9, 11-14 (Collective Summary):
  • Over several hours, NoName057(16) systematically targeted Finnish organizations including:
  • Gasgrid Finland Oy (Oil & Gas / Energy TSO)
  • Codento Ltd (IT Services)
  • Enersense International Plc (Energy & Utilities)
  • Fingrid (Electrical & Electronic Manufacturing / Electricity TSO)
  • Taaleri Public Limited Company (Financial Services)
  • Neova Group Media Bank (Media/Online Platform)
  • Eezy Corporation (Staffing/Recruiting)
  • Panostaja Oyj (Venture Capital)
  • The attacks involved DDoS aimed at causing website downtime, with the group posting proof links (check-host.net reports) on their Telegram channels. This sustained campaign against diverse Finnish sectors, particularly energy (Gasgrid, Enersense, Fingrid) and finance (Taaleri, Panostaja), demonstrates their strategy of targeting critical and economic infrastructure to maximize disruption in nations opposing Russian actions.20 Finland’s status as a NATO member makes it a prime target for groups like NoName057(16).
  • Incident 6: NoName targets the website of Gasgrid Finland Oy
  • Victim: Gasgrid Finland Oy, Oil & Gas, Finland (Site: gasgrid.fi)
  • Date Reported: 2025-04-12T08:49:26Z
  • Attack Type: DDoS Attack
  • Supporting Evidence:
  • Publication URL: https://t.me/nnm05716rus/522
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/5d80ae96-8632-4fc4-bcda-7949a3e51b01.png, https://d34iuop8pidsy8.cloudfront.net/138d2965-7cd9-45aa-a66a-132f38019cbe.png
  • Proof of Downtime URL (from content): http://check-host.net/check-report/24e4aa86kebf
  • Incident 7: NoName targets the website of Codento Ltd
  • Victim: Codento Ltd, Information Technology (IT) Services, Finland (Site: codento.com)
  • Date Reported: 2025-04-12T08:43:37Z
  • Attack Type: DDoS Attack
  • Supporting Evidence:
  • Publication URL: https://t.me/nnm05716rus/522
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/acdb3997-a4ba-419b-a003-74823e3029f9.png, https://d34iuop8pidsy8.cloudfront.net/83c5ce2d-4668-4ae5-8e36-5001290ec953.png
  • Proof of Downtime URL (from content): http://check-host.net/check-report/24e4a983k237
  • Incident 8: NoName targets the website of Enersense International Plc
  • Victim: Enersense International Plc, Energy & Utilities, Finland (Site: enersense.com)
  • Date Reported: 2025-04-12T08:41:28Z
  • Attack Type: DDoS Attack
  • Supporting Evidence:
  • Publication URL: https://t.me/c/2538273458/189
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/8e27dc07-542b-4500-b4e4-25e69a78c638.png, https://d34iuop8pidsy8.cloudfront.net/e40b3fa2-0020-43df-a0da-992bfe456985.png
  • Proof of Downtime URL (from content): https://check-host.net/check-report/24e4add7k40
  • Incident 9: NoName targets the website of Fingrid
  • Victim: Fingrid, Electrical & Electronic Manufacturing, Finland (Site: fingrid.fi)
  • Date Reported: 2025-04-12T08:36:45Z
  • Attack Type: DDoS Attack
  • Supporting Evidence:
  • Publication URL: https://t.me/c/2538273458/189
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/fc83905b-7110-445e-ab5d-fda62e349aed.png, https://d34iuop8pidsy8.cloudfront.net/689e5970-0732-466a-8a9f-05595fd8831e.png
  • Proof of Downtime URL (from content): https://check-host.net/check-report/24e4ab2ek139
  • Incident 11: NoName targets the website of Taaleri Public Limited Company
  • Victim: Taaleri Public Limited Company, Financial Services, Finland (Site: taaleri.com)
  • Date Reported: 2025-04-12T08:34:07Z
  • Attack Type: DDoS Attack
  • Supporting Evidence:
  • Publication URL: https://t.me/nnm05716rus/522
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/c5a7029a-f72b-48e6-9af4-0177bc81ca43.png, https://d34iuop8pidsy8.cloudfront.net/d313c6ec-e0d1-4c9e-b39a-af49f2029f2a.png
  • Proof of Downtime URL (from content): http://check-host.net/check-report/24e4a60ek209
  • Incident 12: NoName targets the website of Neova Group Media Bank
  • Victim: Neova Group Media Bank, Social Media & Online Social Networking (Note: Likely a corporate media portal), Finland (Site: mediabank.neova-group.com)
  • Date Reported: 2025-04-12T08:32:11Z
  • Attack Type: DDoS Attack
  • Supporting Evidence:
  • Publication URL: https://t.me/c/2538273458/189
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/39e3725e-2523-444f-a4a4-905b69f705ec.png, https://d34iuop8pidsy8.cloudfront.net/f9c9aa78-c77f-41f7-a456-18df83694cb3.png
  • Proof of Downtime URL (from content): https://check-host.net/check-report/24e4ab01kd97
  • Incident 13: NoName targets the website of Eezy Corporation
  • Victim: Eezy Corporation, Staffing/Recruiting, Finland (Site: eezy.fi)
  • Date Reported: 2025-04-12T07:43:10Z
  • Attack Type: DDoS Attack
  • Supporting Evidence:
  • Publication URL: https://t.me/nnm05716rus/521
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/3130d4b4-9d20-4598-a26b-5f100df1c0ae.png, https://d34iuop8pidsy8.cloudfront.net/3da51ada-bc8b-4c98-bc75-650294f17e98.png
  • Proof of Downtime URLs (from content): http://check-host.net/check-report/24e4a3d9k635, http://check-host.net/check-report/24e4a3ebkaaf, http://check-host.net/check-report/24e4a645kbf3, http://check-host.net/check-report/24e4a5f6k1f9
  • Incident 14: NoName targets the website of Panostaja Oyj
  • Victim: Panostaja Oyj, Venture Capital, Finland (Site: panostaja.fi)
  • Date Reported: 2025-04-12T07:27:32Z
  • Attack Type: DDoS Attack
  • Supporting Evidence:
  • Publication URL: https://t.me/nnm05716rus/521
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/1fc47783-2b11-4a8c-afb6-0dd43c4a2c4f.png, https://d34iuop8pidsy8.cloudfront.net/d288d2d7-b468-491f-9b49-107b6b6c46db.png
  • Proof of Downtime URL (from content): http://check-host.net/check-report/24e4a312k10d

5. Alleged Data Breach Sale by Krqtos

  • Incident: A threat actor using the alias “Krqtos” posted on the cybercrime forum BreachForums, claiming to sell the database of Home Product Center Public Company Limited, a major Thai retailer (homepro.co.th). The actor alleges the database contains nearly 18 million records, including sensitive customer PII such as names, contact details, addresses, purchase history, and invoice links.
  • Date Reported: 2025-04-12T08:35:38Z
  • Attack Type: Data Breach (Alleged Sale)
  • Threat Actor Context: Krqtos & BreachForums
  • Specific information on the threat actor “Krqtos” is limited based on the provided materials, beyond their activity on BreachForums. Their motivation appears financial, seeking to monetize allegedly stolen data.
  • BreachForums itself is a well-known English-language cybercrime forum that serves as a marketplace for stolen data, hacking tools, and other illicit services.27 It emerged as a successor to the seized RaidForums and has faced its own law enforcement takedowns and administrator arrests, yet persists under new operators like the ShinyHunters group.27 The platform facilitates the activities of numerous financially motivated threat actors who buy, sell, and trade compromised information. The presence of this alleged data sale on BreachForums underscores the forum’s continued role in the cybercrime ecosystem, enabling the monetization of large-scale data breaches.27 The scale of the claimed data (17.9M records) suggests a significant potential impact on affected customers if the breach is confirmed.
  • Supporting Evidence:
  • Publication URL: https://breachforums.st/Thread-DATABASE-Database-Homepro-co-th-17-917-927M-Thailand
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/446247f2-1388-46d6-b29a-aa0f35848055.png

6. Anonymous Italia Defacement Campaign Against Russia

Anonymous Italia conducted a rapid series of website defacements targeting various Russian commercial entities.

  • Threat Actor Context: Anonymous Italia
  • Anonymous Italia is a regional cell or collective operating under the banner of the wider Anonymous movement. Anonymous is a decentralized, international hacktivist collective known for cyberattacks against governments, corporations, and other organizations.29
  • Their motivations are typically ideological, centered around anti-censorship, free speech, social justice, and political protest.29 The collective operates with a loose structure, often coordinating actions via online forums or messaging platforms.29
  • Common tactics include DDoS attacks, website defacements, data leaks, and doxing.30 Defacements are used to display messages, embarrass targets, and signal opposition.30
  • Since the 2022 invasion of Ukraine, various Anonymous factions have actively targeted Russian entities as part of operations like #OpRussia, protesting the war and Russian government actions.32 The attacks observed today fit this pattern of politically motivated hacktivism against Russian targets.
  • Incidents 17-25, 27 (Collective Summary):
  • Within approximately 90 minutes, Anonymous Italia claimed responsibility for defacing at least 11 different Russian websites. The targets spanned various industries, with a notable concentration in Building and Construction, but also including Restaurants, Publishing, and Education.
  • Specific targets included: ITALREFLEXES, Jilda Decor, AtrioDesign, PORTOFINO, Konstantin Mazurenko (Publishing), Drevliki (Education), Cafe Trial, ArtSkyDeco, Restora, and uslugisantehnika-elektrikaufa.
  • This high-volume, rapid-fire campaign exemplifies Anonymous’s capability for coordinated action, likely leveraging automated tools or exploiting common vulnerabilities across Russian websites. The primary goal appears to be disruption, spreading anti-Russian messaging, and demonstrating opposition through visible, albeit often temporary, website alterations.30 The diversity of targets suggests either opportunistic attacks or a broad effort to impact various facets of Russian commerce and society.
  • Incident 17: Anonymous Italia targets the website of ITALREFLEXES
  • Victim: ITALREFLEXES, Building and construction, Russia (Site: italreflexes.ru)
  • Date Reported: 2025-04-12T06:52:03Z
  • Attack Type: Defacement
  • Supporting Evidence:
  • Publication URL: https://t.me/AnonSecIta_Ops/651
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/ff371e0a-bd09-499a-bc79-4408aba13ff8.png
  • Incident 18: Anonymous Italia targets the website of Jilda Decor
  • Victim: Jilda Decor, Building and construction, Russia (Site: jilda-decor.ru)
  • Date Reported: 2025-04-12T06:50:22Z
  • Attack Type: Defacement
  • Supporting Evidence:
  • Publication URL: https://t.me/AnonSecIta_Ops/630
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/e49c9dbd-6416-4aa6-a7e7-b5885824796f.png
  • Incident 19: Anonymous Italia targets the website of AtrioDesign
  • Victim: AtrioDesign, Building and construction, Russia (Site: atriodesign.ru)
  • Date Reported: 2025-04-12T06:50:02Z
  • Attack Type: Defacement
  • Supporting Evidence:
  • Publication URL: https://t.me/AnonSecIta_Ops/645
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/34712ddc-dd9a-4720-b04f-d8f7de5f6c52.png
  • Incident 20: Anonymous Italia targets the website of PORTOFINO
  • Victim: PORTOFINO, Building and construction, Russia (Site: portofinoselecta.ru)
  • Date Reported: 2025-04-12T06:49:51Z
  • Attack Type: Defacement
  • Supporting Evidence:
  • Publication URL: https://t.me/AnonSecIta_Ops/643
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/4a01dc80-4ada-4894-8315-8b1bb065bf61.png
  • Incident 21: Anonymous Italia targets the website of Konstantin Mazurenko
  • Victim: Konstantin Mazurenko, Publishing Industry, Russia (Site: mkkonst.ru)
  • Date Reported: 2025-04-12T06:46:26Z
  • Attack Type: Defacement
  • Supporting Evidence:
  • Publication URL: https://t.me/AnonSecIta_Ops/649
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/2a10a1d5-424d-4266-9fb8-cd2ec7734f7f.png
  • Incident 22: Anonymous Italia targets the website of Drevliki
  • Victim: Drevliki, Education, Russia (Site: drevliki.ru)
  • Date Reported: 2025-04-12T06:39:06Z
  • Attack Type: Defacement
  • Supporting Evidence:
  • Publication URL: https://t.me/AnonSecIta_Ops/647
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/29dd8279-968a-4e0c-9fae-52514899196f.png
  • Incident 23: Anonymous Italia targets the website of Cafe Trial
  • Victim: Cafe Trial, Restaurants, Russia (Site: cafetrial.ru)
  • Date Reported: 2025-04-12T06:35:50Z
  • Attack Type: Defacement
  • Supporting Evidence:
  • Publication URL: https://t.me/AnonSecIta_Ops/624
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/5cf9b16a-dcc7-4843-b581-d804a0dc412e.png
  • Incident 24: Anonymous Italia targets the website of ArtSkyDeco
  • Victim: ArtSkyDeco, Building and construction, Russia (Site: artskydeco.ru)
  • Date Reported: 2025-04-12T06:32:58Z
  • Attack Type: Defacement
  • Supporting Evidence:
  • Publication URL: https://t.me/AnonSecIta_Ops/641
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/b8e99bcd-2f30-443e-b6b1-1a82364514e2.png
  • Incident 25: Anonymous Italia targets the website of Restora
  • Victim: Restora, Restaurants, Russia (Site: pominki.org.ru)
  • Date Reported: 2025-04-12T06:28:11Z
  • Attack Type: Defacement
  • Supporting Evidence:
  • Publication URL: https://t.me/AnonSecIta_Ops/622
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/33d546eb-8ba7-4a58-8fba-2d05fe7ecc32.png
  • Incident 27: Anonymous Italia targets the website of uslugisantehnika-elektrikaufa
  • Victim: uslugisantehnika-elektrikaufa, Building and construction, Russia (Site: uslugisantehnika-elektrikaufa.ru)
  • Date Reported: 2025-04-12T06:23:53Z
  • Attack Type: Defacement
  • Supporting Evidence:
  • Publication URL: https://t.me/AnonSecIta_Ops/638
  • Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/01572b70-db01-4b18-bc51-26d552234b49.png

Emerging Trends & Observations:

  • Dominance of Geopolitically Motivated Hacktivism: The overwhelming majority of reported incidents were DDoS or defacement attacks conducted by groups with clear political agendas (NoName057(16) – pro-Russian; Dark Storm Team – pro-Palestinian/anti-NATO; Anonymous Italia – anti-Russian/pro-Ukraine). This highlights how cyber operations are increasingly used as tools for protest, retaliation, and disruption in the context of international conflicts and tensions.20 The alignment of targets (NATO/EU/Ukraine supporters vs. Russia) directly mirrors these geopolitical fault lines.
  • Targeting Beyond Government Entities: While government sites remain key targets (Ministries in Italy, Municipalities in Bulgaria, PMO in Kosovo), hacktivist groups, particularly NoName057(16), demonstrated a clear strategy of targeting critical national infrastructure and economically significant sectors in Finland.20 Attacks on energy providers (Gasgrid, Enersense, Fingrid), financial services (Taaleri), IT services (Codento), and other commercial entities represent an escalation aimed at causing broader societal and economic disruption, moving beyond purely symbolic website takedowns.23
  • Persistence of Financially Motivated Ransomware (RaaS Ecosystem): Despite the noise from hacktivist campaigns, sophisticated ransomware operations like RHYSIDA and LYNX continue their activities, leveraging RaaS models and double extortion tactics.1 The RaaS model, which gives affiliates access to advanced tools and infrastructure,5 and the potential for code reuse or adaptation (as seen with LYNX/INC)14 contribute to the resilience and proliferation of these threats across various industries (Manufacturing and Legal Services observed today). Different RaaS groups exhibit varied targeting strategies, possibly reflecting different risk calculations; for instance, LYNX claims to avoid certain critical sectors like healthcare,13 whereas RHYSIDA is known to target them.1
  • Underground Data Economy: The alleged sale of a large customer database from a Thai retailer by “Krqtos” on BreachForums27 underscores the active cybercrime economy focused on monetizing stolen data. While distinct from the hacktivist campaigns observed, this incident highlights the parallel threat landscape where data breaches are packaged and sold on dedicated underground platforms. These platforms serve as crucial enablers for financially motivated cybercrime, potentially benefiting indirectly from the disruption or vulnerabilities exposed by other types of cyber activity.

Mitigation Recommendations:

Based on the observed threats and TTPs, organizations should prioritize the following defensive measures:

  • Against DDoS Attacks (NoName057(16), Dark Storm Team):
  • Deploy comprehensive DDoS mitigation solutions capable of handling high-volume, application-layer (HTTP/S) attacks, incorporating cloud-based scrubbing and potentially on-premise defenses.22
  • Utilize Web Application Firewalls (WAFs) with advanced features like intelligent rate limiting, CAPTCHA challenges, geo-blocking, and sophisticated bot detection.22
  • Ensure adequate network infrastructure capacity and maintain tested DDoS-specific incident response plans.36
  • Against Ransomware (RHYSIDA, LYNX):
  • Prevention: Mandate phishing-resistant Multi-Factor Authentication (MFA) across all remote access points (VPN, RDP, Email) and critical systems.2 Implement aggressive vulnerability management, prioritizing patching of known exploited vulnerabilities (KEVs),2 especially for internet-facing systems and Active Directory.1 Enhance email security gateways to detect and block malicious attachments and links.1 Restrict and monitor the use of administrative tools like PowerShell and PsExec.2 Implement network segmentation to contain potential breaches.2
  • Detection & Response: Utilize Endpoint Detection and Response (EDR) tools with behavioral analysis capabilities to identify anomalous activities like mass file encryption, shadow copy deletion, or security service termination.15 Monitor for known ransomware TTPs.3
  • Recovery: Maintain a robust backup strategy with regular, tested, offline, and immutable backups.3
  • Against Data Breaches & Unauthorized Access (Krqtos, General):
  • Secure web applications against common flaws (e.g., SQLi, XSS) through secure coding practices and regular security testing.30
  • Enforce strong password policies and credential management. Monitor for credential exposure in public code repositories or data dumps.39
  • Implement comprehensive logging and monitoring across networks and systems, establishing baselines to detect anomalies.3 Apply the principle of least privilege to user accounts and service permissions.37
  • Against Defacement (Anonymous Italia):
  • Harden web server configurations and keep Content Management Systems (CMS), themes, and plugins updated.
  • Implement file integrity monitoring systems to alert on unauthorized website changes.
  • Restrict file and directory permissions on the web server.
  • General Security Hygiene:
  • Conduct regular security awareness training for all employees, focusing on identifying phishing, social engineering, and secure credential practices.4
  • Develop, maintain, and regularly test comprehensive incident response plans tailored to various cyber threat scenarios.36
  • Leverage threat intelligence services to maintain situational awareness of evolving threats, TTPs, and active campaigns.
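
The ransomware detection bullet above names the behaviors to watch for (shadow copy deletion, security service termination, abuse of PowerShell and PsExec) but not how to turn them into an alert. The following is an added example, not code from this report or from any vendor cited in it: a small rule set over process-creation telemetry plus a per-host correlation step, so that a single noisy match is only a hit while several distinct techniques on one host inside a short window become an alert. The event records are constructed to resemble Sysmon Event ID 1 and the field names (host, ts, image, cmdline) are an assumption.

```python
"""Detect ransomware precursor TTPs in process-creation telemetry.

Added example for this report's ransomware detection guidance; it is not
code from any vendor cited here. Input records are constructed to resemble
Sysmon Event ID 1 (process creation) with assumed field names:
host, ts (epoch seconds), image, cmdline.
"""
import re
from collections import defaultdict

# (rule name, MITRE ATT&CK technique, pattern over the full command line).
# Production rules should also key on the image path and parent process to
# cut false positives from legitimate administrative activity.
RULES = [
    ("shadow_copy_deletion", "T1490", re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("recovery_disabled", "T1490", re.compile(
        r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_catalog_wipe", "T1490", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("security_service_stop", "T1562.001", re.compile(
        r"(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s+.*/im)\s+.*"
        r"(windefend|defender|sense|msmpeng|sophos|csfalcon|sentinel|veeam|mssql)", re.I)),
    ("psexec_lateral", "T1569.002", re.compile(r"psexe(c|svc)(\.exe)?\b", re.I)),
    ("encoded_powershell", "T1059.001", re.compile(
        r"powershell(\.exe)?\s+.*-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
]


def match_rules(event):
    """Return every (rule_name, technique) whose pattern matches this event's cmdline."""
    cmd = event.get("cmdline", "")
    return [(name, tech) for name, tech, rx in RULES if rx.search(cmd)]


def analyze(events, window_s=300, min_techniques=2):
    """Tag events and correlate per host.

    Returns (hits, alerts). hits lists every rule match; alerts maps a host to the
    sorted techniques seen when at least min_techniques distinct ATT&CK techniques
    fire on that host within any window_s-second span.
    """
    hits = []
    per_host = defaultdict(list)  # host -> [(ts, technique)]
    for ev in events:
        for name, tech in match_rules(ev):
            hits.append({"host": ev["host"], "ts": ev["ts"], "rule": name,
                         "technique": tech, "cmdline": ev["cmdline"]})
            per_host[ev["host"]].append((ev["ts"], tech))
    alerts = {}
    for host, items in per_host.items():
        items.sort()
        for t0, _ in items:  # slide a window starting at each hit
            techs = {tech for ts, tech in items if t0 <= ts <= t0 + window_s}
            if len(techs) >= min_techniques:
                alerts[host] = sorted(techs)
                break
    return hits, alerts


# Constructed sample telemetry: one host showing a classic pre-encryption
# sequence, one host with a single benign-looking PsExec launch.
SAMPLE_EVENTS = [
    {"host": "WS-042", "ts": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "WS-042", "ts": 1030, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS-042", "ts": 1060, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop WinDefend"},
    {"host": "WS-042", "ts": 1090, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAA="},
    {"host": "SRV-DB1", "ts": 2000, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"host": "SRV-DB1", "ts": 2100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"host": "SRV-DB1", "ts": 5000, "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\WS-042 -s cmd.exe"},
]

if __name__ == "__main__":
    hits, alerts = analyze(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['host']}] {h['rule']} ({h['technique']}): {h['cmdline']}")
    for host, techs in alerts.items():
        print(f"ALERT {host}: {len(techs)} distinct techniques in window -> {techs}")
```

Running it produces four hits on WS-042 and one on SRV-DB1, but only WS-042 is raised to an alert: three distinct techniques (T1490, T1562.001, T1059.001) inside 90 seconds, which is the pattern the bullet describes. The lone PsExec launch on SRV-DB1 stays a hit for an analyst to triage rather than paging on its own.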

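The defacement bullets above call for file integrity monitoring and tight permissions on the web root. The following is an added example, not code from this report or from any vendor cited in it, showing what that monitor has to do: hash every regular file under the web root, record its permission bits, and on each run report files that were added, removed, modified, had their mode changed, or are world-writable. The web root layout, file contents and the attacker actions in demo() are constructed; the script assumes a POSIX filesystem.

```python
"""File integrity baseline and diff for a web root.

Added example for this report's anti-defacement guidance; not code from any
vendor cited here. Assumes a POSIX filesystem. Store the baseline off the
web server (or sign it); a baseline the attacker can rewrite is no baseline.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def _sha256(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, exclude_dirs=("cache", "tmp")):
    """Map each regular file under root (posix-style relative path) to hash and mode."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]  # skip volatile dirs
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks/devices are skipped; a file swapped for a symlink shows as removed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": _sha256(full), "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def compare(baseline, current):
    """Diff two baselines; world_writable is checked on the current state only."""
    report = {"added": [], "removed": [], "modified": [], "perm_changed": [], "world_writable": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        else:
            if old["sha256"] != new["sha256"]:
                report["modified"].append(rel)
            if old["mode"] != new["mode"]:
                report["perm_changed"].append(rel)
        if new is not None and new["mode"] & stat.S_IWOTH:
            report["world_writable"].append(rel)
    return report


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a tiny web root, then simulate a defacement."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        os.makedirs(os.path.join(root, "cache"))
        files = {"index.php": "<?php echo 'hello'; ?>",
                 "wp-content/uploads/logo.png": "PNG",
                 "cache/x": "volatile, excluded from the baseline"}
        for rel, body in files.items():
            full = os.path.join(root, *rel.split("/"))
            with open(full, "w") as f:
                f.write(body)
            os.chmod(full, 0o644)  # explicit mode so the demo is independent of umask
        baseline = build_baseline(root)
        # Simulated attacker actions: overwrite the landing page, drop a web shell
        # into a writable uploads directory, and loosen permissions on a file.
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<h1>HACKED</h1>")
        shell = os.path.join(root, "wp-content", "uploads", "shell.php")
        with open(shell, "w") as f:
            f.write("<?php system($_GET['c']); ?>")
        os.chmod(shell, 0o644)
        os.chmod(os.path.join(root, "wp-content", "uploads", "logo.png"), 0o666)
        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In the demo the report lists index.php as modified, wp-content/uploads/shell.php as added, and logo.png as both permission-changed and world-writable, while the excluded cache directory produces no noise. In practice the baseline is rebuilt only by the deploy pipeline, and any diff outside a deployment window is treated as an incident.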
Works cited

  1. Outmaneuvering Rhysida: How Advanced Threat Intelligence Shields Critical Infrastructure from Ransomware – Recorded Future, accessed April 12, 2025, https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf
  2. Rhysida ransomware: The creepy crawling criminal hiding in the dark – Barracuda Blog, accessed April 12, 2025, https://blog.barracuda.com/2024/05/09/rhysida-ransomware–the-creepy-crawling-criminal-hiding-in-the-d
  3. Ransomware Spotlight: Rhysida | Trend Micro (US), accessed April 12, 2025, https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-rhysida
  4. Rhysida – SentinelOne, accessed April 12, 2025, https://www.sentinelone.com/anthology/rhysida/
  5. #StopRansomware: Rhysida Ransomware | CISA, accessed April 12, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a
  6. Feds Issue Updated Mitigations for Blocking Rhysida Ransomware Attacks, accessed April 12, 2025, https://www.hipaajournal.com/updated-mitigations-rhysida-ransomware-nov-23/
  7. Dark Storm Team – Wikipedia, accessed April 12, 2025, https://en.wikipedia.org/wiki/Dark_Storm_Team
  8. Cyber Insight DarkStorm Team – Orange Cyberdefense, accessed April 12, 2025, https://www.orangecyberdefense.com/fileadmin/global/CyberIntelligenceBureau/Gangs_Investigations/DARKSTORMTEAM/DarkStormTeam-EN.pdf
  9. Massive DDoS on X: Dark Storm or Cyber Fog? | Bitsight, accessed April 12, 2025, https://www.bitsight.com/blog/massive-ddos-cyber-fog
  10. Dark Storm Team: The Hacker Group Behind the DDoS Attack on X (Twitter) – Foresiet, accessed April 12, 2025, https://foresiet.com/blog/dark-storm-team-the-hacker-group-behind-the-ddos-attack-on-x-twitter
  11. X Faces Cyberattack: Dark Storm Team Takes Credit, Musk Blames Ukraine – SOCRadar, accessed April 12, 2025, https://socradar.io/x-faces-cyberattack-dark-storm-team-takes-credit-musk-blames-ukraine/
  12. X suffered a DDoS attack. Its CEO and security researchers can’t agree on who did it., accessed April 12, 2025, https://cyberscoop.com/x-ddos-attack-researchers-elon-musk-dark-storm/
  13. Lynx Ransomware Group: Tactics, Targets, And Defense Strategies – Cyble, accessed April 12, 2025, https://cyble.com/threat-actor-profiles/lynx-ransomware/
  14. New Threat on the Prowl: Investigating Lynx Ransomware – Darktrace, accessed April 12, 2025, https://darktrace.com/blog/new-threat-on-the-prowl-investigating-lynx-ransomware
  15. Lynx Ransomware Group Unveiled with Sophisticated Affiliate Program, accessed April 12, 2025, https://www.infosecurity-magazine.com/news/lynx-ransomware-sophisticated/
  16. Lynx Ransomware: Exposing How INC Ransomware Rebrands Itself – Picus Security, accessed April 12, 2025, https://www.picussecurity.com/resource/blog/lynx-ransomware
  17. In-Depth Analysis of Lynx Ransomware – Nextron Systems, accessed April 12, 2025, https://www.nextron-systems.com/2024/10/11/in-depth-analysis-of-lynx-ransomware/
  18. Ransomware Groups Demystified: Lynx Ransomware | Rapid7 Blog, accessed April 12, 2025, https://www.rapid7.com/blog/post/2024/09/12/ransomware-groups-demystified-lynx-ransomware/
  19. Cat’s out of the bag: Lynx Ransomware-as-a-Service | Group-IB Blog, accessed April 12, 2025, https://www.group-ib.com/blog/cat-s-out-of-the-bag-lynx-ransomware/
  20. Unmasking NoName057(16): Botnets, DDoSia, and NATO – CybelAngel, accessed April 12, 2025, https://cybelangel.com/unmasking-noname05716/
  21. Noname057(16) – Wikipedia, accessed April 12, 2025, https://en.wikipedia.org/wiki/Noname057(16)
  22. NoName057(16): Pro-Russian Hacktivist Group – Radware, accessed April 12, 2025, https://www.radware.com/cyberpedia/ddos-attacks/noname057(16)/
  23. NoName057(16) – The Pro-Russian Hacktivist Group Targeting NATO | SentinelOne, accessed April 12, 2025, https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/
  24. NoName057(16) – NetScout Systems, accessed April 12, 2025, https://www.netscout.com/blog/asert/noname057-16
  25. Pro-Russia Hackers NoName057(16) Hit Italian Banks and Airports – Infosecurity Magazine, accessed April 12, 2025, https://www.infosecurity-magazine.com/news/noname05716-hit-italian-banks/
  26. Russian DDoS Groups Frothing After Europe Backs Ukraine – BankInfoSecurity, accessed April 12, 2025, https://www.bankinfosecurity.com/blogs/russian-ddos-hacktivist-groups-decry-europe-backing-ukraine-p-3831
  27. BreachForums – Wikipedia, accessed April 12, 2025, https://en.wikipedia.org/wiki/BreachForums
  28. Feds seize BreachForums platform, Telegram page, accessed April 12, 2025, https://therecord.media/breachforums-platform-seized-by-fbi-doj
  29. Anonymous (hacker group) – Wikipedia, accessed April 12, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)
  30. Tactics and Motivations of Modern Hacktivists – CYFIRMA, accessed April 12, 2025, https://www.cyfirma.com/research/tactics-and-motivations-of-modern-hacktivists/
  31. Understanding Hacktivists: The Overlap of Ideology and Cybercrime | Trend Micro (IE), accessed April 12, 2025, https://www.trendmicro.com/vinfo/ie/security/news/cybercrime-and-digital-threats/understanding-hacktivists-the-overlap-of-ideology-and-cybercrime
  32. Hacktivism: Means and motivations … what else? – Infosec, accessed April 12, 2025, https://www.infosecinstitute.com/resources/general-security/hacktivism-means-and-motivations-what-else/
  33. What is Hacktivism | Types, Ethics, History & Examples – Imperva, accessed April 12, 2025, https://www.imperva.com/learn/application-security/hacktivism/
  34. What is Hacktivism? – Check Point Software, accessed April 12, 2025, https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-hacktivism/
  35. Full article: Becoming a hacktivist. Examining the motivations and the processes that prompt an individual to engage in hacktivism, accessed April 12, 2025, https://www.tandfonline.com/doi/full/10.1080/0735648X.2023.2216189
  36. DDoS Attack Causes Major Outage: Live Updates On Dark Storm Team’s High-Speed Cyber Assault On X, accessed April 12, 2025, https://www.my.publicpower.org/platform/dark-storm-team-claims-ddos-attack-on-x-causing-major-outage-live-updates
  37. Nation-State Cyber Actors | Cybersecurity and Infrastructure Security Agency CISA, accessed April 12, 2025, https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors
  38. Kratos Cybersecurity: Cybersecurity Compliance Services, accessed April 12, 2025, https://www.kratoscyber.com/