[April-18-2025] Daily Cybersecurity Threat Report

1. Executive Summary

Overview: April 18, 2025, witnessed a significant volume of cyber activity, predominantly characterized by Distributed Denial-of-Service (DDoS) attacks orchestrated by hacktivist groups with apparent geopolitical motivations. Pro-Russian actors, alongside other ideologically driven collectives, targeted governmental, financial, energy, and media entities, particularly in Poland, India, Brazil, Kosovo, and Sweden. Concurrently, cybercriminal activities persisted, with notable offerings of large-scale databases and initial network access appearing on underground forums, highlighting the ongoing threat of data breaches and financially motivated intrusions.

Key Trends:

  • Dominance of Hacktivist DDoS: The threat landscape was heavily influenced by DDoS campaigns attributed to groups including NoName057(16), AnonSec, Al Ahad, Dark Storm Team, and Keymous+. These attacks often appeared linked to geopolitical stances, targeting nations perceived as opposing the actors’ interests, such as NATO members supporting Ukraine or countries involved in other regional conflicts.1
  • Targeting Patterns: Specific geographical concentrations of attacks were observed: NoName057(16) focused heavily on Poland across multiple sectors (Financial Services, Manufacturing, Software Development, Energy, Oil & Gas, Newspapers & Journalism). AnonSec targeted Indian Government Administration and Banking sectors. Al Ahad directed attacks against Government Administration and Education in Brazil and Ukraine. Dark Storm Team launched a broad campaign against Government Administration, Education, Energy, and other sectors in Kosovo, alongside a US telecommunications target. Keymous+ targeted Education, Business Development, Media Production, and Financial Services in Sweden.
  • Cybercriminal Activity: Distinct from hacktivist disruption, financially motivated actors were active. The actor using the handle “betway” advertised the alleged sale of substantial databases from Liberty Latin America (Network & Telecommunications) and Y-Axis Overseas (Professional Services, India) on the exploit.in forum. Another actor, “decider,” offered Domain Admin RDP access to an unnamed Brazilian building materials firm, operating as an Initial Access Broker (IAB).5 These activities underscore the persistent threat of data compromise and network intrusions driven by profit motives.8
  • Platform Usage: Telegram remained a central communication and coordination platform for many hacktivist groups, used for claiming attacks, disseminating propaganda, and sometimes sharing tools or TTPs.1 Underground forums like exploit.in served as marketplaces for illicit data and access sales.5

Significant Incidents: The alleged data breaches involving Liberty Latin America (potentially 500,000 records) and Y-Axis Overseas (potentially over 2 million records) represent significant potential exposures of sensitive personal and business information.5 The coordinated DDoS campaigns against numerous government ministries in Kosovo by Dark Storm Team and the multi-sector targeting of Poland by NoName057(16) highlight the disruptive capabilities of these hacktivist groups.

Table: Threat Actor Activity Summary (April 18, 2025)

Threat Actor | Incident Count | Primary Category | Key Targets (Countries/Sectors) | Motivation Type (Inferred)
NoName057(16) | 6 | DDoS Attack | Poland (Financial, Manufacturing, Software, Energy, Oil&Gas, Media) | Hacktivism / Pro-Russian
AnonSec | 5 | DDoS Attack | India (Govt Admin, Banking) | Hacktivism
Al Ahad | 5 | DDoS Attack | Brazil (Govt Admin, Education), Ukraine (Govt Admin, Political Org) | Hacktivism
Dark Storm Team | 10 | DDoS Attack | Kosovo (Education, Energy, Govt Admin), USA (Other Industry/Telecom) | Hacktivism / Pro-Palestine / Anti-West
Keymous+ | 4 | DDoS Attack | Sweden (Education, Business Dev, Media Production, Financial Services) | Hacktivism / Anti-West (potential)
betway | 2 | Data Breach (Sale) | Global/Latin America (Telecom), India (Professional Services) | Financial
decider | 1 | Initial Access (Sale) | Brazil (Building/Construction) | Financial
RuskiNet | 2 | DDoS Attack, Initial Access (Leak Claim) | Switzerland (Govt Relations/Banking), Taiwan (IT Services) | Hacktivism / Pro-Russian / Financial?
Anonymous Jordan | 1 | Alert (Tool Development) | N/A | Hacktivism

This table provides a consolidated view of the primary actors observed, their activity volume, preferred tactics, targets, and likely motivations based on the day’s events and available intelligence. It facilitates rapid situational awareness regarding the most prominent threats during this period.

2. Threat Actor Profiles

This section provides profiles for the key threat actors involved in the incidents reported on April 18, 2025, based on observed activity and available threat intelligence.

NoName057(16) (Aliases: NONAME, NoName05716, 05716nnm, Nnm05716, DDoSia)

  • Profile: NoName057(16) is a pro-Russian hacktivist collective that emerged in March 2022, shortly after the full-scale invasion of Ukraine.1 The group primarily focuses on conducting Distributed Denial-of-Service (DDoS) attacks.
  • Motivations: Their actions are explicitly driven by geopolitical alignment with Russia. They target government organizations, critical infrastructure, and private companies in Ukraine, NATO member states, and other nations perceived as critical of Russia’s actions.1 Their stated goal often revolves around silencing what they deem “anti-Russian” narratives or retaliating against actions supporting Ukraine.1 Today’s intense focus on Polish targets is consistent with their previous campaigns against Poland, a key supporter of Ukraine and host to NATO assets.1 Attacks are often timed in response to specific geopolitical events or statements made by targeted nations.1
  • TTPs: The group’s primary weapon is DDoS attacks, particularly Layer 7 web DDoS attacks targeting specific, high-impact components of websites like search forms or login pages, identified through pre-attack reconnaissance.14 They utilize a custom DDoS tool known as “DDOSIA” (also referred to as Dosia or Go Stresser) and rely heavily on crowdsourcing, recruiting volunteers through their Telegram channels to run the tool.1 Telegram serves as their main hub for claiming responsibility, issuing threats, disseminating propaganda, recruiting volunteers, and even providing basic explanations of attack concepts.1 They actively seek recognition for their attacks, monitoring online mentions and even Wikipedia entries.1
  • Impact & Context: While NoName057(16) aims for disruption, the operational impact of their DDoS attacks is often temporary, causing short-lived service outages.1 The concentration of six distinct attacks against various Polish sectors (financial, manufacturing, software, energy, media) within a few hours on this date demonstrates their capacity for coordinated campaigns. This suggests a level of planning and resource mobilization, likely leveraging their DDOSIA volunteer network, sufficient to execute multiple concurrent attacks against a single nation, reflecting operational capability despite the potentially limited long-term consequences of each individual attack.1

AnonSec

  • Profile: Based on the observed activity targeting Indian entities, AnonSec appears to operate as a hacktivist group. The name choice may be intended to associate the group with the broader, decentralized “Anonymous” collective, known for politically or socially motivated cyber actions, including DDoS attacks and vigilantism.15 However, direct affiliation cannot be confirmed from available information. Such naming conventions are sometimes adopted by groups seeking notoriety.8
  • Motivations: The motivation is likely hacktivism, potentially stemming from regional political disputes, social grievances, or general anti-government sentiment within or related to India. Specific drivers for the attacks on April 18th are not detailed in available intelligence. General hacktivist aims include promoting specific ideologies, protesting perceived injustices, or simply causing disruption to raise awareness for a cause.8
  • TTPs: The group employed DDoS attacks in all recorded incidents on this date. Their use of Telegram for publishing claims (indicated by the published_url format) and reliance on check-host.net links to provide proof of downtime are common practices among contemporary hacktivist groups.
  • Impact & Context: The selection of targets – including the Indian Air Force, Income Tax India, Bhubaneswar Municipal Corporation, Mehsana Urban Co Op Ltd., and Shivalik Small Finance Bank – spans military, central government administration, local government, and the banking sector. This broad targeting suggests an intent to cause widespread disruption and potentially undermine public confidence in various facets of India’s digital infrastructure, rather than focusing on a single specific grievance. This aligns with common hacktivist strategies aimed at making a broad statement against a state or its institutions.8

Dark Storm Team

  • Profile: Dark Storm Team emerged in mid-2023 and identifies as a hacktivist collective, vocal in its support for Palestine and opposition to Israel and its allies.3 Intelligence suggests potential links or alignment with pro-Russian hacktivist circles.3 Their activities encompass DDoS attacks, data theft, and potentially ransomware, indicating a blend of ideological and financial motivations.3
  • Motivations: The group’s primary driver appears to be political and ideological, focused on pro-Palestine and anti-Western/anti-Israel/anti-NATO sentiments.4 However, they also advertise DDoS-for-hire services on Telegram, introducing a financial motivation alongside their hacktivism.4 The extensive targeting of Kosovo’s government ministries today likely relates to Kosovo’s geopolitical alignment or perceived alliances that conflict with the group’s interests. The simultaneous attack against Mediacom, a US telecom company, reinforces their documented anti-Western operational focus.4
  • TTPs: DDoS attacks are their most frequently observed tactic.10 They are known to leverage large botnets, potentially comprising thousands of compromised devices, and utilize proxies or VPN services to obfuscate their origins.4 Telegram is their primary platform for communication, attack claims, threats, and advertising their illicit services.4 They often provide “proof links” from services like check-host.net to validate their DDoS claims.10 It is noted that, like other hacktivist groups, Dark Storm Team has occasionally claimed responsibility for incidents falsely, likely to gain notoriety or market their services.3
  • Impact & Context: The barrage of attacks against numerous Kosovo government ministries (including Education, Economy, Justice, Health, Finance, Internal Affairs, Local Government Administration, Regional Development, and Industry) within a short timeframe points to a highly coordinated campaign. This action was likely intended to disrupt governmental operations significantly, driven by Kosovo’s political stance. The concurrent attack on a US entity underscores the group’s broader anti-Western agenda and demonstrates their capacity to engage targets across different regions simultaneously.4

Al Ahad

  • Profile: Al Ahad manifested as a hacktivist group on this date, executing DDoS attacks against government and educational institutions in both Brazil and Ukraine. The name “Al Ahad” (meaning “The One” in Arabic, often used in a religious context) might suggest religious or specific political motivations, but concrete details linking this cyber group to known entities or ideologies are absent in the available intelligence. While some hacktivist groups, like the Holy League, explicitly invoke religious justifications for their actions against Western targets 17, and media reports mention an “al-Ahad Radio” associated with specific factions in Iraq 19, any connection to this cyber actor remains speculative.
  • Motivations: The group’s actions align with hacktivism, likely driven by political opposition to the targeted governments (Brazil, Ukraine) or support for adversarial causes. The simultaneous targeting of entities in two geographically and politically distinct countries is notable and could indicate broad geopolitical motivations, separate concurrent campaigns, or opportunistic targeting based on perceived vulnerabilities.
  • TTPs: All observed activity involved DDoS attacks. The group utilizes Telegram for disseminating attack claims and employs check-host.net links to provide evidence of service disruption.
  • Impact & Context: Targeting educational and governmental bodies in both Brazil and Ukraine concurrently presents an unusual pattern. Without a clear understanding of Al Ahad’s specific ideology or objectives, interpreting the strategic intent is challenging. It could reflect opposition to policies or alliances common to both nations (though less probable), distinct campaigns driven by different facets of their agenda, or simply opportunistic attacks against vulnerable targets identified across different regions. This ambiguity highlights the need for further intelligence gathering on this particular group.

“betway” (Actor Handle)

  • Profile: This identifier refers to an actor operating on the exploit.in hacking forum, observed selling large databases allegedly obtained from victim organizations. It is crucial to distinguish this actor handle from the Betway gambling company; while a past incident involved a hacker selling data purportedly from Betway 12, there is no confirmed link between that event and this specific actor handle “betway”. This actor operates on forums accessible via the standard web (“openweb”).
  • Motivations: The actor’s motivation is unequivocally financial gain, characteristic of data brokers active in the cybercriminal underground.5 Their business model involves monetizing stolen data by selling it to other malicious actors for use in activities like phishing, identity theft, or further intrusions.
  • TTPs: The core TTP is Data Sale/Brokering, which implies prior Data Exfiltration either by this actor or an upstream source. They operate on specific underground forums known for such transactions.5 To facilitate sales, they provide detailed descriptions of the database contents (e.g., record counts, data types like PII, business details) and sometimes offer samples.12 The types of data claimed (personal details, company information, emails, addresses, financial indicators) are high-value commodities on these markets.5
  • Impact & Context: The offering of two substantial databases – allegedly from Liberty Latin America (LLA) with ~500,000 rows and Y-Axis Overseas with over 2 million records – in rapid succession suggests this actor is either highly active in compromising targets or has reliable access to a supply chain of stolen data. This positions “betway” as a potentially significant player in the data brokerage ecosystem. The detailed nature of the compromised information described (names, contacts, professional history, financial data, etc.) poses severe risks to the individuals and businesses affected, including identity theft, targeted spear-phishing campaigns, financial fraud, and corporate espionage.5 Such sales fuel subsequent cybercriminal activities by providing valuable resources to other threat actors.

“decider” (Actor Handle)

  • Profile: “decider” was observed on the exploit.in forum offering Initial Access to a corporate network. Specifically, they claimed to be selling Remote Desktop Protocol (RDP) access with Domain Administrator privileges for an unidentified building materials firm located in Brazil. This actor profile aligns with that of an Initial Access Broker (IAB).
  • Motivations: The motivation is financial profit.8 IABs specialize in gaining unauthorized entry into networks and then selling that access, often to ransomware affiliates or other actors planning large-scale attacks, rather than exploiting the access themselves.6
  • TTPs: The primary TTP is Access Brokering, predicated on successful prior Network Intrusion and likely Credential Compromise or Privilege Escalation. They operate on underground forums frequented by cybercriminals. The specific offering – Domain Admin RDP access – represents a high level of privilege and is particularly valuable to attackers seeking to deploy ransomware or exfiltrate data across an entire network.6 Common methods used by IABs to gain initial access include exploiting vulnerabilities in public-facing services like VPNs, RDP, or web applications 6, or utilizing phishing campaigns.7
  • Impact & Context: The sale of Domain Administrator access indicates a critical security failure at the victim organization. Possession of such credentials grants subsequent attackers near-complete control over the Windows domain environment, enabling activities like disabling security tools, deploying malware (including ransomware) network-wide, exfiltrating sensitive data, and establishing persistent backdoors.6 The presence of actors like “decider” highlights the specialization and modularity within the cybercrime ecosystem, where different actors contribute specific capabilities (e.g., initial access, malware deployment, data exfiltration, ransom negotiation) to the overall attack lifecycle. This offering signals a high probability of a severe follow-on attack against the targeted Brazilian firm.

RuskiNet

  • Profile: The name “RuskiNet” strongly suggests a pro-Russian or Russian-affiliated orientation. Their activities on this date included a DDoS attack against Swiss Banking and an alleged leak of access credentials for Edimax, a Taiwanese IT services company. This combination of targets and tactics aligns with patterns observed among Russian state-sponsored or nationalist hacktivist/cybercriminal groups.11
  • Motivations: The motivations appear mixed. The DDoS attack against Swiss Banking likely represents politically motivated hacktivism, targeting a financial institution in a Western nation often perceived as adversarial or involved in sanctions.11 The alleged access leak for Edimax could serve financial purposes (selling access), espionage (gathering intelligence from a tech company), or disruptive goals (enabling sabotage). Pro-Russian actors are known to engage in all these types of operations.11
  • TTPs: Observed TTPs include DDoS attacks and potentially Initial Access Brokerage or Data Leakage (based on the Edimax claim). The group utilizes Telegram for communication and disseminating claims.
  • Impact & Context: The dual nature of RuskiNet’s reported actions – disruptive DDoS against a financial target and claimed intrusive access against a technology firm – suggests a versatile threat actor. They may not be limited to simple hacktivism but possess capabilities for deeper network intrusions, potentially blending ideological goals with cybercrime or espionage objectives. This multifaceted approach is common among state-aligned or nationalist cyber groups seeking to exert influence through various means.11 Targeting Swiss banking fits the pattern of disrupting Western financial systems, while targeting a Taiwanese tech firm could align with broader geopolitical strategies involving technology supply chains or regional power dynamics.

Anonymous Jordan

  • Profile: This group uses the “Anonymous” moniker, associating itself with the global decentralized hacktivist movement, while specifying a connection to Jordan. The broader Anonymous collective typically focuses on anti-censorship, social and political protests, and internet vigilantism, often employing DDoS attacks or website defacements.15 The specific agenda of Anonymous Jordan is not clear from the available information.
  • Motivations: Likely hacktivism, driven by political or social issues relevant to Jordan, the Middle East region, or international causes adopted by the group.
  • TTPs: The notable activity reported today is the development and announcement of a specific hacking tool – described as a “website cloning tool.” This tool reportedly aims to extract website scripts, identify hidden pages and directories, discover software components, and locate administrative panels. This indicates a focus on reconnaissance and vulnerability discovery, potentially preceding more targeted exploitation attempts.
  • Impact & Context: The development of a custom reconnaissance tool marks a potential evolution beyond the simpler DDoS tactics often associated with Anonymous actions.15 Such a tool facilitates more sophisticated attack planning by enabling detailed mapping of a target website’s structure and potential weaknesses (e.g., outdated components, exposed admin interfaces, injectable parameters). Announcing this tool on Telegram likely serves to enhance the group’s reputation, attract members with technical skills, share capabilities within their network, and potentially intimidate targets. It signifies a move towards more technically involved operations, potentially enabling more data breaches, defacements, or system compromises attributed to the group or individuals using their tool.

Keymous+

  • Profile: Keymous+ emerged as a hacktivist group targeting multiple prominent Swedish organizations across various sectors (Education, Business Development, Media, Finance). The “+” suffix might indicate an evolution from or affiliation with a previous entity named “Keymous.” Limited external information connects a “keymous+” Telegram channel with claims against Tesla 4, potentially suggesting an anti-Western or anti-corporate stance, possibly aligning with broader pro-Russian or anti-NATO narratives, especially considering Sweden’s recent geopolitical shifts regarding NATO.
  • Motivations: The motivation appears to be hacktivism, likely driven by opposition to Swedish government policies, its international alignment (e.g., NATO membership), or specific corporate actions. Targeting diverse and significant institutions suggests an intent to cause broad societal disruption within Sweden as a form of protest or pressure.
  • TTPs: The group executed DDoS attacks against all its targets on this date. They utilize Telegram for announcing their actions and rely on check-host.net links to provide proof of the resulting service disruptions.
  • Impact & Context: The coordinated targeting of Chalmers University of Technology, Svenskt Näringsliv (Confederation of Swedish Enterprise), TT News Agency, and Swedfund International represents an attack on key pillars of Swedish society: higher education and research, business and economic development, national news dissemination, and state-owned development finance. This pattern suggests a deliberate campaign aimed at maximizing visibility and disruptive impact, likely intended as a political statement against Sweden, consistent with hacktivist objectives in response to perceived grievances or geopolitical developments.
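
Detection example for the Layer 7 pattern described in the NoName057(16) TTPs above, where many volunteer-run clients concentrate on one costly component such as a search form or login page. This is an added example, not code from the report or from any tool it names; the combined log format, the thresholds, the paths and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Combined-log-format fields used here: client IP, timestamp, request target, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(line):
    """Return (minute, ip, path, status), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["target"].split("?", 1)[0]  # /search?q=a and /search?q=b count as one path
    return ts.replace(second=0), m["ip"], path, int(m["status"])


def detect_endpoint_floods(lines, min_requests=50, min_sources=20, ratio=5.0):
    """Flag (minute, path) buckets where many distinct clients hit one path at a
    rate far above that path's own earlier baseline. Thresholds are assumed values."""
    buckets = defaultdict(lambda: {"n": 0, "ips": set(), "errors": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        minute, ip, path, status = rec
        b = buckets[(minute, path)]
        b["n"] += 1
        b["ips"].add(ip)
        b["errors"] += status >= 500  # 5xx responses hint that the endpoint is degrading

    history = defaultdict(list)  # path -> request counts of earlier, unflagged minutes
    alerts = []
    for minute, path in sorted(buckets):
        b = buckets[(minute, path)]
        baseline = median(history[path]) if history[path] else 1
        # A single noisy client (crawler, scanner) fails the min_sources test.
        if (b["n"] >= min_requests and len(b["ips"]) >= min_sources
                and b["n"] >= ratio * baseline):
            alerts.append({
                "minute": minute.isoformat(),
                "path": path,
                "requests": b["n"],
                "sources": len(b["ips"]),
                "baseline": baseline,
                "error_share": b["errors"] / b["n"],
            })
        else:
            history[path].append(b["n"])  # flagged minutes never raise the baseline
    return alerts


def constructed_sample():
    """Constructed log lines: three quiet minutes, then a distributed burst on /search."""
    fmt = ('{ip} - - [18/Apr/2025:09:{m:02d}:{s:02d} +0000] '
           '"{meth} {target} HTTP/1.1" {st} 512')
    lines = []
    for minute in range(4):  # ordinary traffic, present in every minute
        lines.append(fmt.format(ip="192.0.2.50", m=minute, s=45,
                                meth="POST", target="/login", st=200))
        lines.append(fmt.format(ip="192.0.2.51", m=minute, s=50,
                                meth="GET", target="/", st=200))
    for minute in range(3):  # normal search usage: 4 requests per minute
        for i in range(4):
            lines.append(fmt.format(ip=f"192.0.2.{10 + i}", m=minute, s=i * 10,
                                    meth="GET", target=f"/search?q=item{i}", st=200))
    for i in range(120):  # minute 3: 120 search requests from 40 addresses
        lines.append(fmt.format(ip=f"198.51.100.{i % 40 + 1}", m=3, s=i % 60,
                                meth="GET", target=f"/search?q=x{i}",
                                st=503 if i % 3 else 200))
    return lines


if __name__ == "__main__":
    for alert in detect_endpoint_floods(constructed_sample()):
        print(alert)
```

Requiring both a per-path rate jump and a minimum number of distinct sources keeps a single aggressive crawler from being reported as a distributed flood; both thresholds need tuning against the site's own traffic.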

3. Detailed Incident Reports

This section details the specific cybersecurity incidents recorded on April 18, 2025, integrating context about the threat actors involved.


Incident Title: NoName057(16) targets BLIK (DDoS Attack)

Date/Time: 2025-04-18T09:19:17Z

Victim: blik (Financial Services, Poland) | Site: blik.com

Category: DDoS Attack

Threat Actor: NONAME (Alias for NoName057(16))

Summary & Context: The pro-Russian hacktivist group NoName057(16) claimed responsibility for a DDoS attack targeting the website of BLIK, a major Polish mobile payment system. This attack is part of a broader campaign observed today against Polish entities across various sectors. NoName057(16) frequently targets organizations in NATO countries, particularly those actively supporting Ukraine, such as Poland.1 The group utilizes DDoS attacks as its primary method to disrupt services and make political statements.1 This incident aligns perfectly with their known modus operandi and geopolitical motivations, aiming to disrupt a key component of Poland’s financial infrastructure. The actors provided a check-host.net link as proof of downtime, a common tactic for this group.10

Supporting Links:

  • Published URL: https://t.me/nnm05716rus/601
  • Proof/Source Link: check-host.net/check-report/251651a7kb7
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/0c737128-e9f6-4b3e-8991-e9ad45313991.png, https://d34iuop8pidsy8.cloudfront.net/fc8ff266-6222-4056-b7a8-398067676718.png

Incident Title: NoName057(16) targets Fabryka Broni Lucznik Radom (DDoS Attack)

Date/Time: 2025-04-18T09:03:40Z

Victim: fabryka broni lucznik radom (Manufacturing, Poland) | Site: fabrykabroni.pl

Category: DDoS Attack

Threat Actor: NONAME (Alias for NoName057(16))

Summary & Context: NoName057(16), a pro-Russian hacktivist group, conducted a DDoS attack against Fabryka Broni “Łucznik” – Radom, a significant Polish firearms manufacturer. This attack aligns with the group’s pattern of targeting entities in countries critical of Russia’s invasion of Ukraine, particularly those involved in defense or manufacturing sectors supporting Ukraine or NATO allies.1 Poland’s role as a key arms supplier to Ukraine makes its defense industry a logical target for groups like NoName057(16) seeking to disrupt and retaliate.1 The use of DDoS and providing proof via check-host.net is consistent with their standard TTPs.1

Supporting Links:

  • Published URL: https://t.me/nnm05716rus/601
  • Proof/Source Link: check-host.net/check-report/2516515fk85c
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/8c541754-1d7a-4f8b-bd69-8c50b1494351.png, https://d34iuop8pidsy8.cloudfront.net/d9a50919-7cea-4c1f-969e-2d60f84f5109.png

Incident Title: NoName057(16) targets Marketplanet (DDoS Attack)

Date/Time: 2025-04-18T08:54:42Z

Victim: marketplanet (Software Development, Poland) | Site: marketplanet.pl

Category: DDoS Attack

Threat Actor: NoName057(16)

Summary & Context: The pro-Russian hacktivist group NoName057(16) targeted Marketplanet, a Polish e-procurement platform provider. This attack is part of the group’s coordinated DDoS campaign against Polish organizations observed today. While Marketplanet is in the software development sector, its focus on procurement platforms could be seen as part of the broader economic infrastructure that NoName057(16) seeks to disrupt in nations opposing Russia.1 The attack methodology (DDoS) and claim validation (check-host.net link) are typical for this actor.1

Supporting Links:

  • Published URL: https://t.me/nnm05716rus/601
  • Proof/Source Link: check-host.net/check-report/25165154kb12
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/f464879b-5d97-467d-b6f5-425daa109487.png, https://d34iuop8pidsy8.cloudfront.net/e3338784-479c-4d16-85d2-43786c982609.png

Incident Title: NoName057(16) targets PGE Polska Grupa Energetyczna (DDoS Attack)

Date/Time: 2025-04-18T07:58:44Z

Victim: pge polish energy group joint stock company (Energy & Utilities, Poland) | Site: gkpge.pl

Category: DDoS Attack

Threat Actor: NoName057(16)

Summary & Context: NoName057(16) continued its DDoS campaign against Poland by targeting PGE Polska Grupa Energetyczna, a major state-owned energy company. Critical infrastructure, especially in the energy sector, is a frequent target for politically motivated hacktivist groups like NoName057(16) aiming to cause significant disruption in countries opposing their agenda.1 Attacking Poland’s energy infrastructure aligns with their goal of imposing costs on nations supporting Ukraine.1 The group claimed the attack on their English-language Telegram channel, providing a check-host.net link as proof of impact.10

Supporting Links:

  • Published URL: https://t.me/nnm05716eng/222
  • Proof/Source Link: https://check-host.net/check-report/25164c18k16
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/c24fcf0b-0a1f-4304-a755-75a59fa04e15.png, https://d34iuop8pidsy8.cloudfront.net/62f58b2d-2093-434a-8350-eb5afb1a9395.png

Incident Title: NoName057(16) targets PGNiG (DDoS Attack)

Date/Time: 2025-04-18T07:43:08Z

Victim: pgnig retail trading sp. z o. o. (Oil & Gas, Poland) | Site: biznes24.pgnig.pl

Category: DDoS Attack

Threat Actor: NoName057(16)

Summary & Context: The pro-Russian group NoName057(16) targeted the business customer portal of PGNiG (now part of Orlen Group), Poland’s dominant oil and gas company. This attack further demonstrates the group’s focus on Poland’s critical energy infrastructure as part of its broader campaign against NATO supporters.1 Disrupting energy services, even customer portals, aligns with their objective of causing inconvenience and economic impact in targeted nations.1 The claim was made via Telegram, including a check-host.net proof link.10

Supporting Links:

  • Published URL: https://t.me/nnm05716eng/222
  • Proof/Source Link: https://check-host.net/check-report/25164bd3k7ac
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/4ce382f4-cae2-421f-9cf0-9987d6d8ba4b.png, https://d34iuop8pidsy8.cloudfront.net/bcb3ee87-2509-4397-80f9-68ebf98bbf94.png

Incident Title: NoName057(16) targets Polska Press Grupa (DDoS Attack)

Date/Time: 2025-04-18T07:37:17Z

Victim: polska press sp. z o. o. (Newspapers & Journalism, Poland) | Site: polskapress.pl

Category: DDoS Attack

Threat Actor: NoName057(16)

Summary & Context: Completing its observed wave of attacks against Poland today, NoName057(16) targeted Polska Press Grupa, a major Polish media group. Media organizations, especially those in countries deemed hostile, are frequent targets for NoName057(16), aligning with their stated goal of silencing perceived anti-Russian narratives.1 Disrupting access to news sources is a common tactic for politically motivated hacktivists seeking to control information flow or punish outlets for their coverage.1 The attack was claimed on Telegram with a corresponding check-host.net link.10

Supporting Links:

  • Published URL: https://t.me/nnm05716eng/222
  • Proof/Source Link: https://check-host.net/check-report/25164b9aka87
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/803ec1de-a00e-4063-be30-1818e5cb04cf.png, https://d34iuop8pidsy8.cloudfront.net/719430f5-cdb4-4b8b-a20f-cf0990857325.png

Incident Title: AnonSec targets the website of Indian Air Force (DDoS Attack)

Date/Time: 2025-04-18T05:17:01Z

Victim: indian air force (Government Administration, India) | Site: indianairforce.nic.in

Category: DDoS Attack

Threat Actor: AnonSec

Summary & Context: The hacktivist group AnonSec claimed a DDoS attack against the official website of the Indian Air Force. Targeting a high-profile military website is a common tactic for hacktivist groups seeking visibility and aiming to embarrass or disrupt government functions.8 While AnonSec’s specific motives are unclear, hacktivist actions are often driven by political protest, ideological opposition, or regional conflicts.8 This attack was part of a series targeting Indian government and financial institutions today. The claim was made via a private Telegram channel link, with a check-host.net link for proof.

Supporting Links:

  • Published URL: https://t.me/c/2389372004/250
  • Proof/Source Link: https://check-host.net/check-report/25158816k4d5
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/93c8cd94-368a-451b-8d73-fe532e81bdf9.jpg

Incident Title: AnonSec targets the website of Income Tax India (DDoS Attack)

Date/Time: 2025-04-18T05:16:46Z

Victim: income tax india (Government Administration, India) | Site: incometaxindia.gov.in

Category: DDoS Attack

Threat Actor: AnonSec

Summary & Context: AnonSec conducted a DDoS attack targeting the website of India’s Income Tax Department. This attack, occurring almost simultaneously with the strike against the Indian Air Force, further indicates a coordinated campaign against Indian government entities. Disrupting access to essential government services like tax administration can cause public inconvenience and undermine trust in government digital infrastructure, aligning with typical hacktivist goals.8 The claim was made via Telegram, including a check-host.net proof link.

Supporting Links:

  • Published URL: https://t.me/c/2389372004/250
  • Proof/Source Link: https://check-host.net/check-report/251586b9ka8
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/13923f05-3524-4f3e-8558-7cc489a321fb.jpg

Incident Title: AnonSec targets the website of Mehsana Urban Co Op Ltd. (DDoS Attack)

Date/Time: 2025-04-18T05:08:35Z

Victim: mehsana urban co op ltd. (Banking & Mortgage, India) | Site: mucbank.com

Category: DDoS Attack

Threat Actor: AnonSec

Summary & Context: The hacktivist group AnonSec targeted Mehsana Urban Co Op Ltd., an Indian cooperative bank, with a DDoS attack. This incident, along with another bank targeted shortly after, shows AnonSec expanding its campaign beyond government sites to include the Indian financial sector. Disrupting banking services is a common hacktivist tactic aimed at causing economic inconvenience and demonstrating the vulnerability of financial institutions.8 The claim appeared on Telegram with a check-host.net link.

Supporting Links:

  • Published URL: https://t.me/c/2389372004/250
  • Proof/Source Link: https://check-host.net/check-report/2515714fk768
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/1910b9c3-28dd-439d-be8e-b81a2a011a61.png, https://d34iuop8pidsy8.cloudfront.net/4b5e1e4b-9a16-4366-80f1-5be868b4cb20.png

Incident Title: AnonSec targets Bhubaneswar Municipal Corporation (DDoS Attack)

Date/Time: 2025-04-18T05:03:59Z

Victim: bhubaneswar municipal corporation (Government Administration, India) | Site: bmc.gov.in

Category: DDoS Attack

Threat Actor: AnonSec

Summary & Context: AnonSec claimed a DDoS attack against the website of the Bhubaneswar Municipal Corporation in India. Targeting local government entities is another tactic used by hacktivists to cause disruption at various administrative levels and gain attention.8 This attack further broadens the scope of AnonSec’s campaign against Indian targets observed today. The claim was posted on Telegram with a check-host.net link.

Supporting Links:

  • Published URL: https://t.me/c/2389372004/250
  • Proof/Source Link: https://check-host.net/check-report/25158527k755
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/148114e5-3e1a-4018-8d7d-40fdbe8113e2.jpg, https://d34iuop8pidsy8.cloudfront.net/c573d2eb-441d-463f-8ea4-53b0a0b5af41.jpg

Incident Title: AnonSec targets the website of Shivalik Small Finance Bank (DDoS Attack)

Date/Time: 2025-04-18T05:02:49Z

Victim: shivalik small finance bank (Banking & Mortgage, India) | Site: shivalikbank.com

Category: DDoS Attack

Threat Actor: AnonSec

Summary & Context: AnonSec concluded its observed series of attacks today by targeting Shivalik Small Finance Bank with a DDoS attack. This second attack on an Indian financial institution within minutes reinforces the group’s focus on disrupting this sector alongside government targets. The motivation remains consistent with general hacktivist aims of causing disruption and demonstrating vulnerability.8 The claim was made via Telegram, including a check-host.net proof link.

Supporting Links:

  • Published URL: https://t.me/c/2389372004/250
  • Proof/Source Link: https://check-host.net/check-report/251575aek9ab
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/39e0a062-9cff-4e24-8e27-1627e1945fd8.png, https://d34iuop8pidsy8.cloudfront.net/550864ce-9639-469f-9627-2f4e79f5549d.png

Incident Title: Alleged database sale of Liberty Latin America (LLA) (Data Breach)

Date/Time: 2025-04-18T04:52:34Z

Victim: liberty latin america (lla) (Network & Telecommunications, ) | Site: lla.com

Category: Data Breach

Threat Actor: betway (Actor Handle)

Summary & Context: An actor using the handle “betway” posted on the exploit.in forum, offering for sale an alleged database belonging to Liberty Latin America (LLA), a major telecommunications provider. The actor claims the data originates from April 2025 and contains approximately 500,000 rows of user information. Exposed data purportedly includes names, titles, company affiliations, email addresses, physical addresses, industry details, revenue figures, employee counts, and other personal and business data. This incident represents a potentially significant data breach driven by financial motives, typical of data brokers operating in underground markets.5 The sale of such comprehensive data poses substantial risks of identity theft, sophisticated phishing attacks, corporate espionage, and other forms of fraud for the affected individuals and companies.5 The actor’s operation on exploit.in aligns with common TTPs for monetizing stolen data.5

Supporting Links:

  • Published URL: https://forum.exploit.in/topic/257625/
  • Proof/Source Link: N/A (Contained in post)
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/961352d7-4c75-4342-8e84-ce3ff741fd69.png

Incident Title: Alleged Database Sale of Y-Axis Overseas (Data Breach)

Date/Time: 2025-04-18T04:41:18Z

Victim: y-axis overseas (Professional Services, India) | Site: y-axis.com

Category: Data Breach

Threat Actor: betway (Actor Handle)

Summary & Context: The same actor, “betway,” also advertised the sale of an alleged database from Y-Axis Overseas, an immigration and visa consultancy firm based in India. This database is claimed to contain over 2 million user records, allegedly breached in April 2025. The exposed information is described as highly detailed, including full names, birthdates, job titles, email addresses, phone numbers, educational backgrounds, employment histories, salary details, visa statuses, and more. Similar to the LLA offering, this is a financially motivated attempt to sell compromised data.5 The sheer volume and sensitivity of the claimed data (personal, professional, financial, immigration status) make this alleged breach extremely serious, exposing victims to severe risks of identity theft, fraud, targeted scams, and potential exploitation related to their immigration status.12 This second large offering by “betway” on the same day suggests significant activity by this data broker.5

Supporting Links:

  • Published URL: https://forum.exploit.in/topic/257624/
  • Proof/Source Link: N/A (Contained in post)
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/aeaf507e-2bdc-4483-b6ba-075e07e325c4.png

Incident Title: Al Ahad targets the website of Ministry of Education (DDoS Attack)

Date/Time: 2025-04-18T04:03:10Z

Victim: ministry of education (Government Administration, Brazil) | Site: mec.gov.br

Category: DDoS Attack

Threat Actor: Al Ahad

Summary & Context: The hacktivist group Al Ahad claimed responsibility for a DDoS attack against Brazil’s Ministry of Education website. This attack was part of a series targeting Brazilian educational and governmental institutions today. While the specific motivations of Al Ahad are unclear, targeting government ministries aligns with general hacktivist objectives of disruption and political statement.8 The claim was made via Telegram, including a check-host.net link for verification.

Supporting Links:

  • Published URL: https://t.me/qayzerowns/118
  • Proof/Source Link: https://check-host.net/check-report/25151fe5k356
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/48018936-5687-4a6d-bc7d-afb9f595da13.png

Incident Title: Al Ahad targets the website of Universidade Federal de São Carlos – UFSCar Oficial (DDoS Attack)

Date/Time: 2025-04-18T04:02:58Z

Victim: universidade federal de são carlos – ufscar oficial (Education, Brazil) | Site: ufscar.br

Category: DDoS Attack

Threat Actor: Al Ahad

Summary & Context: Almost concurrently with the attack on the Ministry of Education, Al Ahad targeted the Federal University of São Carlos (UFSCar) in Brazil with a DDoS attack. Attacking educational institutions is a common tactic for hacktivists seeking to disrupt services and gain attention.8 This incident reinforces Al Ahad’s focus on Brazilian targets within both government and education sectors today. The claim appeared on Telegram with a check-host.net proof link.

Supporting Links:

  • Published URL: https://t.me/qayzerowns/118
  • Proof/Source Link: https://check-host.net/check-report/25152154k482
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/b7c1db96-b992-46f1-a1da-941e35836d19.png

Incident Title: Al Ahad targets the website of UERJ (DDoS Attack)

Date/Time: 2025-04-18T03:53:06Z

Victim: uerj (Education, Brazil) | Site: uerj.br

Category: DDoS Attack

Threat Actor: Al Ahad

Summary & Context: Al Ahad continued its campaign against Brazilian educational institutions by launching a DDoS attack against the Rio de Janeiro State University (UERJ). This attack further solidifies the group’s focus on disrupting Brazil’s education sector today, consistent with hacktivist disruption tactics.8 The claim was disseminated via Telegram, including a check-host.net link.

Supporting Links:

  • Published URL: https://t.me/qayzerowns/118
  • Proof/Source Link: https://check-host.net/check-report/25151a62kf35
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/78a7745f-3c02-4401-8758-91f04967cc4d.png

Incident Title: Al Ahad targets the website of University of Brasilia (DDoS Attack)

Date/Time: 2025-04-18T03:53:01Z

Victim: university of brasilia (Education, Brazil) | Site: unb.br

Category: DDoS Attack

Threat Actor: Al Ahad

Summary & Context: The hacktivist group Al Ahad targeted the University of Brasilia (UnB) with a DDoS attack, adding another major Brazilian university to its list of victims today. This sustained focus on educational targets suggests a deliberate effort to disrupt academic activities and infrastructure within Brazil.8 The claim was made on Telegram, accompanied by a check-host.net proof link.

Supporting Links:

  • Published URL: https://t.me/qayzerowns/118
  • Proof/Source Link: https://check-host.net/check-report/25151707k2b4
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/fac3121c-c8d1-4d02-92b7-95093b23c09c.png

Incident Title: Al Ahad targets the website of National Institute of Educational Studies and Research Anísio Teixeira – Inep (DDoS Attack)

Date/Time: 2025-04-18T03:52:56Z

Victim: national institute of educational studies and research anísio teixeira – inep (Government Administration, Brazil) | Site: inep.gov.br

Category: DDoS Attack

Threat Actor: Al Ahad

Summary & Context: Al Ahad also targeted INEP, a Brazilian federal agency linked to the Ministry of Education responsible for educational assessments. This attack bridges the group’s targeting of both educational institutions and government administration within Brazil today. Disrupting an agency responsible for national educational standards aligns with the goal of causing significant interference in the country’s education system.8 The claim was posted on Telegram with a check-host.net link.

Supporting Links:

  • Published URL: https://t.me/qayzerowns/118
  • Proof/Source Link: https://check-host.net/check-report/25150ecbk74c
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/6916aca7-d6ae-4ee9-9e3e-22fbf42071d4.png

Incident Title: Dark Storm Team targets the website of Ministry of Education Science Technology and Innovation, Republic of Kosovo (DDoS Attack)

Date/Time: 2025-04-18T03:07:47Z

Victim: ministry of education science technology and innovation, republic of kosovo (Education, Kosovo) | Site: masht.rks-gov.net

Category: DDoS Attack

Threat Actor: Dark Storm Team

Summary & Context: The hacktivist group Dark Storm Team launched a DDoS attack against Kosovo’s Ministry of Education, Science, Technology and Innovation. This was one of numerous attacks by the group against Kosovo government ministries today. Dark Storm Team, known for its pro-Palestine and anti-Western stance 3, likely targeted Kosovo due to its geopolitical alignment. Disrupting government services like education is a standard tactic for this group.10 The claim was made on Telegram with a check-host.net proof link.

Supporting Links:

  • Published URL: https://t.me/DarkStormTeam3/337
  • Proof/Source Link: https://check-host.net/check-report/2514c374ke4c
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/e1c4f08e-ffd9-4327-acb4-fce831454eb1.png, https://d34iuop8pidsy8.cloudfront.net/cd80c168-cbc9-41f7-b161-64c5bbbecb69.png

Incident Title: Dark Storm Team targets the website of Ministry of Economy of the Republic of Kosovo (DDoS Attack)

Date/Time: 2025-04-18T03:06:04Z

Victim: ministry of economy of the republic of kosovo (Energy & Utilities, Kosovo) | Site: me.rks-gov.net

Category: DDoS Attack

Threat Actor: Dark Storm Team

Summary & Context: Dark Storm Team continued its assault on Kosovo’s government by targeting the Ministry of Economy with a DDoS attack. This ministry often oversees critical sectors like energy, making it a strategic target for disruption.10 The attack aligns with Dark Storm Team’s pattern of targeting government infrastructure in nations perceived as adversaries.4 The claim was posted on Telegram, including a check-host.net link.

Supporting Links:

  • Published URL: https://t.me/DarkStormTeam3/337
  • Proof/Source Link: https://check-host.net/check-report/2514c494k9c
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/a117b9e2-92e9-42ea-895f-f01802df71b0.png, https://d34iuop8pidsy8.cloudfront.net/b5ebac1a-2508-426f-96f3-a341ca98cad5.png

Incident Title: Alleged Sale of Domain Admin Access to Unidentified Brazilian Building Materials Firm (Initial Access)

Date/Time: 2025-04-18T03:01:15Z

Victim: (Building and construction, Brazil) | Site: N/A

Category: Initial Access

Threat Actor: decider (Actor Handle)

Summary & Context: An actor using the handle “decider” advertised the sale of unauthorized Domain Administrator-level RDP access to an unnamed building materials company in Brazil. This actor is operating as an Initial Access Broker (IAB), specializing in breaching networks and selling access to other cybercriminals, often ransomware groups.6 Domain Admin access provides the highest level of control within a Windows network, making it extremely valuable for attackers planning widespread compromise, data theft, or ransomware deployment.6 This offering indicates a severe breach at the victim company and poses an imminent threat of a major follow-on attack. The sale was advertised on the exploit.in forum, a known marketplace for such illicit goods.5

Supporting Links:

  • Published URL: https://forum.exploit.in/topic/257623/
  • Proof/Source Link: N/A (Contained in post)
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/2c23a261-5ba5-495a-8ec0-2aef0626d5fd.png

Incident Title: Dark Storm Team targets the website of MINISTRY OF JUSTICE OF THE REPUBLIC OF KOSOVO (DDoS Attack)

Date/Time: 2025-04-18T03:00:04Z

Victim: ministry of justice of the republic of kosovo (Government Administration, Kosovo) | Site: md.rks-gov.net

Category: DDoS Attack

Threat Actor: Dark Storm Team

Summary & Context: The hacktivist group Dark Storm Team targeted Kosovo’s Ministry of Justice with a DDoS attack as part of its ongoing campaign against the country’s government infrastructure. Attacking judicial bodies aligns with the goal of disrupting core state functions and expressing political opposition.4 The claim was made via Telegram, providing a check-host.net link as validation.10

Supporting Links:

  • Published URL: https://t.me/DarkStormTeam3/337
  • Proof/Source Link: https://check-host.net/check-report/2514cb91k880
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/733f7b8b-7f6c-4051-8f07-8f2c3267a5a0.png, https://d34iuop8pidsy8.cloudfront.net/357d4a2b-f109-421f-ad63-b89642cea498.png

Incident Title: Dark Storm Team targets the website of Ministry of Health of Kosovo (DDoS Attack)

Date/Time: 2025-04-18T02:56:47Z

Victim: ministry of health of kosovo (Government Administration, Kosovo) | Site: msh.rks-gov.net

Category: DDoS Attack

Threat Actor: Dark Storm Team

Summary & Context: Dark Storm Team directed a DDoS attack against the Ministry of Health in Kosovo. Targeting healthcare-related government bodies during a broader campaign against a nation’s infrastructure is a tactic used to maximize disruption and potentially impact public well-being, amplifying the group’s message.4 This attack fits the pattern of Dark Storm Team’s multi-pronged assault on Kosovo’s government today. The claim was posted on Telegram with a check-host.net link.

Supporting Links:

  • Published URL: https://t.me/DarkStormTeam3/337
  • Proof/Source Link: https://check-host.net/check-report/2514be24kcb9
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/37f7ab30-6ab4-48fa-95c9-5fd0795ad570.png, https://d34iuop8pidsy8.cloudfront.net/6bf20d51-6418-4791-94f6-a515c3d23425.png

Incident Title: Dark Storm Team targets the website of Ministry of Finance / Republic of Kosovo (DDoS Attack)

Date/Time: 2025-04-18T02:56:37Z

Victim: ministry of finance / republic of kosovo (Government Administration, Kosovo) | Site: mf.rks-gov.net

Category: DDoS Attack

Threat Actor: Dark Storm Team

Summary & Context: Kosovo’s Ministry of Finance was targeted by a DDoS attack from Dark Storm Team. Attacking financial ministries aims to disrupt economic administration and potentially impact financial operations, representing a significant target within the group’s campaign against Kosovo’s government.4 The claim was made via Telegram, including a check-host.net proof link.

Supporting Links:

  • Published URL: https://t.me/DarkStormTeam3/337
  • Proof/Source Link: https://check-host.net/check-report/2514bda5k7ce
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/122d37f4-eb06-4178-b7af-45c16f7dfd42.png, https://d34iuop8pidsy8.cloudfront.net/17e2c675-0190-499b-a3b2-04f6a49bfb90.png

Incident Title: Dark Storm Team targets the website of Ministry of Internal Affairs of Kosovo (DDoS Attack)

Date/Time: 2025-04-18T02:56:29Z

Victim: ministry of internal affairs of kosovo (Government Administration, Kosovo) | Site: mpb.rks-gov.net

Category: DDoS Attack

Threat Actor: Dark Storm Team

Summary & Context: Dark Storm Team launched a DDoS attack against Kosovo’s Ministry of Internal Affairs. Targeting internal security and law enforcement bodies is a common objective for hacktivist groups seeking to undermine state authority and security functions.4 This attack is another component of the group’s coordinated assault on Kosovo today. The claim was posted on Telegram with a check-host.net link.

Supporting Links:

  • Published URL: https://t.me/DarkStormTeam3/337
  • Proof/Source Link: https://check-host.net/check-report/2514bccckea6
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/946349b6-2150-4348-9773-06cff3dadb32.png, https://d34iuop8pidsy8.cloudfront.net/ad9e78bd-d39b-4360-b774-6c765de9a2f4.png

Incident Title: Dark Storm Team targets the website of Ministry of Local Government Administration (DDoS Attack)

Date/Time: 2025-04-18T02:53:06Z

Victim: ministry of local government administration (Government Administration, Kosovo) | Site: mapl.rks-gov.net

Category: DDoS Attack

Threat Actor: Dark Storm Team

Summary & Context: The Ministry of Local Government Administration in Kosovo was subjected to a DDoS attack by Dark Storm Team. This continues the pattern of targeting various branches of Kosovo’s government to cause widespread disruption.4 The claim was made on Telegram, including a check-host.net proof link.

Supporting Links:

  • Published URL: https://t.me/DarkStormTeam3/337
  • Proof/Source Link: https://check-host.net/check-report/2514c757kf9f
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/5ab0237d-9419-46e2-9ece-809cba6e2f87.png, https://d34iuop8pidsy8.cloudfront.net/7a141c9d-e550-43ba-ad67-1ffb553631a1.png

Incident Title: Dark Storm Team targets the website of Ministry of Regional Development (DDoS Attack)

Date/Time: 2025-04-18T02:46:52Z

Victim: ministry of regional development (Government Administration, Kosovo) | Site: mzhr.rks-gov.net

Category: DDoS Attack

Threat Actor: Dark Storm Team

Summary & Context: Dark Storm Team’s campaign against Kosovo continued with a DDoS attack targeting the Ministry of Regional Development. This further illustrates the breadth of their assault on the country’s governmental functions.4 The claim was posted on Telegram with a check-host.net link.

Supporting Links:

  • Published URL: https://t.me/DarkStormTeam3/337
  • Proof/Source Link: https://check-host.net/check-report/2514c6afkd61
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/212a50eb-3d43-4078-8d95-8e71ad865d9a.png, https://d34iuop8pidsy8.cloudfront.net/cb0f74cc-89b8-49fe-b2c7-44ec4a472b9d.png

Incident Title: Dark Storm Team targets the website of Mediacom Communications Corporation (DDoS Attack)

Date/Time: 2025-04-18T02:42:15Z

Victim: mediacom communications corporation (Other Industry, USA) | Site: mediacomcable.com

Category: DDoS Attack

Threat Actor: Dark Storm Team

Summary & Context: Concurrent with its campaign against Kosovo, Dark Storm Team also claimed a DDoS attack against Mediacom Communications Corporation, a US cable and internet provider. This aligns with the group’s stated anti-Western stance and previous targeting of critical infrastructure and major corporations in Western nations.4 Targeting a telecommunications provider aims to disrupt services for a large customer base. The claim was made via a separate Telegram channel link, including a check-host.net proof link.

Supporting Links:

  • Published URL: https://t.me/c/2640049630/334
  • Proof/Source Link: https://check-host.net/check-report/25144275kccb
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/ee40af87-ba71-402f-81ba-fdd64b3ef399.png

Incident Title: Dark Storm Team targets the website of Ministry of Industry of Kosovo (DDoS Attack)

Date/Time: 2025-04-18T02:41:27Z

Victim: ministry of industry of kosovo (Government Administration, Kosovo) | Site: mint.rks-gov.net

Category: DDoS Attack

Threat Actor: Dark Storm Team

Summary & Context: Dark Storm Team concluded its observed wave of attacks against Kosovo by targeting the Ministry of Industry, Entrepreneurship and Trade. This final attack reinforces the comprehensive nature of their campaign against Kosovo’s governmental and economic administration today.4 The claim was made on Telegram with a check-host.net link.

Supporting Links:

  • Published URL: https://t.me/DarkStormTeam3/337
  • Proof/Source Link: https://check-host.net/check-report/2514c562kc9d
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/c4f00028-49e0-4087-8ccf-edac877e7c6b.png, https://d34iuop8pidsy8.cloudfront.net/9ce7a8cf-9ce6-4579-85a8-85324aa21b30.png

Incident Title: Alleged leak of access to Edimax (Initial Access)

Date/Time: 2025-04-18T02:39:33Z

Victim: edimax (Information Technology (IT) Services, Taiwan) | Site: edimax.com

Category: Initial Access

Threat Actor: RuskiNet

Summary & Context: The pro-Russian group RuskiNet claimed on Telegram to have leaked access credentials or methods for Edimax, a Taiwanese networking equipment manufacturer. This claim, distinct from their DDoS activity, suggests potential capabilities beyond simple disruption, possibly involving network intrusion or data exfiltration.11 Leaking access could be intended to enable further attacks by others, serve espionage purposes, or simply cause reputational damage. Targeting a Taiwanese tech company could align with broader geopolitical strategies or economic disruption goals often associated with state-aligned actors.28

Supporting Links:

  • Published URL: https://t.me/c/2577273080/212
  • Proof/Source Link: N/A (Claim made in post)
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/8a858f19-82e8-4cd4-a585-e07c93766dd5.png

Incident Title: Anonymous Jordan has developed a website cloning tool (Alert)

Date/Time: 2025-04-18T02:30:55Z

Victim: N/A () | Site: N/A

Category: Alert

Threat Actor: Anonymous Jordan

Summary & Context: Anonymous Jordan announced on their Telegram channel the development of a new tool described as a “website cloning tool.” According to the post, this tool is designed to extract a target website’s underlying scripts and uncover hidden elements such as pages, software components, and administrative panels. While aligning with the Anonymous hacktivist collective’s ethos 15, the development of such a reconnaissance tool indicates potentially evolving TTPs beyond simple DDoS or defacement. This tool facilitates detailed vulnerability discovery and attack planning, potentially enabling more sophisticated intrusions by the group or its affiliates. Publicizing the tool serves to boast capability and share resources within their network.15

Supporting Links:

  • Published URL: https://t.me/AnonymousJordan/180
  • Proof/Source Link: N/A (Announcement)
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/be3bdf99-7326-40e7-a7af-4a662ce828b3.png

Incident Title: Keymous+ targets the website of Chalmers University of Technology (DDoS Attack)

Date/Time: 2025-04-18T01:38:22Z

Victim: chalmers university of technology (Education, Sweden) | Site: chalmers.se

Category: DDoS Attack

Threat Actor: Keymous+

Summary & Context: The hacktivist group Keymous+ launched a DDoS attack against Chalmers University of Technology, a prominent Swedish technical university. This attack was part of a series targeting Swedish institutions today. Targeting high-profile educational institutions is a common hacktivist tactic aimed at disruption and gaining visibility.8 The group’s motivations may be linked to Sweden’s geopolitical stance or specific policies, aligning with potential anti-Western sentiments suggested by related intelligence.4 The claim was made on Telegram.

Supporting Links:

  • Published URL: https://t.me/KeymousTeam/1416
  • Proof/Source Link: https://t.me/KeymousTeam/1416 (Proof claimed within post)
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/31d4919a-1ceb-4602-948a-f43f03ac8173.png

Incident Title: Keymous+ targets the website of Svenskt Näringsliv (DDoS Attack)

Date/Time: 2025-04-18T01:37:45Z

Victim: svenskt näringsliv (Business and Economic Development, Sweden) | Site: svensktnaringsliv.se

Category: DDoS Attack

Threat Actor: Keymous+

Summary & Context: Keymous+ targeted the Confederation of Swedish Enterprise (Svenskt Näringsliv), a major business advocacy organization in Sweden, with a DDoS attack. Attacking a key representative of the country’s business community aims to disrupt economic discourse and potentially signal opposition to Sweden’s economic policies or international trade relationships.8 This attack further illustrates the group’s broad targeting of influential Swedish institutions today. The claim included a check-host.net link for proof.

Supporting Links:

  • Published URL: https://t.me/KeymousTeam/1416
  • Proof/Source Link: https://check-host.net/check-report/25140ba4k6cb
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/1c0aed08-2d7c-44bb-9918-eb664ce25fe6.png

Incident Title: RuskiNet targets the website of Swiss Banking (DDoS Attack)

Date/Time: 2025-04-18T01:31:39Z

Victim: swiss banking (Government Relations, Switzerland) | Site: swissbanking.ch

Category: DDoS Attack

Threat Actor: RuskiNet

Summary & Context: The pro-Russian group RuskiNet claimed a DDoS attack against the Swiss Bankers Association (Swiss Banking). Targeting the primary association for Switzerland’s financial sector aligns with the pattern of pro-Russian actors attacking financial institutions in Western nations, potentially in response to sanctions or perceived political opposition.11 This disruptive action aims to impact a key sector of the Swiss economy. The claim was made via a private Telegram channel link, including a check-host.net proof link.

Supporting Links:

  • Published URL: https://t.me/c/2577273080/214
  • Proof/Source Link: https://check-host.net/check-report/251436b5k87
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/c1ce7604-2805-4675-943e-6903a33466ec.png

Incident Title: Keymous+ targets the website of TT News Agency (DDoS Attack)

Date/Time: 2025-04-18T01:08:26Z

Victim: tt news agency (Media Production, Sweden) | Site: tt.se

Category: DDoS Attack

Threat Actor: Keymous+

Summary & Context: Keymous+ continued its campaign against Swedish institutions by targeting the TT News Agency, Sweden’s national wire service. Attacking a primary news source aims to disrupt the flow of information within the country, a common goal for hacktivists seeking to protest media narratives or government communication channels.8 This attack further demonstrates the group’s multi-sector approach to disrupting Swedish society today. The claim included a check-host.net link.

Supporting Links:

  • Published URL: https://t.me/KeymousTeam/1416
  • Proof/Source Link: https://check-host.net/check-report/251400dbkd59
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/3af6619b-e51d-4ba9-982e-84155e04db91.png

Incident Title: Keymous+ targets the website of Swedfund International (DDoS Attack)

Date/Time: 2025-04-18T01:08:22Z

Victim: swedfund international (Financial Services, Sweden) | Site: swedfund.se

Category: DDoS Attack

Threat Actor: Keymous+

Summary & Context: The hacktivist group Keymous+ targeted Swedfund International, Sweden’s state-owned development finance institution, with a DDoS attack. This attack on a government financial entity complements the group’s targeting of other key Swedish institutions (education, business, media) today, suggesting a comprehensive effort to disrupt various aspects of the nation’s infrastructure and international engagement.8 The claim was made on Telegram with a check-host.net link.

Supporting Links:

  • Published URL: https://t.me/KeymousTeam/1416
  • Proof/Source Link: https://check-host.net/check-report/251404e1k3f3
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/51653639-7614-40f8-bc1e-9eb1dad636c0.png

Incident Title: Al Ahad targets the website of Ministry of Youth and Sports of Ukraine (DDoS Attack)

Date/Time: 2025-04-18T00:37:18Z

Victim: ministry of youth and sports of ukraine (Government Administration, Ukraine) | Site: mms.gov.ua

Category: DDoS Attack

Threat Actor: Al Ahad

Summary & Context: The hacktivist group Al Ahad launched a DDoS attack against Ukraine’s Ministry of Youth and Sports. This attack was part of a series targeting Ukrainian government ministries today, occurring alongside the group’s campaign against Brazilian entities. Targeting Ukrainian government bodies is a common action for groups opposing Ukraine or supporting its adversaries.1 While Al Ahad’s specific alignment is unclear, the action itself fits the pattern of disruptive hacktivism against state institutions.8 The claim was posted on Telegram with a check-host.net link.

Supporting Links:

  • Published URL: https://t.me/qayzerowns/116
  • Proof/Source Link: https://check-host.net/check-report/2513d954ke92
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/a16a82a0-3d85-4f52-8d26-ff680965e03e.png

Incident Title: Al Ahad targets the website of Ministry of Social Policy of Ukraine (DDoS Attack)

Date/Time: 2025-04-18T00:37:06Z

Victim: ministry of social policy of ukraine (Political Organization, Ukraine) | Site: msp.gov.ua

Category: DDoS Attack

Threat Actor: Al Ahad

Summary & Context: Al Ahad continued its DDoS campaign against Ukraine by targeting the Ministry of Social Policy. Disrupting social services administration is another way hacktivists attempt to interfere with government functions and impact the public.8 This attack reinforces Al Ahad’s focus on Ukrainian government targets today. The claim was made via Telegram, including a check-host.net proof link.

Supporting Links:

  • Published URL: https://t.me/qayzerowns/116
  • Proof/Source Link: https://check-host.net/check-report/2513d74ekc54
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/5fac74fa-93fa-470e-a17d-1f35ba82355f.png

Incident Title: Al Ahad targets the website of Ministry of Agrarian Policy and Food of Ukraine (DDoS Attack)

Date/Time: 2025-04-18T00:37:03Z

Victim: Ministry of Agrarian Policy and Food of Ukraine (Political Organization, Ukraine) | Site: minagro.gov.ua

Category: DDoS Attack

Threat Actor: Al Ahad

Summary & Context: The hacktivist group Al Ahad targeted Ukraine’s Ministry of Agrarian Policy and Food with a DDoS attack. Attacking the ministry responsible for agriculture and food supply, especially in a country heavily reliant on agricultural exports like Ukraine, can be seen as an attempt to disrupt a critical economic sector and potentially impact food security.8 This concludes the observed series of attacks by Al Ahad against Ukrainian ministries today. The claim was posted on Telegram with a check-host.net link.

Supporting Links:

  • Published URL: https://t.me/qayzerowns/116
  • Proof/Source Link: https://check-host.net/check-report/2513d429kab6
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/eff306c7-f56d-48c2-977e-b4eac481a20a.png

4. Emerging Threats & Capabilities

  • Anonymous Jordan Website Cloning Tool:
      • Description: The hacktivist group Anonymous Jordan announced via Telegram the development of a tool designed for website reconnaissance. According to their claim, the tool can “clone” a website, extracting its underlying scripts and revealing hidden elements such as non-public pages, specific software components in use, administrative login panels, and other potentially sensitive structural information.
      • Analysis & Implications: While Anonymous Jordan operates under the banner of the broader Anonymous movement, typically associated with DDoS attacks and defacements driven by socio-political motives 15, the creation of this specific tool suggests an enhancement or diversification of their technical capabilities. Unlike basic DDoS tools focused purely on overwhelming servers, this cloning tool is geared towards deep reconnaissance. Its functions enable attackers to meticulously map a website’s architecture, identify the technologies used (potentially revealing known vulnerabilities), discover hidden administrative interfaces, and analyze client-side code for weaknesses. This level of information gathering significantly lowers the barrier for planning and executing more sophisticated attacks, such as SQL injection, cross-site scripting (XSS), exploiting vulnerable components, or attempting to brute-force or bypass admin panel logins. The public announcement of this tool on Telegram likely serves multiple purposes: it acts as a demonstration of the group’s technical prowess, potentially attracting new recruits with technical skills; it may serve to share capabilities within the Anonymous Jordan network or wider Anonymous collective; and it can function as a form of intimidation against potential targets. This development reflects a trend where hacktivist groups invest in creating custom tooling to improve the effectiveness and scope of their operations, potentially shifting their impact from purely disruptive to more intrusive or destructive actions.

Analysis of the incidents reported on April 18, 2025, reveals several key trends and patterns in the current threat landscape:

  • Geopolitical Nexus: DDoS campaigns remained strongly correlated with geopolitical events and alignments. The intense targeting of Poland by the pro-Russian NoName057(16) 1, Kosovo by the pro-Palestine/anti-Western Dark Storm Team 3, Sweden by Keymous+ (potentially anti-Western) 4, and Ukraine by Al Ahad underscores the continued use of cyber disruption as a tool in international conflicts and political disputes. The simultaneous campaigns against India (by AnonSec) and Brazil (by Al Ahad) suggest that hacktivist activity is also driven by regional politics or broader global alignments beyond the immediate Russia-Ukraine conflict.
  • Sector Focus: While targets were diverse, several sectors faced concentrated attacks. Government Administration was heavily targeted in India, Brazil, Kosovo, and Ukraine. Financial Services/Banking were hit in Poland, India, and Switzerland. Energy/Utilities were targeted in Poland and Kosovo. Education institutions faced attacks in Brazil, Kosovo, and Sweden. Media organizations were attacked in Poland and Sweden. This focus indicates that threat actors prioritize disrupting essential public services, critical infrastructure operations, financial systems, and institutions influencing public discourse or national development.
  • Dominance of DDoS: DDoS attacks constituted the vast majority of reported incidents, serving as the primary tool for hacktivist groups seeking disruption, visibility, and political expression.1 The frequent use of third-party validation services like check-host.net to provide “proof” of downtime has become a standard operating procedure for these groups, lending credibility to their claims within their communities.10
  • Underground Economy Activity: Parallel to the hacktivist swarm, the cybercriminal underground remained active, focusing on monetization. The offerings on exploit.in by actors “betway” (selling large alleged data breaches from LLA and Y-Axis) and “decider” (selling high-privilege initial access to a Brazilian firm) exemplify this.5 This highlights the robust ecosystem where compromised data and network access are valuable commodities. Initial Access Brokers like “decider” directly enable subsequent attacks, particularly ransomware campaigns, by providing the necessary foothold 6, while data brokers like “betway” supply the raw materials for phishing, fraud, and identity theft.12
  • Telegram as C2/Comms Hub: Telegram continues to be a critical platform for many threat actors, especially hacktivist collectives. It serves as a channel for command and control (coordinating attacks, distributing tools like DDOSIA 1), recruitment, claiming responsibility for attacks, disseminating propaganda and political messages, and even advertising illicit services like DDoS-for-hire.1
  • Coexistence of Motivations: The simultaneous occurrence of widespread, politically motivated DDoS campaigns and targeted, financially motivated data and access sales within a single 24-hour period clearly illustrates the complex and multifaceted nature of the modern threat landscape. Organizations face concurrent threats from actors with vastly different endgames – some seeking disruption and influence, others seeking direct profit. This necessitates a layered defense strategy capable of addressing both types of threats, as measures effective against DDoS may not prevent sophisticated intrusions leading to data theft or ransomware.

6. Mitigation & Recommendations

Based on the observed threats and TTPs from April 18, 2025, organizations should consider the following mitigation strategies:

  • DDoS Defense:
      • Employ comprehensive DDoS mitigation solutions, including cloud-based scrubbing services and potentially on-premise appliances, capable of absorbing large volumes of malicious traffic.
      • Configure network edge devices (firewalls, routers, load balancers) with appropriate rate limiting, filtering rules, and capacity to withstand volumetric attacks.
      • Implement and properly tune Web Application Firewalls (WAFs) to detect and block sophisticated Layer 7 DDoS attacks targeting application resources, a known tactic of groups like NoName057(16) and Dark Storm Team.10 Radware and other vendors provide specialized solutions.13
      • Establish and regularly test incident response playbooks specifically for handling DDoS events, ensuring rapid detection and mitigation activation.
      • Monitor threat intelligence sources, including public Telegram channels used by hacktivist groups, for early warnings of planned DDoS campaigns.2
  • Preventing Initial Access & Data Breaches:
      • Vulnerability Management: Maintain an aggressive patching cadence for all software, especially internet-facing systems like VPN gateways, RDP servers, web applications, and network appliances. Prioritize vulnerabilities known to be actively exploited by IABs and other threat actors.6 Regularly conduct authenticated and unauthenticated vulnerability scanning.28
      • Credential Security: Enforce strong, unique passwords for all accounts and mandate the use of Multi-Factor Authentication (MFA) across the organization, particularly for remote access (VPN, RDP), cloud services, and privileged accounts. Monitor for signs of credential theft, such as LSASS dumping attempts 6, and leverage threat intelligence to detect compromised credentials originating from stealer malware logs.22 Configure systems to prevent storage of clear text passwords in memory 29 and consider restricting legacy authentication protocols like NTLM where possible.29
      • Secure Remote Access: Harden all remote access solutions. Restrict RDP access to only necessary users and source IPs, require MFA, and monitor RDP logs closely for brute-force attempts or anomalous logins.6 Ensure VPNs are fully patched 24 and configured securely, ideally integrating with MFA and Zero Trust principles.24
      • Endpoint Security: Deploy robust Endpoint Detection and Response (EDR) solutions with anti-tampering features, as actors actively attempt to disable them.6 Supplement EDR with User and Entity Behavior Analytics (UEBA) capabilities to detect deviations from normal activity patterns that may indicate malicious TTPs, even when specific signatures are evaded.6
      • Email Security: Utilize advanced email security gateways with sandboxing and anti-phishing capabilities to block malicious attachments and links, a common initial access vector.7 Conduct regular security awareness training focusing on phishing identification and safe browsing habits.2
      • Network Segmentation: Implement network segmentation to limit the blast radius of a potential compromise. Isolate critical assets and create distinct zones (e.g., IT vs. OT 29), controlling traffic flow between them with strict firewall rules to hinder lateral movement.6
  • Responding to Data Leaks:
      • Actively monitor dark web forums, marketplaces, and threat intelligence feeds for chatter related to the organization, potential breaches, or the sale of corporate data.5
      • If a data breach is suspected or confirmed, activate the incident response plan immediately. This should include containing the breach, preserving evidence, engaging external forensic and legal experts, notifying affected parties and regulatory bodies as required, and implementing remediation measures.21
  • General Recommendations:
      • Ensure comprehensive logging is enabled for critical systems, network devices, and security tools, and centralize logs in a SIEM for correlation and analysis.25
      • Develop, maintain, and regularly exercise incident response plans covering various scenarios, including DDoS, data breaches, and ransomware.
      • Participate in information sharing communities (e.g., ISACs) and maintain relationships with national CERTs to receive and share timely threat intelligence.25
      • Continuously educate employees about evolving cyber threats and their role in maintaining security.2
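
The RDP log monitoring recommended under Secure Remote Access can be prototyped as follows. This is an added example, not part of the original report: the CSV layout, the sample events, the allowed source range and the thresholds are constructed assumptions, while event IDs 4625/4624 and the logon types are standard Windows Security log values. It assumes events arrive in time order and come from RDP-exposed hosts.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: timestamp, Security event ID, logon type, user, source IP.
# 4625 = failed logon, 4624 = successful logon; type 10 = RemoteInteractive (RDP),
# type 3 = network logon (RDP failures under Network Level Authentication land here).
SAMPLE_LOG = """\
2025-04-18T01:00:00Z,4625,3,administrator,203.0.113.50
2025-04-18T01:00:20Z,4625,3,admin,203.0.113.50
2025-04-18T01:00:41Z,4625,3,backup,203.0.113.50
2025-04-18T01:01:05Z,4625,3,svc_sql,203.0.113.50
2025-04-18T01:01:30Z,4625,3,administrator,203.0.113.50
2025-04-18T01:02:10Z,4624,10,administrator,203.0.113.50
2025-04-18T08:15:00Z,4625,10,jdoe,10.20.0.14
2025-04-18T08:15:30Z,4624,10,jdoe,10.20.0.14
2025-04-18T09:40:00Z,4624,10,contractor1,198.51.100.7
"""

ALLOWED_SOURCES = [ip_network("10.20.0.0/16")]  # assumed VPN / jump-host range
FAIL_THRESHOLD = 5                               # assumed tuning values
WINDOW = timedelta(minutes=5)


def detect(log_text, allowed=ALLOWED_SOURCES, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (rule, source_ip, user, timestamp) alerts."""
    alerts = []
    failures = defaultdict(deque)  # source IP -> timestamps of failures inside the window
    bursting = {}                  # source IP -> time of the latest threshold breach
    for ts, event_id, logon_type, user, src in csv.reader(io.StringIO(log_text)):
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if event_id == "4625" and logon_type in ("3", "10"):
            recent = failures[src]
            recent.append(when)
            while when - recent[0] > window:   # slide the window forward
                recent.popleft()
            if len(recent) >= threshold:
                if src not in bursting or when - bursting[src] > window:
                    alerts.append(("brute_force", src, user, ts))
                bursting[src] = when
        elif event_id == "4624" and logon_type == "10":
            # A success right after a failure burst is the highest-priority signal.
            if src in bursting and when - bursting[src] <= window:
                alerts.append(("success_after_brute_force", src, user, ts))
            if not any(ip_address(src) in net for net in allowed):
                alerts.append(("rdp_from_unapproved_source", src, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In production the same three rules would normally be expressed as SIEM correlation searches over the centralized logs rather than run as a script.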

Works cited

  1. NoName057(16) – The Pro-Russian Hacktivist Group Targeting NATO | SentinelOne, accessed April 18, 2025, https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/
  2. NoName057 Threat Actor Profile – Quorum Cyber, accessed April 18, 2025, https://www.quorumcyber.com/wp-content/uploads/2024/04/TI-NoName057-Threat-Actor-Profile-1.pdf
  3. Hackers Take Credit for X Cyberattack – SecurityWeek, accessed April 18, 2025, https://www.securityweek.com/hackers-take-credit-for-x-cyberattack/
  4. Cyberattack Suspected in Worldwide X Outage – ZeroFox, accessed April 18, 2025, https://www.zerofox.com/intelligence-feed/cyberattack-suspected-in-worldwide-x-outage/
  5. SOUTHERN AFRICA – Threat Landscape Report – SOCRadar, accessed April 18, 2025, https://socradar.io/wp-content/uploads/2024/04/Southern-Africa-Threat-Landscape-Report.pdf
  6. #StopRansomware: Medusa Ransomware | CISA, accessed April 18, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
  7. In This Guide – Cybersecurity – LibGuides at University of South Carolina School of Law, accessed April 18, 2025, https://guides.law.sc.edu/cybersecurity/
  8. What are the Types of Cyber Threat Actors? – Sophos, accessed April 18, 2025, https://www.sophos.com/en-us/cybersecurity-explained/threat-actors
  9. Noname057(16) – Wikipedia, accessed April 18, 2025, https://en.wikipedia.org/wiki/Noname057(16)
  10. Dark Storm Team Claims Responsibility for Cyber Attack on X Platform – What It Means for the Future of Digital Security – Check Point Blog, accessed April 18, 2025, https://blog.checkpoint.com/security/dark-storm-team-claims-responsibility-for-cyber-attack-on-x-platform-what-it-means-for-the-future-of-digital-security/
  11. Peoples Cyber Army Of Russia | Threat Actor Profile – Cyble, accessed April 18, 2025, https://cyble.com/threat-actor-profiles/peoples-cyber-army-of-russia/
  12. Data of 500000 Betway gambling customers being allegedly sold on hacker forum, accessed April 18, 2025, https://securityreport.com/data-of-500000-betway-gambling-customers-being-allegedly-sold-on-hacker-forum/
  13. NoName057(16): Pro-Russian Hacktivist Group – Radware, accessed April 18, 2025, https://www.radware.com/cyberpedia/ddos-attacks/noname057(16)/
  14. Pro-Russian Hacktivists Targeting Canadian Organizations – Radware, accessed April 18, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/pro-russian-hacktivists-targeting-canadian-organizations/
  15. Anonymous (hacker group) – Wikipedia, accessed April 18, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)
  16. What Are TTPs? Tactics, Techniques & Procedures – Inside the Mind of a Cyber Attacker, accessed April 18, 2025, https://www.sentinelone.com/blog/inside-the-mind-of-a-cyber-attacker-tactics-techniques-and-procedures-ttps-every-security-practitioner-should-know/
  17. December 16, 2024 Holy League: A Unified Threat Against Western Nations, NATO, India and Israel – Radware, accessed April 18, 2025, https://www.radware.com/getattachment/2a2da1ff-d41e-468a-a263-3b48851ca629/Advisory-Holy-League-Dec-2024.pdf.aspx
  18. Holy League: A Unified Threat Against Western Nations, NATO, India and Israel – Radware, accessed April 18, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/holy-league-a-unified-threat-against-western-nations/
  19. Human Rights Reports: Custom Report Excerpts – United States Department of State, accessed April 18, 2025, https://www.state.gov/report/custom/f1b9f7721c-3/
  20. FREEDOM OF THE PRESS 2015, accessed April 18, 2025, https://freedomhouse.org/sites/default/files/FOTP%202015%20Full%20Report.pdf
  21. AirIndia Data Breach – Tsaaro Consulting, accessed April 18, 2025, https://tsaaro.com/blogs/airindia-data-breach/
  22. Ben Kapon – content writer at kelacyber, accessed April 18, 2025, https://www.kelacyber.com/academy/editorial/team/ben-kapon-3568003/
  23. Global Logistics & Transportation Industry Threat Landscape Report – SOCRadar, accessed April 18, 2025, https://socradar.io/wp-content/uploads/2025/03/Global-Logistics-Transportation-Industry-Threat-Landscape-Report.pdf
  24. Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations – CISA, accessed April 18, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
  25. Cybersecurity and Information Assurance: News – Subject/Research Guides, accessed April 18, 2025, https://libguides.wilmu.edu/c.php?g=247525&p=1649116
  26. #StopRansomware: RansomHub Ransomware – Defend Edge, accessed April 18, 2025, https://www.defendedge.com/aa24-242a/
  27. Russian Threat Actors Targeting the HPH Sector – HHS.gov, accessed April 18, 2025, https://www.hhs.gov/sites/default/files/russian-threat-actors-targeting-the-hph-sector-tlpclear.pdf
  28. Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure | Cyber.gov.au, accessed April 18, 2025, https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/russian-military-cyber-actors-target-us-and-global-critical-infrastructure
  29. Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure | CISA, accessed April 18, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a
  30. What Are TTPs and How Understanding Them Can Help Prevent the Next Incident, accessed April 18, 2025, https://www.exabeam.com/explainers/what-are-ttps/what-are-ttps-and-how-understanding-them-can-help-prevent-the-next-incident/