Cyber Incident Victim: Russia's Black Sea Fleet
Date: Feb 2024
Location: Ukraine
Summary
A Ukrainian state-run company suffered a cyberattack in which approximately 2,000 computers were infected with DIRTYMOE, a malware family that gives operators remote access to infected hosts and is commonly used to conduct distributed denial-of-service (DDoS) attacks. Ukrainian authorities attributed the incident to Russian actors in the context of the ongoing conflict; it fits a broader pattern of cyber targeting of Ukrainian critical infrastructure, including earlier attacks on energy, agricultural, and telecommunications entities.
Description
On February 1, 2024, Ukraine's Computer Emergency Response Team (CERT-UA) disclosed a cyberattack affecting approximately 2,000 computers at an unnamed state-run company. The attackers deployed DIRTYMOE, also tracked as PURPLEFOX, a modular malware family that provides remote access to infected systems and is frequently used to launch Distributed Denial-of-Service (DDoS) attacks. CERT-UA established the scale of the compromise by analysing malware samples and examining the attackers' command-and-control (C2) infrastructure. The disclosure followed a series of cyber disruptions affecting Ukrainian state entities in January 2024, including Naftogaz (the national oil and gas company) and the Agriculture Ministry, although CERT-UA did not explicitly link these events. Ukrainian authorities routinely attribute such operations to Russian threat actors, particularly since Russia's full-scale invasion in February 2022; Russian officials have historically declined to comment on allegations of cyberattacks against Ukraine.

DIRTYMOE's deployment gave the attackers persistent access to the compromised systems, which creates the potential for data exfiltration, surveillance, and disruption of operations via its DDoS capability. The incident came weeks after Ukraine's largest mobile operator, Kyivstar, suffered a crippling cyberattack in which the intruders used a compromised employee account to take services offline. The operational impact on the unnamed state firm was not quantified, but an infection of roughly 2,000 systems implies a substantial remediation effort. CERT-UA's public disclosure concentrated on technical indicators of compromise rather than on mitigation measures or recovery timelines. The pattern of attacks against Ukrainian state infrastructure, spanning the energy, telecommunications, and agricultural sectors, is consistent with the historical targeting priorities of Russian-aligned groups during the conflict. No data theft or financial motive was cited for this incident; the malware's DDoS functionality points to service disruption or network degradation as the likely objective.
