Cyber Incident Victim: Russia's Black Sea Fleet

Date: Oct 2022

Location: Ukraine

Summary

A ransomware campaign employing the newly identified Prestige malware targeted logistics and transportation companies in Ukraine and Poland, disrupting operations through simultaneous data destruction and system encryption. Attackers used compromised credentials to deploy the ransomware across victim networks, causing significant service interruptions. Microsoft attributed this activity to IRIDIUM, a Russian state-sponsored threat group historically linked to the country's military intelligence, and noted that its focus on critical supply chain infrastructure coincided with heightened geopolitical tensions. The incident marked a rare instance of ransomware being deployed by nation-state actors, blending disruptive cyber operations with destructive objectives against strategic sectors.


Description

On October 11, 2022, a newly identified ransomware variant dubbed "Prestige" targeted organizations in Ukraine and Poland, primarily within the transportation and logistics sectors. Microsoft's security researchers observed initial attack activity as early as October 8, with the ransomware payloads deployed three days later. The campaign employed a two-stage compromise strategy, first breaching targeted IT environments before shifting focus to operational technology (OT) assets critical for supply chain operations. Attackers utilized living-off-the-land binaries (LOLBins) including Impacket and RemCom for lateral movement across networks, alongside credential theft tools like Mimikatz. A distinctive tactic involved creating new local administrator accounts named "dbadmin" across compromised systems to maintain persistence. The ransomware encrypted files using extensions such as .encryptedBrand and .encryptedRush, while dropping ransom notes titled HOW_TO_RECOVER.txt. Forensic analysis revealed the attacks coincided with missile strikes against Ukrainian infrastructure, suggesting potential coordination with kinetic military operations.


The incident disrupted critical supply chains, particularly fuel transportation systems in both countries. Microsoft attributed the campaign to the threat actor IRIDIUM, a group historically associated with Russia's military intelligence apparatus. The attackers demonstrated a precise geographic focus, with 89% of impacted systems located in Ukraine and the remaining 11% in Poland. Microsoft's Defender Threat Intelligence team detected the novel ransomware behavior through telemetry analysis and promptly notified affected organizations. Response efforts included containment measures to isolate infected systems and prevent further lateral movement. The ransomware's deliberate targeting of logistics infrastructure exacerbated wartime commodity shortages, particularly in diesel fuel distribution channels. Security teams worked to remove unauthorized "dbadmin" accounts and to restore encrypted operational data from backups where available. The incident represented the first identified ransomware campaign directly linked to the Russo-Ukrainian conflict that simultaneously affected organizations in multiple countries.
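As an added example that is not part of this incident record, the following Python triage script flags the host artifacts named in the description above (creation of a "dbadmin" local administrator, files carrying the .encryptedBrand and .encryptedRush extensions, and the HOW_TO_RECOVER.txt ransom note) and lists the hosts a responder would isolate, as in the containment step described. The telemetry is constructed and uses an assumed "host event detail" line format, not a real product's log schema.

```python
import re

# Artifacts named in the incident description above.
SUSPECT_ACCOUNT = "dbadmin"
ENCRYPTED_EXTS = (".encryptedbrand", ".encryptedrush")  # compared case-insensitively
RANSOM_NOTE = "how_to_recover.txt"

# Constructed sample telemetry (not real logs), one event per line: "<host> <event> <detail>".
SAMPLE_LOG = """\
srv-logi-01 ACCOUNT_CREATED dbadmin
srv-logi-01 GROUP_ADD dbadmin Administrators
srv-logi-02 ACCOUNT_CREATED svc_backup
srv-logi-02 FILE_WRITE C:\\shares\\routes\\manifest.xlsx.encryptedRush
srv-logi-02 FILE_WRITE C:\\shares\\routes\\HOW_TO_RECOVER.txt
srv-ot-03 FILE_WRITE C:\\scada\\config.ini.EncryptedBrand
srv-ot-03 FILE_WRITE C:\\scada\\report.pdf
"""

def classify(event, detail):
    """Map one event to an indicator label, or None if it matches nothing."""
    if event == "ACCOUNT_CREATED" and detail.lower() == SUSPECT_ACCOUNT:
        return "persistence:dbadmin_created"
    if event == "GROUP_ADD":
        user, _, group = detail.partition(" ")
        if user.lower() == SUSPECT_ACCOUNT and group.lower() == "administrators":
            return "persistence:dbadmin_local_admin"
    if event == "FILE_WRITE":
        name = re.split(r"[\\/]", detail)[-1].lower()  # basename, either separator
        if name.endswith(ENCRYPTED_EXTS):
            return "impact:encrypted_file"
        if name == RANSOM_NOTE:
            return "impact:ransom_note"
    return None

def find_indicators(log_text):
    """Return {host: [labels...]} for every host that shows a Prestige artifact."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # blank or malformed line
        host, event, detail = parts
        label = classify(event, detail)
        if label:
            hits.setdefault(host, []).append(label)
    return hits

def hosts_to_contain(hits):
    """Sorted list of hosts with any indicator, i.e. candidates for isolation."""
    return sorted(hits)

if __name__ == "__main__":
    print(hosts_to_contain(find_indicators(SAMPLE_LOG)))
```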
