Cyber Incident Victim: KP in Ukraine
Date:
Oct 2022
Location:
Ukraine
Summary
A newly identified ransomware variant named Prestige targeted organizations in Ukraine's transportation and logistics sectors, with additional victims in Poland. The attack disrupted operations by encrypting files across multiple entities within roughly the same hour. Microsoft initially tracked the actor as DEV-0960 and later attributed the activity to IRIDIUM, noting technical overlaps with earlier Russian state-aligned attacks on the same victim set. The incident coincided with missile strikes in Ukraine, suggesting possible coordination between cyber and kinetic military operations. The deployment used tailored tactics for rapid, near-simultaneous encryption across compromised networks, indicating deliberate disruption rather than financial motivation.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In October 2022, a ransomware campaign designated Prestige emerged, targeting organizations in Ukraine and Poland. Microsoft Threat Intelligence first observed it on October 11, 2022, initially tracked the actor as DEV-0960, and later attributed the activity to IRIDIUM. The attacks hit the transportation and logistics sectors, with victims including organizations managing critical supply chain operations. The intrusions were multi-stage: the actor already held highly privileged credentials (up to Domain Admin) on the target networks before the ransomware was deployed, conducted reconnaissance to identify high-value systems, and used remote execution tooling such as Impacket WMIexec to move laterally. Prestige itself was deployed in several ways, including copying the payload to an administrative share and launching it through a scheduled task, running it through an encoded PowerShell command, and pushing it to the domain through a Group Policy Object. The payload encrypted files with AES (via the CryptoPP library), appended the .enc extension, dropped a README ransom note, and ran vssadmin and wbadmin to delete volume shadow copies and the Windows backup catalog so that victims could not recover locally. No data theft or extortion negotiation was described in public reporting, consistent with a disruptive rather than financially motivated operation. Microsoft observed overlaps in tradecraft with previous operations against the same victims but assessed Prestige as a distinct variant based on its encryption mechanism and deployment patterns.

The incident disrupted operations at multiple logistics companies, causing temporary interruptions to cargo transportation routes in affected regions. Microsoft's detection systems identified anomalous authentication patterns and the remote-execution activity that preceded deployment, triggering alerts to targeted organizations. Response actions included containment measures to isolate infected systems and prevent further lateral movement. Microsoft shared indicators of compromise (IoCs) with industry partners and law enforcement agencies to enable broader threat hunting. Forensic analysis showed that the attackers relied on existing administrative tooling, including PowerShell (often with encoded commands), PsExec-style remote service execution and Impacket, blending with legitimate administrative traffic. Data recovery involved restoring systems from offline or off-host backups where available; because the payload deleted shadow copies and the backup catalog before encrypting, some organizations reported partial data loss. No ransom payment demands or negotiation channels were publicly disclosed by the affected entities during the initial reporting period. Cybersecurity authorities in Ukraine and Poland collaborated with private-sector responders to analyze attack patterns and attribute the campaign.
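The execution tradecraft described above (PsExec-style remote service installation, encoded PowerShell, and pre-encryption destruction of shadow copies and the backup catalog) is the part of this campaign that is easiest to hunt for in endpoint telemetry. The following is an added example, not code from Microsoft or from the original page: a small hunting script that runs three detection rules over constructed sample Windows events (Service Control Manager event 7045 and Security event 4688 process creations, modelled as dicts). The sample events, host names and user names are invented for illustration; the command strings match the publicly described Prestige behaviour.

```python
"""Hunt Windows event records for Prestige-style execution and backup-destruction tradecraft.

Added example. The SAMPLE_EVENTS below are constructed, not real telemetry; field names
loosely follow Security (4688) and System (7045) log attributes.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# powershell.exe accepts the encoded-command switch in several abbreviated forms.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Shadow-copy and backup-catalog deletion observed in the Prestige payload.
DESTRUCTION = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wbadmin(?:\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)


def encode_ps(command: str) -> str:
    """Encode a command the way `powershell -EncodedCommand` expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded payload of an encoded PowerShell command line, or None if absent/invalid."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def hunt(events: List[dict]) -> List[Finding]:
    """Apply three rules and return every hit; one event may produce more than one finding."""
    findings: List[Finding] = []
    for ev in events:
        host, cmd = ev["host"], ev.get("cmd", "")
        # Rule 1: PsExec installs a service named PSEXESVC on the target (event 7045).
        if ev["id"] == 7045 and "psexesvc" in (ev.get("service", "") + ev.get("image", "")).lower():
            findings.append(Finding(host, "psexec_service_install", ev.get("image", "")))
        if ev["id"] == 4688:
            # Rule 2: encoded PowerShell; decode it so later rules see the real command.
            decoded = decode_encoded_powershell(cmd)
            if decoded is not None:
                findings.append(Finding(host, "encoded_powershell", decoded))
            # Rule 3: shadow-copy / backup-catalog deletion, plain or inside the decoded payload.
            effective = decoded if decoded is not None else cmd
            if DESTRUCTION.search(effective):
                findings.append(Finding(host, "backup_destruction", effective))
    return findings


# Constructed sample events (hypothetical hosts and users).
SAMPLE_EVENTS = [
    {"id": 7045, "host": "LOG-SRV01", "user": "SYSTEM", "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"id": 4688, "host": "LOG-SRV01", "user": r"CORP\svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc " + encode_ps("vssadmin delete shadows /all /quiet")},
    {"id": 4688, "host": "DC01", "user": r"CORP\da_admin",
     "image": r"C:\Windows\System32\wbadmin.exe",
     "cmd": r"C:\Windows\System32\wbadmin.exe delete catalog -quiet"},
    {"id": 4688, "host": "WKS-17", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\rotate-logs.ps1"},
    {"id": 7045, "host": "WKS-17", "user": "SYSTEM", "service": "CorpAgent",
     "image": r"C:\Program Files\CorpAgent\agent.exe"},
    {"id": 4688, "host": "WKS-22", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoP -NonI -W Hidden -EncodedCommand " + encode_ps("Get-Date")},
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:10} {f.rule:24} {f.detail}")
```

Rule 2 fires on every encoded command, including the benign Get-Date, which is deliberate: encoded PowerShell is worth a look on its own, but the combination with rule 3 on the same host is the high-confidence signal, since a legitimate administrator rarely hides a shadow-copy deletion inside a base64 blob.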
