Today the US Treasury imposed sanctions on Russia's Central Scientific Research Institute of Chemistry and Mechanics, the organization that exactly two years ago was revealed to have played a role in the hacking operation that used the malware known as Triton or Trisis, intended to sabotage the Petro Rabigh refinery's safety devices.
The targets include many election-adjacent organizations, according to researchers at Microsoft's Threat Intelligence Center, including political campaigns, advocacy groups, think tanks, political parties, and political consultants serving both Republicans and Democrats.
The propagandists have created and disseminated disinformation since at least March 2017, with a focus on undermining NATO and the US troops in Poland and the Baltics; they’ve posted fake content on everything from social media to pro-Russian news websites.
"These actors have been observed attempting to identify and illicitly obtain valuable intellectual property and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with Covid-19-related research," the joint announcement says.
But today, the global map of zero-day hacking has expanded far beyond the United States, Russia, and China, as more countries than ever buy themselves a spot on it.
Last August, researchers from the threat intelligence firm FireEye uncovered a vast social media influence campaign, conducted by a network of inauthentic news outlets and fake personas with ties to Iran.
In those investigations, FireEye says it's identified a collection of custom malicious software that the Triton hackers used, tools that allowed the hackers to patiently advance their intrusion as they worked to gain access to the victims' industrial control systems.
LockerGoga, which was named for a file path in its source code by security research group MalwareHunterTeam, remains relatively rare and targeted compared to older forms of ransomware like SamSam and Ryuk, says Charles Carmakal, who leads a team of incident responders at FireEye who have dealt with multiple infestations.
It's not uncommon to see them come out with a new variant or a totally new malware family."
Palo Alto Networks researchers have only found one sample of the special Cannon-laced malicious document so far, but it was part of a broader APT 28 phishing campaign they observed that focused on government targets in North America, Europe, and a former USSR state that the company declined to name.
Meanwhile, investigators at FireEye observed an extensive phishing campaign launched last week that appears to come from APT 29 hackers, also called Cozy Bear.