"Microsoft Attributes 'Prestige' Ransomware Attacks on Ukraine and Poland to Russian Group"

Microsoft has officially linked cyberattacks involving the 'Prestige' ransomware to the Russian hacking group it tracks as IRIDIUM. According to Microsoft, the ransomware was used in a series of attacks targeting the transportation and logistics sectors in Ukraine and Poland last month. The Microsoft Threat Intelligence Center (MSTIC) believes that IRIDIUM most likely carried out the Prestige ransomware-style attack in November 2022. IRIDIUM is a Russia-based threat actor that publicly overlaps with Sandworm; it has been consistently active in the Ukrainian war and has been linked to destructive attacks since the war's start. According to Microsoft, the attribution was based on several indicators, including the infrastructure used in the attacks and forensic artifacts. The company's security team stated that it discovered evidence that IRIDIUM had compromised multiple Prestige victims dating back to March. The group maintained that access prior to October, and Microsoft previously stated that the group behind the attacks had already gained a high level of access to the targeted networks via unknown means. The campaign, according to Microsoft researchers, may highlight a measured shift in IRIDIUM's destructive attack calculus, indicating increased risk to organizations directly supplying or transporting humanitarian or military aid to Ukraine. Russia has used various wipers and ransomware in its cyberattacks on Ukraine and other countries opposing its invasion. Before deploying the ransomware, the attackers were seen using two Remote Code Execution (RCE) tools: the commercial RemoteExec and the open-source Impacket WMIexec. In some environments they used additional tools to extract credentials or gain further access. This article continues to discuss Microsoft's attribution of the Prestige ransomware attacks to the Russia-based threat actor IRIDIUM.
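Because the pre-ransomware stage used Impacket WMIexec, one check a defender can run over process-creation telemetry is to look for the way that tool launches commands: WmiPrvSE.exe spawning cmd.exe, with output redirected to a file under the ADMIN$ share. The following is an added detection example, not code from the article or from Microsoft; the sample events are constructed, and the field names (parent, image, cmdline) are an assumed normalization of Sysmon-style process-creation records.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1666000000.12 2>&1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir"},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo ok"},
]

WMI_HOST = "wmiprvse.exe"
# Default Impacket wmiexec behaviour: stdout/stderr redirected to \\127.0.0.1\ADMIN$\__<timestamp>
ADMIN_SHARE_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)


def _basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(event):
    """Return 'high', 'medium' or None for one process-creation event.

    high:   WmiPrvSE.exe -> cmd.exe with the ADMIN$ output redirection (wmiexec default).
    medium: WmiPrvSE.exe -> cmd.exe without it (also seen with legitimate WMI admin tooling,
            so this tier needs corroboration such as the originating logon/network session).
    """
    if _basename(event["parent"]) != WMI_HOST or _basename(event["image"]) != "cmd.exe":
        return None
    if ADMIN_SHARE_REDIRECT.search(event["cmdline"]):
        return "high"
    return "medium"


def find_wmiexec_like(events):
    """Return (severity, event) pairs for every event that matches either tier."""
    hits = []
    for event in events:
        severity = classify_event(event)
        if severity is not None:
            hits.append((severity, event))
    return hits


if __name__ == "__main__":
    for severity, event in find_wmiexec_like(SAMPLE_EVENTS):
        print(severity, event["cmdline"])
```

The 'medium' tier exists because WmiPrvSE.exe launching cmd.exe is not malicious on its own; correlate it with the preceding DCOM/SMB session from an unexpected host before acting on it.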

The Record reports "Microsoft Attributes 'Prestige' Ransomware Attacks on Ukraine and Poland to Russian Group"