Also, Crypter Takedown, Threat Intel Naming Accord and Regulators Ping CrowdStrike

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, Ukraine hacked a Russian warplane maker, Russia is hacking strategically in Ukraine, crypter sites seized and U.S. federal prosecutors moved to seize laundered North Korean IT worker salaries. Regulators probed CrowdStrike over its July 2024 outage, and Microsoft and CrowdStrike carved a Rosetta Stone for threat groups. A Romanian national pleaded guilty in U.S. federal court to a swatting spree, the Lee Enterprises hack exposed personal data and an FBI ransomware vet joined the private sector.
Ukraine Hacks Russian Warplane Maker Tupolev
Ukraine’s military intelligence agency reportedly hacked Russian aerospace giant United Aircraft Corporation, gaining access to internal documentation and design plans related to strategic bombers used in Moscow’s invasion of its European neighbor.
Interfax-Ukraine and the Kyiv Post each reported this week that the cyber unit of Ukraine’s Military Intelligence stole 4.4 gigabytes from UAC’s Tupolev division.
“The value of the data obtained is hard to overstate. There is now virtually nothing secret left in Tupolev’s operations as far as Ukrainian intelligence is concerned,” a source attributed to the Ukrainian intelligence community told the Kyiv Post. “The result will obviously be noticeable both on the ground and in the sky.”
Stolen data includes purchasing data, minutes of closed meetings, personal data of Tupolev staff and the resume of engineers and designers, Interfax reported. Military hackers also reportedly defaced the Tupolev website by adding an image of an owl clasping an airplane in its claws.
Intelligence sources told the news outlets that the exfiltration was a capstone to an extended period of penetration into the Tupolev network, during which military hackers gathered additional telemetry for use in future attacks against Russian defense contractors.
News of the hack came days after Ukrainian President Volodymyr Zelenskyy announced an operation that used explosive drones launched from trucks transported deep into Russia to destroy Russian bombers. The Security Service of Ukraine claimed to have hit a third of the strategic cruise missile carriers located at four main Russian military airfields.
Russia Shifts to Strategic Cyberattacks Combining Sabotage
Russian nation-state groups are increasingly adopting a strategic approach to cyber operations, focusing on integrating real-world sabotage with cyberattacks, said Paul Chichester, director of operations at the UK’s National Cyber Security Centre.
Speaking Tuesday at the Infosecurity Europe 2025 conference, Chichester said Russian hackers have become more deliberate, aligning their cyber activities with military objectives. “They have limited resources, and they focus on what they do in a very targeted way,” he noted.
A recent example is Unit 26165 of Russia’s Main Intelligence Directorate, which launched cyber campaigns targeting internet-connected cameras at Ukrainian logistics and military facilities (see: Russian Intelligence Hackers Stalk Western Logistics Firms).
The same week as Chichester spoke, researchers at Cisco Talos disclosed they observed a destructive attack on a Ukrainian critical infrastructure organization that used a previously unknown wiper malware. Researchers dubbed the malware “PathWiper.”
International Takedown Shuts Major Malware Testing Sites
U.S., Dutch and French law enforcement announced on Friday the seizure of four malware crypting websites: AVCheck.net, Crypt.guru, Cryptor.live and Cryptor.biz. Crypting changes malware's signature without altering its functionality, so a payload that antivirus already detects can be re-wrapped until static scanners no longer flag it. The seizures were part of Operation Endgame, a global campaign targeting cybercriminal networks (see: Initial Access Brokers Targeted in Operation Endgame 2.0).
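To make concrete what "changes malware's signature without altering its functionality" means, the following is an added example written for this roundup; it is not code from the original article or from any of the seized services. It uses a constructed byte blob as a stand-in for a sample and a constructed substring as a stand-in for a static antivirus signature. A repeating-key XOR wrapper (the simplest possible crypter) makes the on-disk bytes miss the signature while the unwrapped payload is byte-for-byte identical. The entropy check at the end shows the defender-side caveat: crypted payloads hide strings but tend to raise file entropy, which is one of the heuristics packers and crypters have to work around.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for a malware sample: arbitrary bytes that contain a
# string a static signature would key on. Not a real binary.
SAMPLE = b"\x4d\x5a\x90\x00" + b"A" * 64 + b"cmd.exe /c whoami" + b"B" * 64

# Constructed static signature, in the spirit of a YARA string rule.
SIGNATURE = b"cmd.exe /c whoami"

# Fixed key so the example is reproducible; a real crypter would draw a
# fresh random key per build so every output has a new hash.
KEY = bytes(range(1, 17))


def signature_hit(blob: bytes, sig: bytes = SIGNATURE) -> bool:
    """Naive static scan: does the signature appear verbatim in the bytes?"""
    return sig in blob


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric, so the same call both wraps and unwraps."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def crypt_sample(blob: bytes, key: bytes = KEY) -> bytes:
    """What a crypter does in principle: emit the key plus the XORed payload.

    A real stub would carry the key and decode in memory at run time; here
    the key is simply prepended so unwrap() can recover the original."""
    return key + xor_crypt(blob, key)


def unwrap(crypted: bytes, key_len: int = len(KEY)) -> bytes:
    """Inverse of crypt_sample(): split off the key and XOR the body back."""
    key, body = crypted[:key_len], crypted[key_len:]
    return xor_crypt(body, key)


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plain text and padded files sit low; encrypted or
    compressed data approaches 8.0, which is what entropy heuristics flag."""
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def demo() -> dict:
    """Run the comparison and return the facts a scanner would care about."""
    crypted = crypt_sample(SAMPLE)
    restored = unwrap(crypted)
    return {
        "original_hit": signature_hit(SAMPLE),      # True: signature present
        "crypted_hit": signature_hit(crypted),      # False: string is gone
        "restored_identical": restored == SAMPLE,   # True: behaviour unchanged
        "hash_changed": sha256_hex(crypted) != sha256_hex(SAMPLE),
        "entropy_original": shannon_entropy(SAMPLE),
        "entropy_crypted": shannon_entropy(crypted),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for defenders is in the last two numbers: the string-based rule fails, but the crypted blob's entropy rises well above the original's, and the payload still has to be decoded to its original bytes in memory before it can run, which is where behavioral and memory-scanning detections pick up what static signatures miss.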
Warrants filed in Houston federal court show that three of the sites connected to a single proxy server in the Netherlands searched by the FBI in December. The fourth site, AVCheck, was hosted by a separate server located in Helsinki – although it still may be part of the same criminal conspiracy.
Federal prosecutors filed seizure warrants for the crypter sites with three domain registries: VeriSign, Spaceship and Identity Digital.
The platforms have been used for more than a decade by hackers to test and perfect malware against antivirus and security tools. The websites were linked to ransomware groups like Ryuk, according to court documents filed in Texas which also say the FBI is investigating the operation. Investigators conducted undercover purchases and confirmed their role in helping cybercriminals obfuscate malware.
Dutch officials called AVCheck one of the largest international counter-antivirus services, essential for deploying effective malware.
US DOJ Moves to Seize $7.7M of Laundered North Korean IT Worker Pay
U.S. federal prosecutors moved to formally seize $7.74 million worth of cryptocurrency aggregated by two North Korean functionaries, Sim Hyon Sop and Kim Sang Man.
North Korea since at least 2020 has deployed covert IT workers as freelance or contract employees for Western tech firms as part of its effort to funnel hard currency into Pyongyang (see: North Korea’s Hidden IT Workforce Exposed in New Report).
In a complaint before the U.S. District Court for the District of Columbia, prosecutors said the moment has come to formally seize digital assets frozen in 2022 and 2023 as part of an FBI investigation into the money trail connecting salaries paid out to North Korean IT workers and the Pyongyang regime. Prosecutors indicted Sim in 2023 (see: US Indicts Chinese National for Laundering DPRK Crypto).
The Thursday complaint depicts Kim, CEO of front company "Chinyong," also known as "Jinyong IT Cooperation Company," as an intermediary for Sim, an official employed by North Korea's Foreign Trade Bank. Blockchain tracing showed that Sim's cryptowallet received nearly $24 million between August 2021 and March 6, 2023, primarily from Binance accounts held by Kim. At the time, Kim was a resident of Vladivostok, Russia, and had established the Binance accounts using two sets of Russian identity documents, prosecutors said.
Chinyong is subordinate to North Korea's Ministry of Defense. The U.S. Department of the Treasury sanctioned the company in May 2023.
Prosecutors told the court that North Korean IT workers prefer to be paid in stablecoins, as opposed to other forms of cryptocurrency. “Stablecoins retain a consistent value, as opposed to other virtual currencies which fluctuate in price on a daily basis,” they said. Stablecoins are also easier to convert into fiat currency.
Regulators Probe Certain CrowdStrike Customer Transactions
Regulators have requested information from CrowdStrike regarding its massive July 2024 outage and the company’s recognition and reporting of revenue for transactions with certain customers.
The Austin, Texas-based platform security behemoth said it is cooperating and providing information in response to requests from the U.S. Department of Justice and the Securities and Exchange Commission. The requests were disclosed by CrowdStrike Chief Financial Officer Burt Podbere during the company's earnings call late Tuesday, as well as in the quarterly report CrowdStrike filed with the SEC on Wednesday.
Bloomberg reported regulators are probing a $32 million deal between CrowdStrike and technology reseller Carahsoft to supply cybersecurity software to the IRS. CrowdStrike has previously said Carahsoft made on-time payments for the order, but the IRS never purchased or received the products. It remains unclear why the companies struck the deal without an IRS purchase.
CrowdStrike didn’t disclose what specifically regulators are probing around its faulty July 19 software update, which disrupted 8.5 million systems, led to longer sales cycles, and resulted in $60 million of expenses between July 2024 and January 2025. A Georgia judge ruled last month that Delta can proceed with most of its suit against CrowdStrike regarding the faulty update that crippled the airline for days (see: Judge Lets Delta Lawsuit Over CrowdStrike Outage Proceed).
The company’s stock is down $26.09 – or 5.3% – to $462.67 per share since earnings were announced.
CrowdStrike and Microsoft Team Up to Avoid Naming Confusion
Each threat intel company has its own nomenclature for threat groups. Russian nation-state threat actors tagged as "Blizzard" by Microsoft get named as variations of "Bear" by CrowdStrike. Eset might call the same Russian group "Tsar Team" while Mandiant prefers bland "APT" plus number designations.
Will they cut it out and use a unified nomenclature system? Ha, no. But CrowdStrike and Microsoft said Monday they will collaborate to match threat group designations. CrowdStrike likened the effort to creating a Rosetta Stone for hacking groups. A Microsoft spokesperson said Google/Mandiant and Palo Alto Networks Unit 42 “will also be contributing to this effort.”
Asked why the alignment effort can’t just result in unified naming conventions, Microsoft responded that “imposing a single standard on the industry would be technologically challenging and may affect intelligence.”
It is true that threat intel companies can disagree on whether activity is properly categorized as part of an existing group or distinct activity – as in Eset’s belief that the group it tracks as FamousSparrow is not the same as Microsoft’s Salt Typhoon (see: Breach Roundup: FamousSparrow Is Back).
Romanian Swatting Ring Leader Pleads Guilty
A Romanian national pleaded guilty in U.S. federal court to leading a years-long online swatting conspiracy that targeted more than 75 public officials, four religious institutions and multiple journalists across the U.S. Thomasz Szabo, 26, and co-conspirators made false emergency reports to provoke armed police responses, including by making bomb threats and calling in false reports of violent situations at households.
According to court documents, Szabo orchestrated threats including a 2020 mass shooting threat against New York City synagogues and a threat in January 2021 to detonate explosives at the U.S. Capitol and kill then-President elect Joe Biden. A spree by his group from December 2023 to January 2024 targeted members of Congress, senior government and law enforcement officials, judges, state officials, religious sites and media members.
Authorities say the attacks caused over $500,000 in taxpayer costs in just two days. Romania extradited Szabo in November 2024. He faces up to 15 years in prison. Sentencing is set for Oct. 23.
Lee Enterprises Ransomware Breach Exposes 40,000 Records
U.S. newspaper publisher Lee Enterprises alerted nearly 40,000 individuals that a ransomware attack in February exposed their personal data. The company, which publishes 77 daily newspapers and hundreds of other titles across 26 states, said attackers accessed documents containing names and Social Security numbers on Feb. 3.
The breach caused widespread network outages, disrupting printing, delivery and internal operations, including VPN and cloud access issues. Lee Enterprises later confirmed the incident involved ransomware that encrypted critical systems and exfiltrated files.
FBI Vet Cynthia Kaiser Joins Halcyon
Cynthia Kaiser, a 20-year FBI veteran who led cyber policy and ransomware takedowns, is joining Halcyon to head its Ransomware Research Center. She’ll focus on threat intelligence and partnerships aimed at disrupting ransomware actors.
Kaiser’s departure comes amid a wave of federal cyber exits and proposed FBI budget cuts totaling $560 million and nearly 1,900 staff. In a statement announcing her transition to the private sector, she called ransomware “big business” driven by increasingly aggressive and sophisticated criminal networks, while describing “an entire ecosystem of sophisticated, motivated, unscrupulous actors who are becoming increasingly aggressive and continually deploying more advanced tools.”
With reporting from Information Security Media Group's Akshaya Asokan in southern England, Chris Riotta in Washington, D.C., Michael Novinson in Massachusetts and David Perera in Northern Virginia.