IDSdarg / Ukraine-Cyber-Operations

Curated Intelligence is working with analysts from around the world to provide useful information to organisations in Ukraine looking for additional free threat intelligence. Slava Ukraini. Glory to Ukraine.

Home Page: https://www.curatedintel.org/


                           %%%%%#########%%%%%                              
                    ###%%%%##                 &%%%                          
               (#####%%          /.. .,,,,&      .%%                        
           //((###            . ...**//((... ,     %%                       
       ***//((               (..***//((...*#,,,     %%                      
   *******                  #(#./((((#......,%#(     %                      
    *****                   @%##....#%%%%%,,%#((     %                      
      ****//                 %%%%,,%%%%%%%**/((     #                       
         *//((#*               %%,%%%%%##((((      %                        
            ((####%               ,((((((/                                  
               #####%%#,                                         **         
                   ##%%%#####                              //**             
                        %%%%#########%.          ######((/                  
                               %%%%%#%%%%%%%%%#####                         
                               
                              by Curated Intelligence      

Ukraine-Cyber-Operations

Analyst Comments:

  • 2022-02-25
    • Creation of the initial repository to help organisations in Ukraine
  • 2022-02-26
    • Additional resources, chronologically ordered (h/t Orange-CD), plus a section on vetted OSINT sources and Miscellaneous resources
  • 2022-02-27
    • Additional threat reports have been added

Threat Reports

| Date | Source | Threat(s) | URL |
| --- | --- | --- | --- |
| 14 JAN | SSU Ukraine | Website Defacements | ssu.gov.ua |
| 15 JAN | Microsoft | WhisperGate wiper | microsoft.com |
| 22 JAN | RaidForums | Data broker "vlakyla" offering Ukrainian citizens' PII (name, phone, email) | RaidForums [not linked] |
| 23 JAN | RaidForums | Data broker "Mont4na" offering UkrFerry | RaidForums [not linked] |
| 23 JAN | RaidForums | Data broker "Mont4na" offering PrivatBank | RaidForums [not linked] |
| 24 JAN | RaidForums | Data broker "Mont4na" offering DTEK | RaidForums [not linked] |
| 27 JAN | RaidForums | Data broker "an3key" offering Ministry for Communities and Territories Development of Ukraine | RaidForums [not linked] |
| 31 JAN | Symantec | Gamaredon/Shuckworm/PrimitiveBear (FSB) | symantec-enterprise-blogs.security.com |
| 2 FEB | RaidForums | Access broker "GodLevel" offering Ukrainian agricultural exchange | RaidForums [not linked] |
| 2 FEB | CERT-UA | UAC-0056 using SaintBot and OutSteel malware | cert.gov.ua |
| 3 FEB | PAN Unit42 | Gamaredon/Shuckworm/PrimitiveBear (FSB) | unit42.paloaltonetworks.com |
| 4 FEB | Microsoft | Gamaredon/Shuckworm/PrimitiveBear (FSB) | microsoft.com |
| 8 FEB | NSFOCUS | Lorec53 | nsfocusglobal.com |
| 15 FEB | CERT-UA | DDoS attacks against the name server of government websites as well as Oschadbank (State Savings Bank) & Privatbank (largest commercial bank). False SMS and e-mails to create panic | cert.gov.ua |
| 23 FEB | The Daily Beast | Ukrainian troops receive threatening SMS messages | thedailybeast.com |
| 23 FEB | UK NCSC | Sandworm/VoodooBear (GRU) | ncsc.gov.uk |
| 23 FEB | SentinelLabs | HermeticWiper | sentinelone.com |
| 24 FEB | ESET | HermeticWiper | welivesecurity.com |
| 24 FEB | Symantec | HermeticWiper | symantec-enterprise-blogs.security.com |
| 24 FEB | Cisco Talos | HermeticWiper | blog.talosintelligence.com |
| 24 FEB | Zscaler | HermeticWiper | zscaler.com |
| 24 FEB | CronUp | Data broker "FreeCvilian" offering multiple .gov.ua | twitter.com/1ZRR4H |
| 24 FEB | RaidForums | Data broker "Featherine" offering diia.gov.ua | RaidForums [not linked] |
| 24 FEB | DomainTools | Unknown scammers | twitter.com/SecuritySnacks |
| 25 FEB | @500mk500 | Gamaredon/Shuckworm/PrimitiveBear (FSB) | twitter.com/500mk500 |
| 25 FEB | @500mk500 | Gamaredon/Shuckworm/PrimitiveBear (FSB) | twitter.com/500mk500 |
| 25 FEB | Microsoft | HermeticWiper | gist.github.com |
| 25 FEB | 360 NetLab | DDoS (Mirai, Gafgyt, IRCbot, Ripprbot, Moobot) | blog.netlab.360.com |
| 25 FEB | Conti [themselves] | Conti ransomware, BazarLoader | Conti News .onion [not linked] |
| 25 FEB | CoomingProject [themselves] | Data Hostage Group | CoomingProject Telegram [not linked] |
| 25 FEB | CERT-UA | UNC1151/Ghostwriter (Belarus MoD) | CERT-UA Facebook |
| 25 FEB | Sekoia | UNC1151/Ghostwriter (Belarus MoD) | twitter.com/sekoia_io |
| 25 FEB | @jaimeblascob | UNC1151/Ghostwriter (Belarus MoD) | twitter.com/jaimeblasco |
| 25 FEB | RISKIQ | UNC1151/Ghostwriter (Belarus MoD) | community.riskiq.com |
| 25 FEB | MalwareHunterTeam | Unknown phishing | twitter.com/malwrhunterteam |
| 25 FEB | ESET | Unknown scammers | twitter.com/ESETresearch |
| 25 FEB | BitDefender | Unknown scammers | blog.bitdefender.com |
| 25 FEB | SSSCIP Ukraine | Unknown phishing | twitter.com/dsszzi |
| 25 FEB | RaidForums | Data broker "NetSec" offering FSB (likely SMTP accounts) | RaidForums [not linked] |
| 25 FEB | Zscaler | PartyTicket decoy ransomware | zscaler.com |
| 25 FEB | INCERT GIE | Cyclops Blink, HermeticWiper | linkedin.com [Login Required] |
| 25 FEB | Proofpoint | UNC1151/Ghostwriter (Belarus MoD) | twitter.com/threatinsight |
| 26 FEB | BBC Journalist | A fake Telegram account claiming to be President Zelensky is posting dubious messages | twitter.com/shayan86 |
| 26 FEB | CERT-UA | UNC1151/Ghostwriter (Belarus MoD) | CERT_UA Facebook |
| 26 FEB | MHT and TRMLabs | Unknown scammers, linked to ransomware | twitter.com/joes_mcgill |
| 26 FEB | US CISA | WhisperGate wiper, HermeticWiper | cisa.gov |
| 26 FEB | Bloomberg | Destructive malware (possibly HermeticWiper) deployed at Ukrainian Ministry of Internal Affairs & data stolen from Ukrainian telecommunications networks | bloomberg.com |
| 26 FEB | Vice Prime Minister of Ukraine | IT ARMY of Ukraine created to crowdsource offensive operations against Russian infrastructure | twitter.com/FedorovMykhailo |
| 26 FEB | Yoroi | HermeticWiper | yoroi.company |

Vendor Support

| Vendor | Offering | URL |
| --- | --- | --- |
| Dragos | Access to Dragos service if from US/UK/ANZ and in need of ICS cybersecurity support | twitter.com/RobertMLee |
| GreyNoise | Any and all Ukrainian emails registered to GreyNoise have been upgraded to VIP which includes full, uncapped enterprise access to all GreyNoise products | twitter.com/Andrew___Morris |
| Recorded Future | Providing free intelligence-driven insights, perspectives, and mitigation strategies as the situation in Ukraine evolves | recordedfuture.com |
| Flashpoint | Free Access to Flashpoint’s Latest Threat Intel on Ukraine | go.flashpoint-intel.com |
| ThreatABLE | A Ukraine tag for free threat intelligence feed that's more highly curated to cyber | twitter.com/threatable |
| Orange | IOCs related to Russia-Ukraine 2022 conflict extracted from our Datalake Threat Intelligence platform. | github.com/Orange-Cyberdefense |
| FSecure | F-Secure FREEDOME VPN is now available for free in all of Ukraine | twitter.com/FSecure |
| Multiple vendors | List of vendors offering their services to Ukraine for free, put together by @chrisculling | docs.google.com/spreadsheets |
| Mandiant | Free threat intelligence, webinar and guidance for defensive measures relevant to the situation in Ukraine. | mandiant.com |
| Starlink | Satellite internet constellation operated by SpaceX providing satellite Internet access coverage to Ukraine | twitter.com/elonmus |

Vetted OSINT Sources

| Handle | Affiliation |
| --- | --- |
| @KyivIndependent | English-language journalism in Ukraine |
| @IAPonomarenko | Defense reporter with The Kyiv Independent |
| @KyivPost | English-language journalism in Ukraine |
| @Shayan86 | BBC World News Disinformation journalist |
| @Liveuamap | Live Universal Awareness Map (“Liveuamap”) independent global news and information site |
| @DAlperovitch | The Alperovitch Institute for Cybersecurity Studies, Founder & Former CTO of CrowdStrike |
| @COUPSURE | OSINT investigator for Centre for Information Resilience |
| @netblocks | London-based Internet observatory |

Miscellaneous Resources

| Source | URL | Content |
| --- | --- | --- |
| PowerOutages.com | https://poweroutage.com/ua | Tracking power outages across Ukraine |
| Monash IP Observatory | https://twitter.com/IP_Observatory | Tracking IP address outages across Ukraine |
