Contents
01. News Bites
- UNC5812: Russian Cyber Campaign Targets Android and Windows Users in Espionage and Influence Operation
- Peru’s Interbank confirms data breach as hacker leaks sensitive customer information online
- Canada's CSE reveals Chinese and Indian state-backed cyber attacks targeting government and private sectors
- Dutch Police dismantle Redline and Meta Malware networks in major international cybercrime crackdown
- Italy's National Security database breach exposes data of 800,000, including top officials
02. Conclusion
UNC5812: Russian Cyber Campaign Targets Android and Windows Users in Espionage and Influence Operation
Security researchers from Google’s Threat Analysis Group (TAG) and Mandiant have exposed a Russian cyber campaign, tracked as UNC5812, that targets both Android and Windows users. Active since September 2024, the operation combines espionage and influence activity under a "Civil Defense" persona that runs a Telegram channel and an associated website used to distribute malware. Posing as a free software provider, the persona offers what it claims are mapping tools for locating military recruiters in Ukraine; the downloads instead deliver malware for the victim’s platform.
UNC5812’s influence arm uses Ukrainian-language Telegram channels to spread narratives opposing Ukraine’s military mobilisation. Its promoted posts aim to erode support for mobilisation within Ukraine by inserting pro-Russian sentiment into otherwise legitimate news feeds. Google’s TAG confirms the operation is ongoing, with Ukrainian-language channels promoting its posts as recently as 8 October. Researchers believe UNC5812 is actively expanding into new communities, which could prolong the disinformation campaign.
Peru’s Interbank confirms data breach as hacker leaks sensitive customer information online
Interbank, one of Peru's foremost banks, has confirmed a data breach following an attack by a threat actor who leaked customer data online. Interbank, formerly known as Banco Internacional del Perú, serves over 2 million customers.
“We have identified that some data of a group of clients has been exposed by a third party without our authorisation,” Interbank stated, adding that they have implemented additional security measures to protect customer information. Despite intermittent downtime on the bank’s app and online platforms, Interbank assures customers that most services are back online and deposits are secure.
The breach came to light when a threat actor using the handle “kzoldyck” offered the stolen data for sale on hacking forums, including customers’ names, account details, credit card information, and plaintext credentials. The attacker claims the data spans more than 3 million accounts and includes sensitive internal credentials. Although the bank reportedly engaged in negotiations, it ultimately refused to meet the extortion demand. Because the leaked credentials are reportedly in plaintext, affected customers should treat those passwords as compromised anywhere they were reused.
Canada's CSE reveals Chinese and Indian state-backed cyber attacks targeting government and private sectors
Canada’s Communications Security Establishment (CSE) has reported ongoing cyber operations against Canadian government networks by state-backed actors, notably from the People's Republic of China (PRC). Over the past five years, these intrusions have aimed to gather political and commercial intelligence serving China’s strategic interests, including espionage, intellectual property theft, and transnational repression.
The CSE’s National Cyber Threat Assessment reveals that PRC actors compromised at least 20 Canadian government networks, focusing on officials critical of the Chinese Communist Party (CCP). One operation targeted the Interparliamentary Alliance on China. Canada’s private sector has also been affected, with state actors allegedly targeting industries developing cutting-edge technology, including 6G, quantum computing, and Web 3.0.
The report also identifies India as a rising cyber threat, linking the activity to diplomatic tensions that followed Canadian accusations of Indian involvement in the killing of Sikh activist Hardeep Singh Nijjar in Canada. Indian-aligned hacktivists subsequently targeted Canadian military and parliamentary networks.
Dutch Police dismantle Redline and Meta Malware networks in major international cybercrime crackdown
The Dutch National Police have dismantled the network infrastructure behind the Redline and Meta infostealer malware in "Operation Magnus," a coordinated effort with the FBI and other international law enforcement agencies. Redline and Meta, both notorious infostealers, harvest sensitive information from browsers, such as login credentials, authentication cookies, cryptocurrency wallets, and browsing history, which cybercriminals later sell or use to carry out data breaches, ransomware attacks, and cyberespionage. Because stolen session cookies can be replayed to bypass password and MFA checks, remediation after an infostealer infection means invalidating active sessions as well as resetting passwords.
Announced on a dedicated website, Operation Magnus warns that the seized data may lead to arrests. Authorities now hold detailed records, including account credentials, IP addresses, and other data relating to the malware’s operators and customers. Law enforcement also obtained the source code of both strains along with the licence servers, API services, and Telegram bots associated with them.
Dutch police have begun notifying cybercriminals via forum posts, reminding them that they are being monitored. Further updates and potential arrest announcements are expected shortly, marking a significant setback for the infostealer ecosystem.
Italy's National Security database breach exposes data of 800,000, including top officials
A data breach of Italy's national security database has exposed sensitive information on 800,000 individuals, including high-profile figures such as President Sergio Mattarella and former Prime Minister Matteo Renzi, as reported by The Cyber Express. Milan-based investigations firm Equalize, led by former police official Carmine Gallo, is accused of orchestrating the intrusions between 2019 and March 2024. Prosecutors allege that Gallo, together with co-conspirators Nunzio Samuele Calamucci, Massimiliano Camponovo, and Giulio Cornelli, obtained the data through bribed police officers, remote access trojans, and Interior Ministry maintenance staff who provided unauthorised access.
Authorities are also investigating potential links to Luxottica heir Leonardo Maria Del Vecchio and former Lehman Brothers banker Matteo Arpe. The incident has triggered extensive task force deployments and prompted Italian lawmakers to call for a comprehensive review of the Interior Ministry’s cybersecurity protocols in response to the breach’s far-reaching implications.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.