Notorious Russian military hacking crew behind October ransomware attacks on Ukraine, Poland

Researchers at Microsoft said a ransomware attack on transportation and logistics companies was the work of Russian military intelligence
Huge queues of trucks and cars are seen near the Polish-Ukrainian border on June 30, 2022. (JANEK SKARZYNSKI / AFP)

Researchers at Microsoft said Thursday that an attack on transportation and logistics companies in Ukraine and Poland last month was the work of a notorious Russian military intelligence unit.

The Oct. 11 attack, dubbed “Prestige,” deployed ransomware intended to cripple access to computers across the organizations it targeted. Where it succeeded, the victims were effectively locked out of their own computer systems.

By targeting logistics and transportation companies, the Russian military intelligence hackers responsible for the attack may have been attempting to stymie the flow of goods and materiel into Ukraine, where Russian forces have in recent months suffered a series of military setbacks.

The flow of goods into Ukraine from partner countries has been a key way for Ukraine to get the supplies it needs, and attacking computer infrastructure in Poland — a NATO ally — represents one of the few ways Russia can retaliate against Ukraine’s logistics partners.


The group behind the attacks — tracked by Microsoft’s Threat Intelligence Center (MSTIC) as “Iridium” but known widely as “Sandworm” — is the same group that attempted to take out multiple electricity substations and other parts of a grid serving 2 million people on April 8 in Ukraine.

Microsoft, which investigated the attack in collaboration with Ukraine’s Computer Emergency Response Team, first disclosed the Prestige ransomware attacks on Oct. 14. It noted at the time that the victims resembled those of “recent Russian state-aligned activity, specifically on affected geographies and countries,” and that they overlapped with earlier victims of the wiper malware dubbed HermeticWiper, one of several destructive malware strains launched against Ukrainian targets in the days immediately following the Russian invasion.

“The Prestige campaign may highlight a measured shift in IRIDIUM’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine,” the researchers said Thursday in an update to their blog post from Oct. 14. “More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war.”

Jean-Ian Boutin, the director of threat research for Slovakian cybersecurity company ESET, said the attribution to the Russian unit was expected.

“Sandworm has been conducting destructive attacks for years now so the idea of them being behind Prestige ransomware is not surprising,” Boutin said. “In 2018, we reported some of their actions leveraging malware such as GreyEnergy against Polish organizations so this is also in line with their past actions.”

Russia launched its full-scale invasion of Ukraine on Feb. 24, 2022. Before, during and after the military campaign began, the CyberScoop staff has been tracking the cyber dimensions of the conflict.

This story was featured in CyberScoop Special Report: War in Ukraine
