Spain, the third most attacked country by pro-Russian hacktivist groups

2024 / 11 / 28
In the third quarter of 2024, attacks by cybercriminals against Spain increased, and the country is the third most affected by hacktivism in the world. The arrest of members of a hacker network and the subsequent creation of the so-called Holy League by 70 pro-Russian hacktivists have seriously compromised the guarantee of cybersecurity in Spain, according to ZIUR's latest Cyber Intelligence Report.

ZIUR identifies in its Cyber Intelligence Report 93,103 computers exposed to the Internet in the Basque Country

Cybercriminal attacks targeting Spain have increased throughout the third quarter of 2024, making the country the third most affected by hacktivism in the world. The arrest of members of a hacker network and the subsequent creation of the ‘Holy League’ by 70 pro-Russian hacktivists have seriously compromised cybersecurity in Spain, according to the latest Cyber Intelligence Report from ZIUR, the Gipuzkoa Industrial Cybersecurity Centre belonging to the Provincial Council.

Spain has thus suffered an “unprecedented” impact due to a combination of denial of service attacks from pro-Russian groups and the disclosure on clandestine forums of potentially stolen confidential information from various organisations. The report reveals that the most affected sectors in Spain have been government, maritime and financial, a pattern that is repeated throughout Europe. The main actors that have carried out attacks against Spanish infrastructures are ‘NoName057(16)’, a pro-Russian hacktivist group motivated mainly by its political ideology, and ‘CyberArmyofRussia’, which coordinates with the first group to carry out more powerful attacks and cause greater impact.

The ZIUR Cyber Intelligence Report also shows that a total of 31 alleged data leaks regarding Spanish organizations and institutions have been detected in clandestine forums and Telegram channels throughout the third quarter, with public administration, education and technology being the most affected sectors. “For several months, these cybercriminals have shown a marked preference for attacking targets in Spain and, between them, they comprise more than 30% of the leaks detected. This suggests the possible existence of a connection between the cybercriminals, which could indicate that they are part of a coordinated organization that has been carrying out a campaign specifically directed against Spain for some time,” the ZIUR document states. In contrast, during the third quarter of the year, no posts have been detected in forums or Telegram channels referring to companies belonging to the state industrial sector.

Main ransomware and vulnerabilities

Regarding ransomware, Ransomhub has become the group with the greatest impact in the world. In Spain, however, the standout is Madiliberator, a recently emerged group that has become the most active actor. Despite this, Ransomhub has been the actor that has carried out the most attacks against the Spanish industrial sector.

Finally, a negative trend has been detected in the publication of vulnerabilities, although the percentage of critical vulnerabilities published during this period has increased. Specifically, the Cybersecurity and Infrastructure Security Agency (CISA) has reported a total of 271 vulnerabilities in this quarter, affecting the main software manufacturers focused on operating systems.

Exposed surface in the Basque Country

Using mass network scanning tools, 93,103 computers exposed to the Internet have been identified in the Basque Country, as highlighted in this report. The report states that the main vulnerability identified, known as 'Freak', allows an attacker to decrypt secure communications between vulnerable clients and servers.

As for campaigns, one by a Chinese group has been detected against the transport, logistics, technology and automotive sectors in Spain, the United Kingdom, Italy, Turkey, Taiwan and Thailand, along with a phishing campaign against the mining and manufacturing sectors, both historically relevant in the Basque Country.