Connect with us

Hi, what are you looking for?



Microsoft Links Prestige Ransomware Attacks to Russian State-Sponsored Hackers

Microsoft has attributed the recently observed Prestige ransomware attacks to a Russian state-sponsored hreat actor tracked as Iridium.

Microsoft has attributed the recently observed Prestige ransomware attacks to a Russian state-sponsored hreat actor tracked as Iridium.

Initially detailed in October, the Prestige ransomware has been used in attacks against transportation and related logistics organizations in Ukraine and Poland, with some of the victims previously infected with the destructive HermeticWiper malware (FoxBlade).

At the time, Microsoft said that the attacks did not appear to be related to known ransomware campaigns, despite the use of development techniques like those used in recent destructive attacks in Ukraine.

On November 10, however, the tech giant updated its initial blog on Prestige with attribution information, saying that the threat actor behind the attacks, initially tracked as DEV-0960, is, in fact, Iridium.

“Iridium is a Russia-based threat actor tracked by Microsoft, publicly overlapping with Sandworm, that has been consistently active in the war in Ukraine and has been linked to destructive attacks since the start of the war. This attribution assessment is based on forensic artifacts, as well as overlaps in victimology, tradecraft, capabilities, and infrastructure, with known Iridium activity,” Microsoft says.

The tech giant has evidence that, between March and October 2022, Iridium actively compromised multiple organizations that were then infected with Prestige.

“The Prestige campaign may highlight a measured shift in Iridium’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine,” Microsoft says.

Advertisement. Scroll to continue reading.

The tech giant also warns that Iridium could become a major risk to Eastern European organizations that Russia might view as providing support relating to the war.

Sandworm, which is also tracked as APT28, Fancy Bear, Sednit, Sofacy, and Voodoo Bear, is believed to be part of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

Previously, the threat actor was blamed for cyberattacks such as BlackEnergy and Industroyer (both targeting Ukraine), and the 2017 NotPetya operation.

Related: New ‘Cyclops Blink’ Malware Linked to Russian State Hackers Targets Firewalls

Related: New ‘Prestige’ Ransomware Targets Transportation Industry in Ukraine, Poland

Related: Russian Use of Cyberweapons in Ukraine and the Growing Threat to the West

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.