Pro‑Ukraine Hacktivist Groups BO Team and Head Mare Coordinate Phishing‑Based Attacks on Russian Manufacturing, Telecom and Energy Firms
What Happened — Researchers at Kaspersky observed that the pro‑Ukraine hacktivist group BO Team (aka Black Owl) is now sharing command‑and‑control infrastructure and tooling with the Head Mare group. The collaboration appears to involve a multi‑stage operation: Head Mare delivers initial access via phishing, then BO Team deploys backdoors (BrockenDoor, Remcos, DarkGate) to expand footholds and conduct espionage.
Why It Matters for TPRM —
- Hacktivist activity can spill over to third‑party suppliers, exposing downstream customers to data loss or service interruption.
- Shared infrastructure raises the risk that compromised assets in one vendor’s supply chain may be leveraged to attack another.
- Phishing‑based entry points highlight the need for robust email security and credential hygiene across all partners.
Who Is Affected — Russian organizations in manufacturing, telecommunications, oil & gas, as well as any foreign vendors providing services or software to those sectors.
Recommended Actions —
- Review any contracts or data flows with Russian‑based suppliers for exposure to hacktivist activity.
- Verify that all third‑party vendors enforce MFA, run phishing‑awareness training, and operate endpoint detection and response.
- Monitor for indicators of compromise (IOCs) associated with BrockenDoor, Remcos, DarkGate, PhantomDL, and PhantomCore.
Technical Notes — Attack vector: targeted phishing emails carrying malicious documents. Malware families: BrockenDoor, Remcos, DarkGate (BO Team) and PhantomDL, PhantomCore (Head Mare). No specific CVEs were disclosed. The operation leverages shared C2 servers hosted on compromised machines, so the same infrastructure indicators may appear in the telemetry of more than one victim or supplier. Source: The Record
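The two defender-side points above, monitoring for IoCs tied to the named malware families and the fact that BO Team and Head Mare share C2 infrastructure, can be combined into one check: match vendor proxy telemetry against an indicator list, then flag any indicator contacted from more than one vendor environment, since that overlap is exactly what shared C2 produces. The script below is an added illustration, not code from Kaspersky, The Record or either hacktivist group. The indicator values are placeholders in reserved documentation ranges, the log lines and the `vendorA`/`vendorB`/`vendorC` environment names are constructed, and the log format is an assumed five-field proxy layout; the brief publishes no real IoCs, so a practitioner would substitute vendor-supplied indicators.

```python
"""Added example (not from the original brief): match placeholder IoCs against
constructed proxy logs from several third-party environments and flag
indicators seen from more than one environment (shared-C2 signal)."""
import re
from collections import defaultdict

# Placeholder indicators in documentation ranges (RFC 5737 / example TLD).
# These are NOT the real BrockenDoor/Remcos/DarkGate/PhantomDL/PhantomCore
# infrastructure; the brief discloses no specific IoCs. Replace with your
# vendor-supplied indicator feed.
IOC_PLACEHOLDERS = {
    "203.0.113.10": "PLACEHOLDER-C2-A",
    "198.51.100.7": "PLACEHOLDER-C2-B",
    "c2-placeholder.example": "PLACEHOLDER-C2-DOMAIN",
}

# Constructed proxy log lines, assumed layout:
# "<timestamp> <vendor_env> <src_host> <dst> <action>"
SAMPLE_LOGS = """\
2024-01-01T10:00:00Z vendorA ws-01 203.0.113.10 ALLOW
2024-01-01T10:05:00Z vendorA ws-02 198.51.100.7 ALLOW
2024-01-01T11:00:00Z vendorB srv-09 203.0.113.10 ALLOW
2024-01-01T11:30:00Z vendorC ws-17 c2-placeholder.example BLOCK
2024-01-01T12:00:00Z vendorC ws-18 192.0.2.44 ALLOW
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<env>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<action>\S+)$"
)


def parse_log(text):
    """Parse the assumed five-field layout; silently skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def match_iocs(records, iocs):
    """Return records whose destination is a known indicator, tagged with its label."""
    return [dict(r, ioc=iocs[r["dst"]]) for r in records if r["dst"] in iocs]


def shared_c2(hits):
    """Map each indicator to the vendor environments that contacted it and keep
    only those seen from more than one environment: a single C2 host reached
    from several suppliers is the footprint of shared infrastructure."""
    envs = defaultdict(set)
    for h in hits:
        envs[h["dst"]].add(h["env"])
    return {dst: sorted(e) for dst, e in envs.items() if len(e) > 1}


def analyse(text=SAMPLE_LOGS, iocs=IOC_PLACEHOLDERS):
    """Run the full check and return both the raw hits and the cross-vendor overlap."""
    hits = match_iocs(parse_log(text), iocs)
    return {"hits": hits, "shared": shared_c2(hits)}


if __name__ == "__main__":
    result = analyse()
    for h in result["hits"]:
        print(f'{h["ts"]} {h["env"]}/{h["src"]} -> {h["dst"]} [{h["ioc"]}] {h["action"]}')
    for dst, envs in result["shared"].items():
        print(f"shared C2 candidate {dst}: seen from {', '.join(envs)}")
```

Note that a BLOCK action is still reported: a blocked connection to C2 infrastructure means a host already ran something that tried to call home, so it is an incident lead rather than a non-event. On real telemetry the overlap check is only meaningful when the log source covers several vendor environments; within a single environment it degrades to plain indicator matching.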