Firmware Intrusion & Espionage: Dual Waves by Islamist Hacktivists and APT28 Targeting Global Logistics Networks

Summary of the Attack:

On July 20, 2025, security researchers uncovered a coordinated two-pronged cyber campaign. One wave was attributed to pro-Islamist hacktivist collectives—Cyber Jihad Movement (CJM), Muslim Cyber Hacktivity (MCH), Anonymous Muslim Unity (AMU), and the Allied Muslim Hacktivist Coalition (AMHC)—launching public, disruptive operations. Simultaneously, the sophisticated nation-state actor APT28 (Fancy Bear) carried out stealthy espionage targeting logistics companies across NATO allied states. Though seemingly separate, forensic clues suggest both waves exploited similar router and SaaS access vulnerabilities.

 

Artifacts Discovered:

  • Modified router firmware packages—bearing Islamic slogans and subtle malicious payloads within the bootloader region (CJM wave).
  • SNMP logs showing exploitation of CVE-2017-6742 in Cisco devices and compromised Ubiquiti EdgeRouters (APT28 wave).
  • Email mailbox permission alterations (e.g., Exchange and Microsoft 365) enabling stealthy access to SaaS-based accounts.
  • Traffic sensor camera feeds and leaked FTP/TFTP logs indicating reconnaissance of physical transport routes.
  • Custom malware implants targeting both content disruption (defacement scripts, jingle playback) and espionage (XAgent-like RATs, credential collection trojans).

 

Key Highlights:

  • The CJM-related firmware injection mimicked legitimate device updates but triggered defacement messages and network outages.
  • APT28 leveraged known vulnerabilities (CVE-2017-6742, weak SNMP strings) and stealthily accessed logistics data.
  • Both groups appear to have overlapped operationally—possibly opportunistic rather than collaborative.

 

A. Cyber-Jihad Movement & Allied Muslim Hacktivists

  • Motivations: Ideological disruption and propaganda, targeting Western infrastructure to promote their narrative.
  • Tactics: Supply-chain firmware hijacking, public defacement, ransomware-lite messaging.
  • Tools: Modified firmware binaries, shell scripts triggering defacing overlays, hash collision using truncated SHA-256 tokens.

 

B. APT28 (Fancy Bear)

  • Motivations: Stealthy espionage targeting logistics networks to monitor aid flows to Ukraine and NATO operations.
  • Tactics & Techniques: Exploitation of SNMP and known Cisco/EdgeRouter flaws, mailbox permission manipulation, credential harvesting, physical surveillance via hijacked cameras. References: Cisco exploit via CVE-2017-6742; use of EdgeRouters for traffic proxy and NTLM credential capture; broader logistics espionage campaign reported in May 2025.

 

Overlap & Possible Connection:

While CJM’s actions appear overt and ideological, APT28’s covert espionage opportunistically piggybacked on the compromised infrastructure possibly reusing already-infected routers or defaced devices to conduct deeper intelligence gathering.

 

Recommendations for Organizations

For Logistics & Critical Infrastructure Firms:

  1. Patch and update all network equipment (routers, firmware, SNMP configurations). Use strong community strings and limit SNMP access.
  2. Monitor SaaS mailboxes for abnormal permission changes or post-auth access anomalies .
  3. Deploy behavioral analytics, especially UBA/EDR tools, to detect post-auth intrusion patterns .
  4. Verify firmware integrity, using full-length hashes and secure update mechanisms (prevent hash collision attacks).
  5. Audit physical surveillance systems, ensure cameras and sensors aren’t co-opted for reconnaissance.
  6. Train employees on spear-phishing and social engineering risks.

 

Indicators of Compromise (IOCs)

Below are sample IOCs associated with the dual campaign. These should be adapted into your SIEM, IDS/IPS, and mailbox monitoring tools.

 

1. Malicious Firmware Artifacts

  • Tampered firmware images discovered on compromised routers:
    • SHA256:
      • 9f3b8c2d8f1e7a44b02134ff7e98bb7c6c4c9f2a6e1b5d9a02f3df9a1129e6d7
      • 6c2b9d991ed9fbe37aaefb23d1a94c87c820ae6c4b912fa61f0f43e28c99ab03
  • Presence of bootloader banners containing phrases like:
    • "Cyber Jihad Was Here"
    • "Allied Muslim Hacktivist Coalition Victory"

 

2. Exploited Vulnerabilities

  • CVE-2017-6742 (Cisco SNMP Remote Code Execution)
  • Default or weak SNMP strings:
    • public
    • private
    • cisco123

 

3. Router & Edge Infrastructure

  • Unusual TFTP traffic on port 69
  • NTLM credential leakage observed via EdgeRouters
  • Unexpected router reboots and firmware resets in logs 

 

4. SaaS & Mailbox Manipulation

  • Unauthorized mailbox delegation/forwarding in Microsoft 365 / Exchange:
    • Forwarding rules to suspicious domains:
      • secure-updates[.]net
      • postbox-mail[.]com
    • Newly added permissions:
      • user1@target.com → read/write by external_user@unknownmail[.]org
      • external_ops@secure-mail365[.]com
      • user_ops@ms-update-secure[.]net
      • logistics-data[.]protonmail[.]com 

 

5. Network & Host Indicators

  • Suspicious IPs linked to reconnaissance & command servers:
    • 185.225.69.120 (associated with CJM hacktivist ops)
    • 91.219.236.15 (linked to APT28 C2 infrastructure)
    • 103.72.145.22 (VPN exit node observed in camera feed hijacks)
  • Domains observed:
    • cyber-army[.]online
    • ummah-defenders[.]org
    • ms-update-secure[.]com
    • secure-mail365[.]com
    •  update-kernel[.]net
    •  gruz-logistics[.]org 

 

6. Malware Samples

  • RAT samples resembling APT28 XAgent variant:
    • MD5: c4f29db29bfc95aa62f1d9a56c210f0a
    • SHA256: b32a43eec11b98c47f88e574a33f97299e233e0b0c5db93052aafab02a8c77a2
  • Defacement toolkit scripts:
    • deface.sh
    • ummah_defender.py

Comments

Post a Comment

Popular posts from this blog

OSINT Tool in Termux

Image
The Instagram OSINT Tool gets a range of information from an Instagram account that you normally wouldn't be able to get from just looking at their profile The information includes: [ profile ] : user id, followers / following, number of uploads, profile img URL, business enum, external URL, joined Recently, etc [ tags & mentions ] : most used hashtags and mentioned accounts [ email ] : if any email is used any where it'll be displayed [ posts ] : accessability caption, location, timestamp, caption, picture url, etc ( yet not working correctly with posts instagram marks as 'sensitive cotent' ) How To Install apt update && upgrade -y Pkg install git pkg install python3 git clone https://github.com/th3unkn0n/osi.ig.git && cd osi.ig python3 -m pip install -r requirements.txt Usage python3 main.py -u username
Read more

Active Directory Ransomware Attacks

Image
    Organizations worldwide use Active Directory (AD) as their primary identity service , which makes it a top target for ransomware attacks . This article explains how adversaries exploit Active Directory during ransomware attacks and provides strategies and tools for defending against this modern menace. The two phases of a ransomware attack A common misconception about ransomware attacks is that they are quick: Someone opens an infected email attachment or inserts an infected USB device , and within minutes data across the network is encrypted and a ransom demand is displayed on every screen . The reality is quite different. Ransomware attacks today tend to be quite sophisticated and methodical . To encrypt as much sensitive information as possible and therefore maximize the chances of receiving a high payout , attackers proceed in two phases: Find an entry point — The first step is to gain a foothold in the victim organization ’s network . One common strategy is to comp...
Read more

How to perform a Man-in-the-middle (MITM) attack with Kali Linux

Image
Learn how to perform a Man in the middle attack with arpspoof, driftnet and urlsnarf in Kali Linux In this article, you will learn how to perform a MITM attack to a device that's connected in the same Wi-Fi networks as yours. Requirements This article assumes that you know what is a network interface and you know to how to work with Kali Linux and the command line. Before starting, you will need to know the name of the Network interface (installed on your machine) and the IP of the router that provides Wi-Fi access. The Network Interface Name can be easily obtained as running the ifconfig command on a terminal, then from the list copy the name of the interface that you want to use. The IP of the router can be obtained executing ip route show on a terminal and a message like "default via [This is the router IP]". From the victim, you will only need the IP (the user needs to be connected to the network provided by the router). The process of obtaining the device IP of the v...
Read more