The Wordfence team has identified a massive attack on Ukrainian universities that coincided with the invasion of Ukraine by Russia and resulted in at least 30 compromised Ukrainian university websites. We have identified the threat actor behind the attack, who is part of a group called the Monday group, which its members refer to as “theMx0nday”. The group has stated publicly that they support Russia in this conflict.
The threat actor is based in Brazil. The majority of attacks transited an internet service provider in Finland called Njalla, which claims it is “Considered the world's most notorious ‘Privacy as a Service’ provider for domains, VPSs and VPNs”. Njalla is run by Peter Sunde, who is the co-founder of Pirate Bay, has a criminal record, and has served prison time.
Wordfence protects over 8,000 websites in Ukraine. In addition to the more than 300 universities we protect in Ukraine, we also protect private, government, military, and police websites. This gives us insight into attacks targeting Ukraine. In this post, we explain how we arrived at the conclusions above, and we provide supporting data, explanations, and visuals.
We are also taking the step of activating our real-time threat intelligence on all sites