Vole has attributed a spate of ransomware incidents targeting the transportation and logistics sectors in Ukraine and Poland to a threat cluster that overlaps with the Russian state-sponsored Sandworm group.
The malware used is called Prestige, and the attacks took place within an hour of each other. According to the Microsoft Threat Intelligence Center (MSTIC), the threat actor is tracked as Iridium (or DEV-0960) and appears to be working with Sandworm (which is also known as Iron Viking, TeleBots, and Voodoo Bear).
"This attribution assessment is based on forensic artifacts, as well as overlaps in victimology, tradecraft, capabilities, and infrastructure, with known Iridium activity," MSTIC said in an update.
The method of initial compromise remains unknown, although it is suspected to have involved gaining access to the highly privileged credentials needed to activate the kill chain.
"The Prestige campaign may highlight a measured shift in Iridium's destructive attack calculus, signaling increased risk to organisations directly supplying or transporting humanitarian or military assistance to Ukraine," the company said.
The findings come over a month after Recorded Future linked another activity group (UAC-0113), which has ties to the Sandworm actor, to a campaign that singled out Ukrainian users by masquerading as telecom providers in the country to deliver backdoors onto compromised machines.
Microsoft, in its Digital Defense Report published last week, further called out Iridium for its pattern of targeting critical infrastructure and operational technology entities.