OFAC sanctioned 1VPNS and two individuals for aiding ransomware attacks on U.S. targets. Russian GRU and FSB center 16 actors targeted Poland's energy grid and exploited routers. FBI warned of CVE exploitation in critical infrastructure.
| IOC Type | Value | Description | Relevant MITRE ATT&CK Techniques |
|---|---|---|---|
| Malwarename | First VPN Service (1VPNS) | VPN service used by ransomware groups to hide attack origins | T1133 |
| Vulnerability | CVE-2018-0171 | Cisco vulnerability exploited by FSB Center 16 for router access | T1212 |
| Vulnerability | CVE-2008-4128 | Added to CISA KEV catalog for router exploitation | T1212 |
| Code | Title |
|---|---|
| T1133 | External Remote Services (VPN for obfuscating attacks) |
| T1071 | Application Layer Protocol (SNMP for scanning devices) |
| T1046 | Network Service Scanning (SNMP Set-Requests for router exploitation) |
| T1212 | Exploitation for Client Execution (CVE-2018-0171 and CVE-2008-4128 abuse) |
| T1027 | Obfuscated Files or Information - Obfuscated Files or Information (cryptors to hide malware) |
| T1566 | Phishing (implied in initial access) |
| T1036 | Masquerading (false identities for infrastructure purchases) |
| T1059 | Command and Scripting Interpreter (script-based SNMP exploitation) |
| T1083 | File and Directory Discovery (transferring router configurations) |
| T1047 | Windows Management Instrumentation (SNMP as protocol for management abuse) |
| Type | Value |
|---|---|
| Country | Poland |
| Sector | Financial Services |
| Sector | Government (municipal) |
| Sector | Healthcare |
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has designated two individuals and a VPN service provider for enabling ransomware actors' and other cybercriminals' malicious activities, including ransomware attacks against Americans. The VPN, named First VPN Service ( 1VPNS ), has been accused of offering its tools to ransomware groups, along with its 45-year-old Ukrainian administrator, Dmytro Rashevskyi. The department has also sanctioned Yegeniy Vladimirovich Silayev, a Belarusian national, for selling cryptors to help conceal ransomware and other malware as safe programs to avoid being detected by security tools. First VPN was dismantled in May 2026 as part of a joint law enforcement operation by European and North American authorities for assisting criminal actors to obscure the origins of ransomware attacks, data theft, scanning, and denial-of-service attacks. The service had been operational since 2014, advertising that it neither keeps a log of users' identities or activities nor cooperates with law enforcement to tackle illegal activity originating from servers it rents to customers. Per the Treasury, several ransomware groups are said to have purchased First VPN to carry out attacks on U.S. companies and institutions and hide their true origins, deploy malware, and manage exfiltrated data. Victims of ransomware attacks that involved the VPN infrastructure included U.S. businesses,
"Rashevskyi has used false identities, including 'Maksim Sorin' and 'Roman Chabanenko,' to buy infrastructure from companies that might otherwise refuse to do business with him because of complaints of abuse from internet service providers about illegal activity originating from 1VPNS servers," the department said. U.K. and E.U. Impose Sanctions on Russian Individuals and Entities The disclosure coincides with the U.K. and E.U. sanctioning Russian cyber networks for their "persistent and increasingly reckless attempts to sow chaos and division across Europe." The sanctions target 24 individuals and entities behind destructive cyber and hybrid operations, including operators involved in proxy networks linked to the Russian Intelligence Services (RIS). This includes Russia's Main Intelligence Directorate (GRU) senior leadership members Vyacheslav Stafeyev, Ivan Senin, and Ivan Kasyanenko for their role in directing GRU cyber and hybrid threat operations. In tandem, Centre 16 of the Federal Security Service (FSB) has been attributed to disruptive sabotage operations against
"We strongly condemn Russia's behaviour and misuse of this cyber ecosystem, targeting public services and critical infrastructure, causing disruptions and financial losses. By calling out Russia's malicious behaviour and imposing costs on those responsible for such activities, the EU underscores its determination to uphold accountability in cyberspace." Russian State-Sponsored Targeting Goes After Routers The sanctions also arrive against the backdrop of a new advisory issued by the U.S. Federal Bureau of Investigation (FBI) about FSB Center 16 cyber actors' exploitation of poorly configured and vulnerable networking devices across the world to opportunistically hack into multiple critical infrastructure sector networks. "The Russian FSB Center 16 cyber actors primarily use scanning to identify poorly configured networking devices, primarily routers, for exploitation," the agency said. "The actors scan for Internet IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default community strings for authentication." These scans, which are run via proxies, consist of SNMP Set-Requests from a spoofed IP address containing Object Identifiers (OIDs) that instruct the SNMP agent on poorly configured networking devices to copy its configuration to a file and transfer it to an attacker-controlled virtual private server (VPS) or compromised FTP server. The activity also involves abusing common vulnerabilities and exposures (CVEs) in Cisco devices, such as