via wordfence.com => original post link
Note: This article has been updated to reflect that the hosting provider “Njalla”, which routed the malicious traffic involved in this attack, is based in Sweden, not in Finland, although IP geolocation data indicates that the specific server that the traffic transited may be based in Finland. We have also updated the post title to reflect this change.
The Wordfence team has identified a massive attack on Ukrainian universities that coincided with the invasion of Ukraine by Russia, and resulted in at least 30 compromised Ukrainian university websites. We have identified the threat actor behind the attack, who is part of a group called the Monday group, which the members refer to as “theMx0nday”. The group has stated publicly that they support Russia in this conflict.
The threat actor is based in Brazil. The majority of attacks transited an internet service provider called Njalla who claim they are “Considered the worlds most notorious ‘Privacy as a Service’ provider for domains, VPSs and VPNs”. Njalla is a Swedish-based hosting provider and is run by Peter Sunde, who is the co-founder of Pirate Bay. The specific Njalla server that the traffic was routed through appears to be based in Finland, based on IP geolocation data, although Njalla claims their servers are based “In secret locations in Sweden”.