US Cyber Command Shares Malware Indicators Targeting Ukraine
Cybersecurity Firm Mandiant Analyzes Phishing Campaigns Tied to Belarus, Russia
A barrage of cyberattacks targeting Ukraine led the U.S. military to publicly disclose a slew of malware indicators in a bid to stymie hackers and underline America's close relationship with Kyiv.
U.S. Cyber Command in coordination with the Security Service of Ukraine on Wednesday disclosed 20 novel indicators of malware infections.
"Our Ukrainian partners are actively sharing malicious activity they find with us to bolster collective cybersecurity, just as we are sharing with them. We continue to have a strong partnership in cybersecurity between our two nations," U.S. Cyber Command says.
The military command has acknowledged working side by side with Ukrainian Cyber Command to identify vulnerabilities and spot hackers. The United States has aided Ukrainian defense through weapons transfers and humanitarian aid. In June, President Joe Biden announced $1 billion in additional security assistance for the Eastern European country, the twelfth delivery of U.S. arms since August 2021.
Ukrainian cyberspace went into red alert following Russia's February invasion as defenders mobilized to fend off an arsenal of wipers and other digital attacks (see: Major Takeaways: Cyber Operations During Russia-Ukraine War).
Neither government is disclosing the threat actor behind the indicators, nor victims of the malware.
Mandiant, a cybersecurity firm with ties to the U.S. military, joined the info dump by publishing an analysis that takes an in-depth look at some of the released indicators of compromise.
Mandiant researchers detailed two separate campaigns: one from a threat group the firm believes is linked to the government of Russian ally Belarus, and another that is at least partially sponsored by Moscow.
Both groups attack victims by phishing with malicious documents that purport to be safety information or humanitarian advice.
One threat group, dubbed UNC2589, supports Russian government interests and has been conducting espionage collection in Ukraine. Other companies track the group under different names, including SaintBear and TA471.
Mandiant believes this group was behind pre-invasion attacks in January on Ukrainian government websites with malware known as WhisperGate (see: Teardown: Fake Ransomware Targeting Ukrainian Government).
"We believe UNC2589 acts in support of Russian government goals, but have not uncovered evidence to link it conclusively," Mandiant says. The threat actor uses spear-phishing to gain footholds into computers, sending out attachments that arrive in inboxes as messages sent from legitimate but compromised accounts or from its own accounts. The lure themes include COVID-19, the Ukrainian government, the ongoing war and even Bitcoin.
Payloads include malicious document macros, Windows Control Panel files and .zip compression files. The command-and-control structure traces back to IP addresses mostly located in Russia.
On execution, the threat group sets up persistence by setting its malware up to automatically run anytime a user logs on to the compromised computer. It then downloads and executes two additional files, one called GrimPlant to set up a backdoor and another dubbed GraphSteel to steal information. The latter looks for credentials, including from the Chrome, Firefox or Internet Explorer browsers. If it finds an instance of the Thunderbird email client, it also attempts to collect mail data.
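The logon-time autorun persistence described above is the kind of setting a defender can audit directly. Mandiant's summary does not say which autorun mechanism the malware uses, so the example below, which is added here and is not code from the article, Mandiant or CERT-UA, assumes the common case of a value under the HKCU Run key. It parses the output format of `reg query` and flags entries that match the usual warning signs: a program in a user-writable directory, a system-binary name outside System32, or a proxy-execution host such as rundll32 launching a Control Panel file or script. The registry output and all paths in it are constructed for the example and are not the disclosed indicators.

```python
import ntpath
import re

# Constructed sample in the format printed by
# `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
# Two entries are benign; two resemble the logon persistence pattern
# described in the article. None of these values are real IoCs.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_SZ    C:\Windows\System32\SecurityHealthSystray.exe
    Updater    REG_SZ    C:\Users\alice\AppData\Local\Temp\svchost.exe
    Panel    REG_SZ    rundll32.exe shell32.dll,Control_RunDLL C:\Users\alice\Downloads\notice.cpl
"""

# Names of Windows binaries that should only ever run from System32.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe", "winlogon.exe"}
# Path fragments that mark directories an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\downloads\\", "\\public\\")
# Signed hosts that are routinely abused to run a payload given as an argument.
PROXY_EXECUTION_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe",
                         "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# Extensions of payloads such hosts are asked to load (.cpl matches the
# "Windows Control Panel files" mentioned in the article).
SCRIPT_LIKE_EXTENSIONS = (".cpl", ".js", ".vbs", ".hta", ".ps1", ".bat")


def parse_run_values(text):
    """Yield (value_name, data) pairs from `reg query`-style output.

    Value lines are indented and use runs of spaces between columns."""
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            yield parts[0], parts[2]


def first_executable(data):
    """Return the program part of a command line: the quoted path if the
    line starts with a quote, otherwise the first whitespace-separated token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def triage_run_values(text):
    """Map each suspicious value name to the list of reasons it was flagged."""
    findings = {}
    for name, data in parse_run_values(text):
        exe_lower = first_executable(data).lower()
        base = ntpath.basename(exe_lower)
        reasons = []
        if any(m in exe_lower for m in USER_WRITABLE_MARKERS):
            reasons.append("program lives in a user-writable directory")
        if base in SYSTEM_BINARY_NAMES and "\\windows\\system32\\" not in exe_lower:
            reasons.append("system binary name outside System32")
        if base in PROXY_EXECUTION_HOSTS:
            args = data.lower().rstrip()
            if any(m in args for m in USER_WRITABLE_MARKERS) or args.endswith(SCRIPT_LIKE_EXTENSIONS):
                reasons.append(f"{base} launching a payload from a user-controlled location")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for value_name, why in triage_run_values(SAMPLE_REG_QUERY).items():
        print(value_name, "->", "; ".join(why))
```

On a real host the same function can be fed the output of `reg query` for the HKCU and HKLM Run and RunOnce keys; the heuristics are deliberately narrow, so a clean result is a reason to look elsewhere (scheduled tasks, services, Startup folder), not a clean bill of health.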
In March, cybersecurity firm SentinelOne reported that the group had targeted Ukrainians with fake translation software.
In an alert, Ukrainian national computer emergency response team CERT-UA said the GraphSteel and GrimPlant malware is being distributed through phishing emails with the subject line "Wage arrears," typically targeted at people working in government. The emails carry an attachment called "Wage arrears.xls" that contains legitimate statistics together with macros, CERT-UA said.
The second group, which Mandiant tracks as UNC1151, is a Minsk-based, state-sponsored cyberespionage actor that engages in credential harvesting and malware campaigns (see: 'Ghostwriter' Disinformation Campaign Targets NATO Allies).
Mandiant researchers did not rule out Russian contributions to either UNC1151 or a disinformation campaign aligned with Russian security interests known as Ghostwriter. But they were unable to identify evidence of any collaboration between Russian advanced persistent threat groups and UNC1151.
Although the group has been active across the Baltics and in Germany, it has focused on Ukraine and Poland since the Russian invasion of Ukraine in February, Mandiant says.
Among its phishing lures is a message that translated as "What to do? During artillery shelling by volley fire systems." Victims who click on the lure have their computers infected with malware dubbed Microbackdoor, a backdoor and command-and-control tool available on source code repository GitHub since May 2021. Its author is "Cr4sh," aka Dmytro Oleksiuk, who has developed other notable malware used by Russian threat actor groups, including the BlackEnergy DDoS bot toolkit.
Microbackdoor can upload and download files, execute commands, update itself and take screenshots.
The group also uses malware dubbed Beacon, part of the Cobalt Strike framework. Its backdoor commands include shell command execution, file transfer, file execution and file management.
It is also capable of capturing keystrokes and screenshots as well as acting as a proxy server. "BEACON may also be tasked with harvesting system credentials, port scanning, and enumerating systems on a network. BEACON communicates with a C2 server via HTTP or DNS," Mandiant researchers say.
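Of the two Beacon channels named above, the DNS one is the quieter for a defender watching network egress, because the implant encodes its traffic in the subdomain labels of queries for a domain the operator controls, and those queries are resolved by the organization's own recursive resolver. The script below is an added example, not code from Mandiant or the article, showing the per-domain statistics a resolver log can yield to surface that pattern: a high ratio of never-repeated subdomains, long subdomain strings, and high character entropy. It assumes a constructed log format of `timestamp client qtype qname` and a crude registered-domain split on the last two labels (a production version would use the public suffix list); the domains and query names are constructed and not indicators from the disclosure.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: one workstation resolving ordinary names plus a
# run of queries whose subdomains look like encoded data. Domains are made up.
SAMPLE_DNS_LOG = """\
2022-07-20T10:00:01Z ws-12 A www.example.com
2022-07-20T10:00:02Z ws-12 A cdn.example.com
2022-07-20T10:00:03Z ws-12 A dc01.corp.internal
2022-07-20T10:00:04Z ws-12 A mail.example.com
2022-07-20T10:00:05Z ws-12 TXT 0123456789abcdef.fedcba9876543210.notice-update.test
2022-07-20T10:00:06Z ws-12 A www.example.com
2022-07-20T10:00:07Z ws-12 TXT 13579bdf02468ace.eca86420fdb97531.notice-update.test
2022-07-20T10:00:08Z ws-12 A api.example.com
2022-07-20T10:00:09Z ws-12 A fedcba9876543210.0123456789abcdef.notice-update.test
2022-07-20T10:00:10Z ws-12 A dc02.corp.internal
2022-07-20T10:00:11Z ws-12 TXT 02468ace13579bdf.fdb97531eca86420.notice-update.test
2022-07-20T10:00:12Z ws-12 A www.example.com
2022-07-20T10:00:13Z ws-12 A abcdef0123456789.9876543210fedcba.notice-update.test
2022-07-20T10:00:14Z ws-12 TXT fedcba0123456789.9876543210abcdef.notice-update.test
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_dns_log(text):
    """Yield (timestamp, client, qtype, qname) with qname normalised."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qtype, qname = line.split()
            yield ts, client, qtype.upper(), qname.rstrip(".").lower()


def split_name(qname):
    """Crude split into (registered domain, subdomain part) on the last two
    labels. Assumption for the example; use the public suffix list in practice."""
    labels = qname.split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_domains(text, min_queries=5):
    """Per registered domain: query count, ratio of distinct subdomains,
    mean subdomain length and mean entropy of the subdomain characters.
    Domains seen fewer than min_queries times are dropped as too thin to judge."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "chars": 0, "ent": 0.0})
    for _, _, _, qname in parse_dns_log(text):
        base, sub = split_name(qname)
        a = acc[base]
        a["n"] += 1
        a["subs"].add(sub)
        a["chars"] += len(sub)
        a["ent"] += shannon_entropy(sub.replace(".", ""))
    return {
        base: {
            "queries": a["n"],
            "unique_ratio": len(a["subs"]) / a["n"],
            "avg_sub_len": a["chars"] / a["n"],
            "avg_entropy": a["ent"] / a["n"],
        }
        for base, a in acc.items() if a["n"] >= min_queries
    }


def suspicious_domains(text, unique_ratio=0.8, min_len=24, min_entropy=3.0):
    """Domains whose subdomains are mostly unique, long and high-entropy:
    the shape of a data-carrying DNS channel rather than ordinary lookups."""
    return sorted(
        base for base, m in score_domains(text).items()
        if m["unique_ratio"] >= unique_ratio
        and m["avg_sub_len"] >= min_len
        and m["avg_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    for base, m in score_domains(SAMPLE_DNS_LOG).items():
        print(f"{base:24} n={m['queries']:3} uniq={m['unique_ratio']:.2f} "
              f"len={m['avg_sub_len']:5.1f} H={m['avg_entropy']:.2f}")
    print("suspicious:", suspicious_domains(SAMPLE_DNS_LOG))
```

The thresholds are starting points, not tuned values: content-delivery and telemetry domains also produce many unique subdomains, but they tend to be shorter and lower in entropy, which is why the three measures are combined rather than used alone. The same statistics computed per client, rather than per domain, point at the host that is talking.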
"Ukrainian partners are actively sharing malicious activity with us to bolster collective cybersecurity, as we share w/them. Thanks to close collaboration with @servicessu, we are disclosing IOCs associated w/malware recently found in Ukrainian networks https://t.co/PPMRBEASST"
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert), July 20, 2022