APT28 Spear-Phishes Ukrainian Critical Energy Facility
Energy Facility Impeded Attack by Blocking the Launch of the Windows Script Host

Ukrainian cyber defenders said Russian military hackers targeted a critical energy infrastructure facility with phishing emails containing a malicious script leading to cyberespionage.
The Computer Emergency Response Team of Ukraine on Monday linked the campaign to APT28, the Russian GRU hacking group also known as Fancy Bear and Forest Blizzard, which was formerly Strontium.
The Russian state hacking group is behind a number of spear-phishing campaigns against Kyiv. U.S. and U.K. authorities earlier this year warned that the group had been exploiting a known vulnerability to deploy malware and access Cisco routers worldwide (see: Ukraine Facing Phishing Attacks, Information Operations).
CERT-UA released the report as Ukrainian forces have reportedly breached the southern first line of Russian defenses.
GRU hackers sent emails with a zip archive containing decoy jpeg files and a batch file named weblinks.cmd. Running the batch file opens decoy webpages and launches a VBS script that executes a .bat file.
The batch file uses the Microsoft Edge browser in headless mode to connect to a URL. A headless browser lacks a graphical user interface and is mainly used for testing or scraping. The attackers also download the Tor anonymity browser onto victim computers in a bid to siphon information through The Onion Router. APT28 also uses a PowerShell script to obtain the hash of the victim system's account password and transmits it over the SMB protocol.
A cyber defender at the energy facility impeded the attack by blocking access to mockbin.org and mocky.io and stopping the launch of the Windows Script Host, CERT-UA says.