Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Russian Military Intelligence Blamed for Blitzkrieg Hacks

Ukrainian Cyber Defenders Trace Government Agency Hits to Phishing Campaign
Russian Military Intelligence Blamed for Blitzkrieg Hacks
The Ukrainian capital of Kyiv after Russian shelling on March 29, 2022 (Image: Shutterstock)

Ukrainian cyber defenders report that fast-acting Russian military intelligence hackers have been targeting government agencies as well as organizations in Poland using backdoor malware tied to phishing lures based on a fake letter from the Ukrainian deputy prime minister.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

The Computer Emergency Response Team of Ukraine on Thursday detailed a spear-phishing campaign that it has tied to the Russian advanced persistent group APT28, also known as Fancy Bear. Western intelligence agencies said APT28 is run by Russia's GRU military intelligence agency.

The APT28 phishing campaign ran from Dec. 15 to Dec. 25 and targeted multiple Ukrainian government agencies as well as some organizations in Poland, CERT-UA said. The attack campaign "led to the damage of computers with malicious programs," according to a machine translation of CERT-UA's alert.

News of the latest in a long line of Ukraine-focused phishing campaigns arrives on the heels of a similar series of phishing attacks against organizations in Ukraine and Poland that also began earlier this month. CERT-UA has attributed those attacks to a group it has given the codename UAC-0050 (see: Ukrainian, Polish Authorities Latest Phishing Wave Targets).

Researchers warn that such attacks are typically the first stage in a more serious assault. Security experts have tied GRU hackers to September cyber operations targeting a critical energy infrastructure facility. Defenders said that attempt was foiled after an employee blocked attackers' access to two sites - mockbin.org and mocky.io - and their ability to launch Windows Script Host (see: APT28 Spear-Phishes Ukrainian Critical Energy Facility).

The most recently spotted APT28 campaign involved phishing emails that urged recipients to click on a link purporting to lead to an important document from Ukraine's deputy prime minister. The link instead subjected victims to an attack involving JavaScript, which would download a Windows shortcut file designed to run a PowerShell command to download and open a decoy document as well as Python programming language interpreter and a malicious Python file called Masepie, CERT-UA said.

Masepie is a backdoor that ensures persistence on the infected device by modifying the Windows Registry and adding a deceptively named LNK file - SystemUpdate.lnk - to the Windows Startup folder, CERT-UA said. The malware's primary function appears to be to download additional malware payloads onto the infected device and exfiltrate data being stored on the endpoint.

Defenders found the backdoor uses the AES-128-CBC algorithm to encrypt data before transmitting it to the hackers' command-and-control server, and the encryption key is a sequence of 16 arbitrary bytes that are generated when the malware first establishes a connection with the hackers' C2 server.

In the campaign, APT28 has also been employing a PowerShell script named SteelHook, which functions as an information stealer and can extract data from web browsers on hacked systems, likely including such sensitive information as login credentials, authentication cookies and browsing history, CERT-UA said.

Another tool used in the campaign is a C# backdoor called OceanMap, which can execute base64-encoded commands via cmd.exe and which APT28 has been employing in its attacks since 2020 to gain persistent, remote access to an endpoint, CERT-UA said. OceanMap makes use of the legacy Internet Message Access Protocol as a control channel, via which it receives commands, storing them as email drafts containing the command, username and OS version to avoid suspicion. After executing a command, OceanMap stores the results in the inbox directory, enabling APT28 to clandestinely track the attack and adjust its strategy when necessary, CERT-UA said.

Ukrainian cyber defenders said Russian military intelligence hackers moved quickly once they had gained access to an endpoint, typically deploying further malicious tools in one hour or less after initial compromise.


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.