Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Ukraine Identifies Central Asian Cyberespionage Campaign

Official Address of Ukraine's Embassy in Tajikistan Used to Send Phishing Emails
Ukraine Identifies Central Asian Cyberespionage Campaign
Cityscape of the Tajik capital, Dushanbe (Image: Shutterstock)

Possibly Russian hackers likely compromised the official email address of Ukraine's embassy in Tajikistan to send phishing emails to organizations located in central Asia, Israel and India.

See Also: The Healthcare CISO’s Guide to Medical IoT Security

The Computer Emergency Response Team of Ukraine disclosed Monday that an unidentified government agency had received emails from the Tajikistani outpost between April 18 and April 20. The embassy inbox was probably compromised, CERT-UA said.

Some phishing emails contained a document loaded with malicious macros, and others encouraged recipients to download the document from the internet.

The espionage tools included a backdoor, keylogger and a malicious program CERT-UA calls Stillarch. The Ukrainian government is tracking the campaign as UAC-0063.

The possible Russia connection comes from Stillarch. In analysis earlier this month, Bitdefender dubbed the same malware DownEx (see: Russian Group Possibly Behind Cyberespionage in Central Asia).

Security researchers from Bitdefender wrote that they don't have hard evidence that Russian state hackers are behind DownEx and the hacking incidents in Central Asia associated with it. Among the indicators that suggested a Moscow link was a bait document created with a cracked version of Microsoft Office 2016 known as "SPecialiST RePack" that is popular in Russian-speaking countries. DownEx is also written in two programming languages, Python and C++, a practice previously observed in APT28, aka Fancy Bear.

Ukrainian cyber defenders say the hackers used obfuscation methods to stymie analysis of the malware, including deploying Pyarmor and the Themida packer.


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.