Invoice-themed phishing campaign and destructive attacks are targeting a Ukrainian government organization

Ukraine’s Cybersecurity and Infrastructure Security Agency (CERT-UA) has issued an alert warning of an ongoing phishing campaign targeting Ukrainian organizations using invoice-themed lures. The phishing campaign, which is attributed to a financially motivated group known as UAC-0006, aims to distribute the SmokeLoader malware according to CERT-UA.

Invoice-themed phishing campaign distributing SmokeLoader malware

The phishing emails, sent using compromised accounts, come with a ZIP archive containing a JavaScript file. The JavaScript code is used to launch an executable that paves the way for the execution of the SmokeLoader malware. Once installed, SmokeLoader downloads additional malware such as password stealers and other banking Trojans.

CERT-UA has attributed the activity to UAC-0006, a group that has previously distributed various types of malware, including ransomware and banking Trojans. The agency recommends that organizations remain vigilant and take necessary precautions to protect against this ongoing threat.

UAC-0165: Group’s Destructive Attacks Against Ukrainian Public Sector Organizations

In addition to the SmokeLoader malware campaign, CERT-UA has also revealed details of destructive attacks orchestrated by UAC-0165, a group accused of targeting Ukrainian public sector organizations. These attacks, which have been characterized as having a high level of sophistication, aim to cause significant damage to targeted systems and networks. In the latest attack, which targeted an unnamed state organization, the attackers used a new batch script-based wiper malware called RoarBAT.

RoarBAT is a destructive tool designed to overwrite files with zero bytes, rendering them unusable. Simultaneously, the attackers used a bash script to compromise Linux systems using the dd utility. The result was impaired operability of electronic computers, according to CERT-UA.

CERT-UA has attributed UAC-0165 with moderate confidence to the notorious Sandworm group, which has been linked to several high-profile attacks, including the Ukraine power grid outage in 2015. Sandworm is a Russian state-sponsored group known for its aggressive cyber campaigns targeting government organizations, critical infrastructure, and industrial sectors.

CERT-UA has issued a warning regarding APT28’s targeting of Ukrainian government entities

This alert comes a week after CERT-UA cautioned Ukrainian government entities about phishing attacks carried out by the Russian state-sponsored group APT28. According to the agency, these attacks aim to steal login credentials and other sensitive information from government officials.

APT28, also known as Fancy Bear, is a sophisticated hacking group with links to Russian military intelligence. The group has previously been accused of several attacks, including the 2016 Democratic National Committee hack, the 2018 Pyeongchang Winter Olympics cyber-attack, and the 2017 French election hack.

The recent alerts from CERT-UA highlight the growing cyber threats faced by Ukrainian organizations and government entities. As cyber threats become more sophisticated and complex, organizations must remain vigilant and take necessary cybersecurity measures to protect their systems, networks, and sensitive information. These measures include regular software updates, employee training on identifying and reporting phishing attacks, and the implementation of advanced threat detection and response capabilities. By taking proactive cybersecurity steps, Ukrainian organizations can better protect themselves against these ongoing threats.

Explore more