Russian hackers have launched cyber attacks against Ukrainian government bodies

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a recent series of cyberattacks on various government entities in the country. The phishing campaign has been attributed to APT28, also known as Fancy Bear, which is a known associate of the Russian military intelligence agency, GRU.

The attackers are using fake Microsoft Outlook email accounts, created with the employees’ real names and initials, to impersonate system administrators of the targeted government entities. The email messages come with the subject line “Windows Update” and pretend to contain instructions in the Ukrainian language for running a PowerShell command under the pretext of security updates.

Once the script is activated, it loads and executes a new PowerShell script. The second script is designed to collect basic system information and exfiltrate the details via an HTTP request to a Mocky API. This systematic and sophisticated approach to cyber attacks is causing great concern among Ukrainian officials.

Previous ties to APT28

Three weeks before the CERT-UA warning, APT28 was linked to a series of attacks that exploited now-patched security flaws in networking equipment to carry out reconnaissance and deploy malware against specific targets. It comes as no surprise that they are now linked to this new highly targeted phishing campaign.

Exploiting the flaw in Microsoft Outlook

The Russian-based hacking crew has also been linked to the exploitation of a critical privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) in intrusions directed against the Ukrainian government, transportation, energy, and military sectors, among others, in Europe. The vulnerability allows an attacker to gain administrative privileges on the target’s system, giving them free rein to move laterally across the network.

Uncovering Multi-Stage Phishing Attack

Fortinet FortiGuard Labs has discovered a multi-stage phishing attack that uses a macro-laced Word document, seemingly from Ukraine’s Energoatom, to trick victims and then deliver the open-source Havoc post-exploitation framework. The framework is created to run arbitrary code and payloads, perform system commands, and upload or download files.

Established Relationship Between Russian Cybercriminal Threat Actors and Cybercriminal Organizations

There are growing concerns that Russian cybercriminal threat actors are now maintaining an established and systematic relationship with cybercriminal organizations, either through indirect collaboration or recruitment. It is unclear if there is any direct link between these groups, but the fact that they continue to operate with such impunity and success is worrying.

Safeguarding against cyber attacks

To safeguard against such highly sophisticated attacks, CERT-UA is recommending that organizations restrict users’ ability to run PowerShell scripts and monitor network connections to the Mocky API. It is also recommending that organizations be cautious when receiving emails from unknown senders and avoid clicking on links or downloading attachments unless they are sure the email is from a trusted source.

With the current cyber threat landscape and the increasing sophistication of cyber-attacks, organizations around the world need to be aware of the risks and threat actors out there. The latest campaign by APT28 targeting Ukrainian government entities highlights the need for heightened cybersecurity measures, and organizations need to take note of these recommendations to secure their operations against such malicious attacks.

Explore more

NHS Trust Urgently Needs Network Upgrade for Patient Safety

Dartford and Gravesham NHS Trust Infrastructure Challenges Dartford and Gravesham NHS Trust has been grappling with a critical situation due to its outdated network infrastructure, which poses significant risks to essential digital clinical systems. The Trust Board has identified the risk level associated with this infrastructure, characterized by obsolete Cisco switches and inadequate wireless technology, as “extremely high.” With many

Is Pentagon Security at Risk Due to Hegseth’s Signal Use?

In a startling development within U.S. defense circles, reports have surfaced suggesting a security breach involving Defense Secretary Pete Hegseth. Allegedly, Hegseth set up an unsecured internet connection, colloquially termed a “dirty line,” in his Pentagon office. This setup allowed him to bypass stringent security protocols to access the Signal messaging app on personal devices. The implications are profound, as

Adapting Security for Complex, Multi-Dimensional Networks

Navigating the complexities of today’s digital landscapes requires a significant transformation in network security approaches. The evolving structure of these ecosystems mirrors a sprawling urban environment, where reliance on traditional security measures no longer suffices to protect against myriad threats. Drawing an analogy with the cityscape of Chongqing in China, known for its intricate, multi-level design, emphasizes the necessity for

Can Nokia and T-Mobile’s Partnership Boost Network Innovation?

The technological landscape is ever-evolving, demanding innovative solutions to cater to the increasing demand for seamless and high-speed connectivity. In light of this, the strategic multi-year partnership between Nokia and T-Mobile emerges as a significant force aimed at elevating network capabilities. This collaboration plans to harness Nokia’s advanced AirScale Radio Access Network portfolio, which includes innovative technologies like Habrok Massive

Mastering Email Deliverability: Yahoo’s New Rules Explained

In today’s digital communication landscape, ensuring emails reach the intended recipients’ inboxes rather than being diverted to spam folders has become a critical challenge for marketers. Recently, Yahoo has implemented significant changes to its email deliverability protocols for bulk senders, aligning closely with the standards enforced by tech giants like Google and Microsoft. This shift involves heightened requirements around email