Russian hackers have launched cyber attacks against Ukrainian government bodies

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a recent series of cyberattacks on various government entities in the country. The phishing campaign has been attributed to APT28, also known as Fancy Bear, which is a known associate of the Russian military intelligence agency, GRU.

The attackers are using fake Microsoft Outlook email accounts, created with the employees’ real names and initials, to impersonate system administrators of the targeted government entities. The email messages come with the subject line “Windows Update” and pretend to contain instructions in the Ukrainian language for running a PowerShell command under the pretext of security updates.

Once the script is activated, it loads and executes a new PowerShell script. The second script is designed to collect basic system information and exfiltrate the details via an HTTP request to a Mocky API. This systematic and sophisticated approach to cyber attacks is causing great concern among Ukrainian officials.

Previous ties to APT28

Three weeks before the CERT-UA warning, APT28 was linked to a series of attacks that exploited now-patched security flaws in networking equipment to carry out reconnaissance and deploy malware against specific targets. It comes as no surprise that they are now linked to this new highly targeted phishing campaign.

Exploiting the flaw in Microsoft Outlook

The Russian-based hacking crew has also been linked to the exploitation of a critical privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) in intrusions directed against the Ukrainian government, transportation, energy, and military sectors, among others, in Europe. The vulnerability allows an attacker to gain administrative privileges on the target’s system, giving them free rein to move laterally across the network.

Uncovering Multi-Stage Phishing Attack

Fortinet FortiGuard Labs has discovered a multi-stage phishing attack that uses a macro-laced Word document, seemingly from Ukraine’s Energoatom, to trick victims and then deliver the open-source Havoc post-exploitation framework. The framework is created to run arbitrary code and payloads, perform system commands, and upload or download files.

Established Relationship Between Russian Cybercriminal Threat Actors and Cybercriminal Organizations

There are growing concerns that Russian cybercriminal threat actors are now maintaining an established and systematic relationship with cybercriminal organizations, either through indirect collaboration or recruitment. It is unclear if there is any direct link between these groups, but the fact that they continue to operate with such impunity and success is worrying.

Safeguarding against cyber attacks

To safeguard against such highly sophisticated attacks, CERT-UA is recommending that organizations restrict users’ ability to run PowerShell scripts and monitor network connections to the Mocky API. It is also recommending that organizations be cautious when receiving emails from unknown senders and avoid clicking on links or downloading attachments unless they are sure the email is from a trusted source.

With the current cyber threat landscape and the increasing sophistication of cyber-attacks, organizations around the world need to be aware of the risks and threat actors out there. The latest campaign by APT28 targeting Ukrainian government entities highlights the need for heightened cybersecurity measures, and organizations need to take note of these recommendations to secure their operations against such malicious attacks.

Explore more

Can the Extremely Lean Chain Scale Ethereum to Millions?

As the global demand for decentralized settlement layers continues to surge, the architectural limitations of traditional blockchain storage models have forced a radical reimagining of how network participants verify data. In 2026, the Ethereum ecosystem is shifting toward a more sustainable path through the “Lean Ethereum” roadmap, a series of strategic updates designed to simplify the protocol while massively increasing

Why Third-Party Launchers Outshine the Windows 11 Start Menu

The traditional desktop paradigm is currently facing a silent revolution as users realize that the standard Start menu no longer serves as a bridge to productivity but rather as a billboard for integrated services. This shift in sentiment is not merely a matter of aesthetic preference but a direct response to the increasing friction between human intent and machine execution

Investors Look Beyond UiPath for Agentic Automation Growth

The global investment community has begun to move past the initial phase of artificial intelligence speculation to focus on the tangible returns generated by autonomous digital agents. While enterprise giants have long dominated the conversation regarding robotic process automation, the current market climate favors specialized firms capable of delivering agentic systems that require minimal human oversight. This shift is driven

How Will Qatar’s 2026 Labor Law Reshape the Workforce?

The enactment of Law No. (9) of 2026 represents a decisive pivot in Qatar’s economic strategy, fundamentally altering how the nation manages its most valuable asset: its human capital. By replacing the foundational labor framework that had been in place since 2004, the government has signaled its intent to cultivate a more versatile, competitive, and transparent market. This comprehensive overhaul

Why Is the UK Public Sector So Vulnerable to FortiBleed?

The digital infrastructure of the United Kingdom is currently enduring a sophisticated and relentless siege that has exposed deep-seated structural weaknesses within its most critical public institutions. This campaign, colloquially known as FortiBleed, has systematically targeted high-profile entities such as the National Health Service and the Foreign Office by exploiting mundane security oversights rather than relying on groundbreaking zero-day vulnerabilities.