The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a recent series of cyberattacks on various government entities in the country. The phishing campaign has been attributed to APT28, also known as Fancy Bear, which is a known associate of the Russian military intelligence agency, GRU.
The attackers are using fake Microsoft Outlook email accounts, created with the employees’ real names and initials, to impersonate system administrators of the targeted government entities. The email messages come with the subject line “Windows Update” and pretend to contain instructions in the Ukrainian language for running a PowerShell command under the pretext of security updates.
Once the script is activated, it loads and executes a new PowerShell script. The second script is designed to collect basic system information and exfiltrate the details via an HTTP request to a Mocky API. This systematic and sophisticated approach to cyber attacks is causing great concern among Ukrainian officials.
Previous ties to APT28
Three weeks before the CERT-UA warning, APT28 was linked to a series of attacks that exploited now-patched security flaws in networking equipment to carry out reconnaissance and deploy malware against specific targets. It comes as no surprise that they are now linked to this new highly targeted phishing campaign.
Exploiting the flaw in Microsoft Outlook
The Russian-based hacking crew has also been linked to the exploitation of a critical privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) in intrusions directed against the Ukrainian government, transportation, energy, and military sectors, among others, in Europe. The vulnerability allows an attacker to gain administrative privileges on the target’s system, giving them free rein to move laterally across the network.
Uncovering Multi-Stage Phishing Attack
Fortinet FortiGuard Labs has discovered a multi-stage phishing attack that uses a macro-laced Word document, seemingly from Ukraine’s Energoatom, to trick victims and then deliver the open-source Havoc post-exploitation framework. The framework is created to run arbitrary code and payloads, perform system commands, and upload or download files.
Established Relationship Between Russian Cybercriminal Threat Actors and Cybercriminal Organizations
There are growing concerns that Russian cybercriminal threat actors are now maintaining an established and systematic relationship with cybercriminal organizations, either through indirect collaboration or recruitment. It is unclear if there is any direct link between these groups, but the fact that they continue to operate with such impunity and success is worrying.
Safeguarding against cyber attacks
To safeguard against such highly sophisticated attacks, CERT-UA is recommending that organizations restrict users’ ability to run PowerShell scripts and monitor network connections to the Mocky API. It is also recommending that organizations be cautious when receiving emails from unknown senders and avoid clicking on links or downloading attachments unless they are sure the email is from a trusted source.
With the current cyber threat landscape and the increasing sophistication of cyber-attacks, organizations around the world need to be aware of the risks and threat actors out there. The latest campaign by APT28 targeting Ukrainian government entities highlights the need for heightened cybersecurity measures, and organizations need to take note of these recommendations to secure their operations against such malicious attacks.
