Russian cybercriminals have been observed targeting Ukrainian government employees with information-stealing malware by posing as IT staff working in these institutions.
Cybersecurity researchers from the Computer Emergency Response Team of Ukraine (CERT-UA) spotted the hacking campaign in which Russian state-sponsored hackers from the APT28 threat actor (also known as Fancy Bear) were sending emails to Ukraine government employees.
These emails claimed to be from the government's IT department, and urged them to update their Windows devices immediately in order to prevent possible cyberattacks.
Posing as Ukrainians
The researchers could not say how the attackers obtained this information, but to improve their credibility, the hackers would create @outlook.com email addresses, using the names of real people working in these organizations.
If any victims took the bait, the attackers would advise them to run a PowerShell command which, instead of updating the device, downloaded an information-stealing malware.
This malware abuses the “tasklist” and “systeminfo” commands to harvest sensitive data and send them to a Mocky service API via an HTTP request.
To make sure no one falls for the trick, CERT-UA recommends actual IT departments restrict the ability to run PowerShell commands on critical devices and monitor network traffic for suspicious activity, especially if something’s connecting to the Mocky service API.
The Russo-Ukrainian war that’s been raging for more than a year now is being fought on two fronts - one physical, and one in cyberspace. Russian hackers have been hard at work, trying to infect government endpoints with malware, as well as trying to bring down key government and media websites.
In fact, almost two-thirds (60%) of all phishing emails that targeted Ukrainian targets in the first quarter of the year came from Russian threat actors, Google’s Threat Analysis Group (TAG) says. TAG also claims APT28 is one of the key players in this campaign.
- Here's our rundown of the best endpoint protection right now