APT28 Targets Ukrainian Government Entities with Fake “Windows Update” Emails
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country.
The agency attributed the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy.
The email messages come with the subject line “Windows Update” and purportedly contain instructions in the Ukrainian language to run a PowerShell command under the pretext of security updates.
Running the script loads and executes a next-stage PowerShell script that’s designed to collect basic system information through commands like tasklist and systeminfo, and exfiltrate the details via an HTTP request to a Mocky API.
To trick the targets into running the command, the emails impersonated system administrators of the targeted government entities using fake Microsoft Outlook email accounts created with the employees’ real names and initials.
CERT-UA is recommending that organizations restrict users’ ability to run PowerShell scripts and monitor network connections to the Mocky API.
The disclosure comes weeks after the APT28 was tied to attacks exploiting now-patched security flaws in networking equipment to conduct reconnaissance and deploy malware against select targets.
Google’s Threat Analysis Group (TAG), in an advisory published last month, detailed a credential harvesting operation carried out by the threat actor to redirect visitors of Ukrainian government websites to phishing domains.
Russian-based hacking crews have also been linked to the exploitation of a critical privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) in intrusions directed against the government, transportation, energy, and military sectors in Europe.
The development also comes as Fortinet FortiGuard Labs uncovered a multi-stage phishing attack that leverages a macro-laced Word document supposedly from Ukraine’s Energoatom as a lure to deliver the open source Havoc post-exploitation framework.
“It remains highly likely that Russian intelligence, military, and law enforcement services have a longstanding, tacit understanding with cybercriminal threat actors,” cybersecurity firm Recorded Future said in a report earlier this year.
“In some cases, it is almost certain that these agencies maintain an established and systematic relationship with cybercriminal threat actors, either by indirect collaboration or via recruitment.”