View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Russian hackers APT28 using fake Windows update emails to target Ukrainian government

Fake email addresses purporting to belong to Ukrainian government officials are being used to spread malware.

By Claudia Glover

Russian state-sponsored cybercriminal gang APT28, also known as Fancy Bear, has been targeting Ukrainian government organisations with malware hidden in fake Windows update emails. The phishing links are sent from Outlook email addresses that appear to be from employees of government organisations in Ukraine.

A government building in Kyiv, one of the institutions reportedly weathering cyberattacks from Russian state-sponsored gang APT28. (Photo by Andreas Wolochow/Shutterstock)

The Computer Emergency Response Team of Ukraine (CERT-UA) has released a warning concerning the attacks, explaining that they were carried out throughout April.

APT28 found attacking Ukrainian government

The emails would contain the subject line “Windows Update”, from email addresses created on the Outlook webmail service, but using real employee surnames and initials.

A sample letter described by CERT-UA contains instructions in Ukrainian for “updates to protect against hacker attacks,” as well as images of the process of launching a command line and executing a shell command. 

“The mentioned command will download a PowerShell script that, simulating the process of updating the operating system, will download and execute a PowerShell script designed to collect basic information about the computer using the ‘tasklist’, ‘systeminfo’ commands,” the warning says.

CERT-UA recommends that any company feeling at risk from these attacks should restrict the ability of users to launch PowerShell/

APT28 is a well-established cybercriminal gang

The Russian cybercriminal gang APT28, otherwise called Fancy Bear, Pawn Storm, the Sednit Gang and Sofacy, has been tracked widely by security companies since 2014.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

In recent months it has been aggressively targeting Ukraine, as well as organisations in the US and Europe via the exploitation of a vulnerability in Cisco routers.

A joint advisory by the UK National Cybersecurity Centre, the National Security Agency, the Cybersecurity and Infrastructure Agency and the Federal Bureau of Investigation announced last month that “APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742″.

The cybersecurity agencies added that they believe that APT28 is almost certainly part of the Russian security force, the GRU.

These are typical in the cyberattacks weathered by Ukraine during the war, explained Illia Vitiuk, the head of the Department of Cyber Information Security in the Security Service of Ukraine. during an interview last month with CyberScoop.

“More than 90% of all cyberattacks targeting Ukraine are either conducted by special services or by state-sponsored groups,” said Vitiuk. He went on to suggest that pro-Russian hacktivists were not as big a phenomenon as the cyber community has so far been led to believe.

“I believe that there is no so-called ‘hacktivism’ in Russia at all,” Vitiuk added.

Read more: Russian hackers are bypassing OpenAI’s ChatGPT restrictions

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.