In a concerning development, Russian cybercriminals have been discovered employing a deceptive strategy to target Ukrainian government employees with information-stealing malware. Researchers from Ukraine’s Computer Emergency Response Team (CERT-UA) recently uncovered a hacking campaign perpetrated by Russian state-sponsored hackers, specifically the notorious APT28 threat actor, also known as Fancy Bear.
The modus operandi of the attackers involved sending emails to government employees, masquerading as legitimate messages from their own IT department. The emails urged recipients to immediately update their Windows devices, citing the need to prevent potential cyberattacks. To enhance their credibility, the hackers took extra measures, utilizing @outlook.com email addresses that corresponded to actual individuals working within the targeted organizations.
Upon falling for the ruse, victims were instructed to execute a PowerShell command, purportedly to update the device. Instead of applying any update, the command downloaded an information-stealing malware. The malware ran the built-in “tasklist” and “systeminfo” commands to collect details about the host and its running processes, then sent that data to a Mocky service API via an HTTP request.
To combat this evolving threat, CERT-UA recommends that IT departments within government institutions limit the ability to run PowerShell commands on critical devices and remain vigilant in monitoring network traffic for any suspicious activity, especially connections to the Mocky service API.
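The detection side of that recommendation can be expressed as a small correlation rule: flag a PowerShell process that spawns tasklist or systeminfo and then opens a connection to the Mocky API. The following is an added example written for this article, not code from CERT-UA; the Sysmon-style events are constructed, and the Mocky host suffix is an assumption, since the report names only "the Mocky service API".

```python
import json
from collections import defaultdict
from ntpath import basename

# The report names only "the Mocky service API"; the host suffix below is an
# assumption for illustration, adjust to the indicator your CERT publishes.
MOCKY_HOST_SUFFIX = "mocky.io"
RECON_TOOLS = {"tasklist.exe", "systeminfo.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Constructed Sysmon-style events (id 1 = process create, id 3 = network
# connect), simplified to JSON lines; not taken from the original report.
SAMPLE_LOG = r"""
{"id": 1, "pid": 5200, "ppid": 4100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\explorer.exe"}
{"id": 1, "pid": 5210, "ppid": 5200, "image": "C:\\Windows\\System32\\tasklist.exe", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"id": 1, "pid": 5220, "ppid": 5200, "image": "C:\\Windows\\System32\\systeminfo.exe", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"id": 3, "pid": 5200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest_host": "run.mocky.io", "dest_port": 443}
{"id": 1, "pid": 6000, "ppid": 4100, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "parent": "C:\\Windows\\explorer.exe"}
{"id": 3, "pid": 6000, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest_host": "www.example.com", "dest_port": 443}
"""


def detect(log_text: str) -> list[dict]:
    """Correlate PowerShell-spawned recon tools with outbound Mocky connections."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    recon_by_shell = defaultdict(set)  # shell pid -> recon tools it launched
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            # Step 1 of the chain: a PowerShell process launches tasklist/systeminfo.
            parent, image = basename(ev["parent"]).lower(), basename(ev["image"]).lower()
            if parent in SHELLS and image in RECON_TOOLS:
                recon_by_shell[ev["ppid"]].add(image)
        elif ev["id"] == 3 and ev["dest_host"].lower().endswith(MOCKY_HOST_SUFFIX):
            # Step 2: any connection to the Mocky API is worth a look (CERT-UA's
            # advice); it becomes high severity when the same process did the recon.
            tools = recon_by_shell.get(ev["pid"], set())
            alerts.append({
                "severity": "high" if tools else "medium",
                "pid": ev["pid"],
                "image": basename(ev["image"]),
                "dest": f'{ev["dest_host"]}:{ev["dest_port"]}',
                "recon_tools": sorted(tools),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the browser connection to an unrelated host produces nothing, while the PowerShell process that ran both recon tools and then reached the Mocky host yields a single high-severity alert.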
These cyberattacks are part of the ongoing Russo-Ukrainian conflict, which is being waged both physically and in cyberspace. Russian hackers have been fervently attempting to infect government endpoints with malware and disrupt key government and media websites. According to Google’s Threat Analysis Group (TAG), a staggering 60% of phishing emails targeting Ukrainian entities in the first quarter of this year originated from Russian threat actors. TAG further implicates APT28 as one of the primary perpetrators behind this alarming campaign.
The discovery of this sophisticated malware campaign highlights the urgent need for increased cybersecurity measures and heightened awareness among government employees. By staying vigilant and implementing stringent safeguards, Ukrainian institutions can effectively mitigate the risks posed by these Russian hackers, ultimately safeguarding sensitive information and preserving national security.