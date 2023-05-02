The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks by Russian state hackers targeting various government entities in the country.

APT28 and the attack on Ukraine

The agency has attributed the phishing campaign to the hacker group APT28, also known as Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit and Sofacy.

It should be noted that not long ago APT28 (or whoever is acting on its behalf) reportedly tried to get counterfeit Windows installations running in Ukrainian government offices.

Windows is again the hook: the APT28 group sent emails with the subject line “Windows Update” containing instructions in Ukrainian to run a PowerShell command, under the pretext of installing security updates.

Running that command downloads and executes a second-stage PowerShell script that gathers basic system information with commands such as tasklist and systeminfo, and then sends the output via an HTTP request to a Mocky API endpoint. Mocky is a free public service for hosting mock HTTP responses, which gives the attacker a throwaway, legitimate-looking URL instead of dedicated infrastructure.

To trick targets into executing the command, the emails impersonate system administrators of the targeted government entities, using fake Microsoft Outlook accounts created with the real names and initials of employees.

CERT-UA recommends that organizations restrict users’ ability to run PowerShell scripts and monitor network connections to the Mocky API.
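The logging and hunting step a defender would pair with that recommendation, as an added example that is not part of the CERT-UA advisory or of this article: it enables PowerShell script block logging and then searches the resulting Event ID 4104 records for script blocks that combine the host-recon commands named above (tasklist, systeminfo) with an outbound web call or a reference to mocky.io. The indicator strings, the function name and the seven-day lookback window are assumptions for illustration, not published IOCs.

```powershell
# Added example, not from the CERT-UA advisory. Run in an elevated PowerShell.
# Indicator strings are assumptions based on the article's description of the
# second stage (tasklist + systeminfo, output sent over HTTP to a Mocky API).

# --- 1. Turn on script block logging ---------------------------------------
# A command pasted into a console and a script pulled down and run in memory
# both leave no file on disk; Event ID 4104 in the PowerShell operational log
# records the text that was actually executed.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# --- 2. Hunt the recorded script blocks ------------------------------------
$reconPatterns = @('\btasklist\b', '\bsysteminfo\b')
$exfilPatterns = @(
    'mocky\.io',                                  # mock-API service named in the article
    'Invoke-WebRequest', 'Invoke-RestMethod',     # PowerShell HTTP clients
    '\biwr\b', '\birm\b', '\bcurl\b', '\bwget\b', # their aliases
    'Net\.WebClient', 'DownloadString', 'UploadString', 'HttpClient'
)

function Find-ReconExfilBlocks {
    param([int]$Days = 7)   # lookback window; assumption for illustration

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # 4104 properties: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
        # Long blocks are split across several events; each chunk is checked on its own here.
        $text  = [string]$e.Properties[2].Value
        $recon = @($reconPatterns | Where-Object { $text -match $_ })
        $exfil = @($exfilPatterns | Where-Object { $text -match $_ })
        if ($recon.Count -gt 0 -and $exfil.Count -gt 0) {
            $snippet = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time    = $e.TimeCreated
                UserSid = $e.UserId
                Path    = $e.Properties[4].Value   # empty when typed at a console or run via IEX
                Recon   = $recon -join ','
                Exfil   = $exfil -join ','
                Snippet = $snippet.Substring(0, [Math]::Min(160, $snippet.Length))
            }
        }
    }
}

Find-ReconExfilBlocks -Days 7 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

One caveat on the other half of the recommendation: Set-ExecutionPolicy is not a security boundary. It governs script files only, so it does nothing against a command a user pastes into a console, nor against a downloaded string executed in memory with Invoke-Expression. Actually restricting what PowerShell can run means AppLocker or WDAC script rules, which also put PowerShell into Constrained Language Mode; the network side of the advice is a proxy or DNS log filter on mocky.io.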

The disclosure comes weeks after APT28 was linked to attacks that exploited vulnerabilities in network devices (already patched by the time of the reports) to conduct reconnaissance and distribute malware against carefully selected targets.

Google's Threat Analysis Group (TAG), in a note published last month, described a credential-harvesting operation in which the threat actor redirected visitors of Ukrainian government websites to phishing domains.

APT28 has also been linked to the exploitation of a critical elevation-of-privilege vulnerability in Microsoft Outlook (CVE-2023-23397, CVSS score 9.8), a zero-click flaw that leaks the victim's Net-NTLMv2 hash to an attacker-controlled server, in intrusions against the government, transport, energy and military sectors in Europe.

In a further development, Fortinet FortiGuard Labs has discovered a multi-stage phishing attack that uses a macro-laden Word document purportedly from Ukraine's Energoatom as a decoy to deliver the open-source post-exploitation framework Havoc.

“Russian intelligence, military and police services are very likely to have a long-standing tacit understanding with cyber threat actors,” said cybersecurity firm Recorded Future in a report earlier this year.

“In some cases, these entities are almost certain to maintain an established and systematic relationship with cyber threat actors, either through indirect collaboration or through recruitment.”

This isn’t just about governments – it’s about you too

It is important to always pay close attention to suspicious emails and online communications, especially when they appear to involve government agencies or important organizations.

Furthermore, it is essential to adopt the security measures recommended by the competent authorities, such as limiting users' ability to execute PowerShell scripts and monitoring outbound network connections (in this case, those to the Mocky API).

Cybersecurity is a critical and increasingly relevant issue, and we all have to do our part to protect our data and our online activities. Unfortunately, anyone who works in the field, or is even a little “expert”, will have noticed how easily many people shrug and say “eh, I don't care”, even while relying heavily on their smartphone and the internet.

Unfortunately, those small everyday habits carry over into bigger settings, such as government offices.