Russia-Linked APT28 Hacking Group Targets Ukrainian Government Bodies
The Russian-linked hacking group APT28 has once again targeted government bodies, this time in Ukraine, with a spear-phishing campaign disguised as “Windows Update” guides. The technique, a form of social engineering, aims to trick recipients into executing a PowerShell command by making them believe the email is legitimate. APT28, also known as Fancy Bear, is a well-known Russian Advanced Persistent Threat (APT) that has been active since 2007. It is believed to operate out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU).
APT28’s Tactics
APT28 has a history of targeting security organizations, militaries, and even the 2016 US presidential election. Its recent attack on Ukraine involved malicious emails, sent using Microsoft Outlook, that appeared to come from system administrators of government bodies and carried the subject line “Windows Update.” The email instructed the recipient to open a command line and execute a PowerShell command, which downloaded a PowerShell script that collected information about the computer and sent it to the Mocky service API using HTTP requests.
Emerging Tactics
APT28 is known for its sophisticated tactics, and this campaign is another example of the group's evolving methods for infiltrating systems. According to the Ukrainian Computer Emergency Response Team (CERT-UA), APT28 used the Mocky service API as part of its post-compromise toolset. This use of the Mocky service API is a notable twist on the group's social-engineering campaign that organizations must be aware of: because it relies on a legitimate service, security systems find it harder to distinguish the malicious traffic from normal activity.
Recommendations
To prevent further incidents of this kind, CERT-UA recommends that organizations restrict PowerShell usage and monitor network connections to the Mocky service API. These measures alone may not be enough, however, and organizations must also ensure that their employees receive regular training on cyber threats and social-engineering techniques.
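As an added example of the monitoring CERT-UA recommends (my code, not CERT-UA's or the article's): a small Python triage over constructed EDR-style events that flags PowerShell launched from a command line with a download command, flags any process connecting to the Mocky service, and reports hosts where both signals occur. The mocky.io domain, the event format and all sample values are assumptions.

```python
import re

# Constructed EDR-style sample events (not real captures). Host ws01 models the chain the
# article describes: cmd.exe, then a PowerShell command that fetches a script, then an
# HTTPS connection from PowerShell to the Mocky service. Host ws02 is benign admin activity.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process", "host": "ws01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": 'powershell -c "Invoke-WebRequest https://example.invalid/update.ps1 -OutFile update.ps1"'},
    {"type": "network", "host": "ws01", "image": "powershell.exe", "dest_host": "run.mocky.io", "dest_port": 443},
    {"type": "process", "host": "ws02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
    {"type": "network", "host": "ws02", "image": "powershell.exe", "dest_host": "updates.corp.invalid", "dest_port": 443},
]

# Assumption: the Mocky service is served under mocky.io; the article names only "the Mocky service API".
MOCKY_DOMAINS = ("mocky.io",)
# PowerShell primitives that fetch remote content; the campaign's first stage is a downloaded script.
DOWNLOAD_CRADLE = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I)


def is_mocky_destination(dest_host: str) -> bool:
    """True if dest_host is a Mocky domain or one of its subdomains (suffix match on a label boundary)."""
    h = dest_host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in MOCKY_DOMAINS)


def is_download_cradle(event: dict) -> bool:
    """PowerShell started from cmd.exe with a command line that pulls content from the network."""
    return (event["type"] == "process"
            and event["image"].lower() == "powershell.exe"
            and event.get("parent", "").lower() == "cmd.exe"
            and DOWNLOAD_CRADLE.search(event.get("cmdline", "")) is not None)


def analyse(events: list) -> list:
    """Return one (host, signal, detail) tuple per matching event."""
    findings = []
    for e in events:
        if is_download_cradle(e):
            findings.append((e["host"], "powershell_download_cradle", e["cmdline"]))
        elif e["type"] == "network" and is_mocky_destination(e["dest_host"]):
            findings.append((e["host"], "mocky_api_connection", f'{e["image"]} -> {e["dest_host"]}'))
    return findings


def hosts_with_full_chain(findings: list) -> list:
    """Hosts showing both signals; either alone may be benign, together they match this campaign."""
    seen = {}
    for host, signal, _ in findings:
        seen.setdefault(host, set()).add(signal)
    return sorted(h for h, s in seen.items() if {"powershell_download_cradle", "mocky_api_connection"} <= s)
```

Running `analyse(SAMPLE_EVENTS)` yields two findings, both on ws01, and `hosts_with_full_chain` reports only that host; the benign PowerShell on ws02 produces nothing.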
Joint Advisory
The National Cyber Security Centre (NCSC), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released an advisory on APT28's attacks. The advisory describes the tactics, techniques, and procedures (TTPs) used by the group and serves as a reminder to all organizations to review their cybersecurity protocols regularly.
In conclusion, the recent attack on Ukrainian government bodies by APT28 is another reminder of the evolving nature of cyber threats and the importance of being prepared to tackle them. Organizations must keep themselves informed of emerging tactics used by threat actors and ensure that their security protocols are updated accordingly to prevent any potential breaches.