Hackers Attack Ukrainian Government With Phony "Windows Update" Guides

Hackers Attack Ukrainian Government With Phony “Windows Update” Guides

According to the Computer Emergency Response Team of Ukraine (CERT-UA), fraudulent emails purporting to give instructions on how to upgrade Windows as a protection against cyberattacks are being sent to various government organizations in the nation by Russian hackers. CERT-UA thinks that to more easily fool their targets, the Russian state-sponsored hacking outfit APT28 (also known as Fancy Bear) sent these emails and pretended to be the system administrators of the targeted governmental organizations.

In order to do this, the attackers used genuine employee identities that they had obtained through unidentified ways during the attack’s planning phases to construct @outlook.com email accounts. The malicious emails direct the recipients to execute a PowerShell operation in place of actual instructions on updating Windows computers. This program simulates a Windows update procedure by downloading a PowerShell script to the PC while simultaneously downloading a second PowerShell payload in the background.

The second-stage payload is a straightforward information-gathering tool that makes use of the “tasklist” and “systeminfo” commands to collect information and transmit it to a Mocky service API via an HTTP request. Mocky is a special program that enables users to create unique HTTP replies; nevertheless, in this instance, APT28 exploited it to exfiltrate data. System administrators should prevent important machines from starting PowerShell and keep an eye on network traffic for calls to the Mocky service API, advises CERT-UA.

According to a recent analysis by Google’s Threat Analysis Group, APT28 was a significant contributor to the phishing attacks against Ukraine in the first quarter of 2023, accounting for around 60% of all emails that contained malicious attachments. APT28 was actively using a zero-day vulnerability affecting Cisco’s routers to spread the malware known as “Jaguar Tooth” to gather intelligence from US and EU-based targets, US and UK intelligence services, and Cisco warned earlier this month.

Microsoft fixed the CVE-2023-23397 Outlook zero-day vulnerability that APT28 has been using since April 2022 to infiltrate the networks of European governmental, military, energy, and transportation companies. The vulnerability was patched by Microsoft in March 2023. It’s interesting to note that in assaults against Russian government organizations last year, Chinese hackers similarly lured victims using Windows upgrades before dropping malicious executables.

About the author

Yehudah Sunshine

Yehudah Sunshine

Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create and or opportunities enhance marketing strategies and elevate cyber driven thought leadership for cyfluencer (www.cyfluencer .com), the cybersecurity thought leadership platform. Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy.