Ukraine Confronts New Cyberattack Vector from Russian GRU-Linked Hackers
Ukraine is facing a new cyberattack threat from Russian military intelligence (GRU) linked hackers targeting local governments. The Computer Emergency Response Team of Ukraine (CERT-UA) uncovered an advanced phishing campaign by the Russian GRU-linked APT28, also known as “Fancy Bear.” This campaign utilizes a unique approach where attackers trick recipients into executing malicious PowerShell commands directly from their clipboard, a method that requires minimal interaction.
The emails flagged by CERT-UA were found circulating within local government offices under the guise of “Table Replacement.” Instead of traditional attachments, these emails contain a link that mimics a Google spreadsheet. Upon clicking the link, users are presented with a fake Google reCAPTCHA screen, which copies a malicious PowerShell command to the user’s clipboard without their knowledge.
Subsequently, users are instructed to execute the command by pressing specific keys, leading to the launch of a payload that compromises the system. This tactic demonstrates how APT28 leverages routine tasks and user trust to conceal their malicious intentions.
The CERT-UA analysis revealed that the malicious PowerShell command initiates a sequence that downloads and executes a malicious HTML application called “browser.hta.” This application then runs a PowerShell script designed to steal data from popular browsers and uses an SSH tunnel for data exfiltration to the attackers.
This recent attack is not the first time Ukrainian entities have been targeted by APT28. In a previous incident, the group exploited a Roundcube email vulnerability to redirect email data, compromising government email accounts and transmitting further exploits to Ukrainian defense contacts.
With APT28’s evolving tactics and infrastructure, CERT-UA has advised government agencies to remain vigilant against targeted spear-phishing campaigns that exploit user trust and routine tasks. The indicators of compromise shared by CERT-UA provide valuable insights for organizations to enhance their cybersecurity defenses against such sophisticated threats.