Kev

Microsoft Uncovers New Details of Russian Hacking Campaign Targeting Ukraine



Microsoft on Friday shared more of the tactics, techniques, and procedures (TTPs) adopted by the Russia-based Gamaredon hacking group to facilitate a barrage of cyber espionage attacks aimed at several entities in Ukraine over the past six months.

 

The attacks are said to have singled out government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit organizations with the main goal of exfiltrating sensitive information, maintaining access, and leveraging it to move laterally into related organizations.

 

The Windows maker's Threat Intelligence Center (MSTIC) is tracking the cluster under the moniker ACTINIUM (previously as DEV-0157), sticking to its tradition of identifying nation-state activities by chemical element names.

 

The Ukrainian government, in November 2021, publicly attributed Gamaredon to the Russian Federal Security Service (FSB) and connected its operations to the FSB Office of Russia in the Republic of Crimea and the city of Sevastopol.

 


"Since October 2021, ACTINIUM has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis," MSTIC researchers said.


It's worth pointing out that the Gamaredon threat group represents a distinct set of attacks, separate from last month's cyber offensives that knocked out multiple Ukraine government agencies and corporate entities with destructive data-wiping malware disguised as ransomware.

 

The attacks primarily leverage spear-phishing emails as an initial access vector, with the messages carrying malware-laced macro attachments that employ remote templates containing malicious code when the recipients open the rigged documents.
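A defensive check for the remote-template lure described above, added here as an example and not part of the original article or Microsoft's report: it opens a .docx, looks in word/_rels/settings.xml.rels for an attachedTemplate relationship with an external http(s) target, and returns the URLs that Word would fetch. The sample documents and the template-host.invalid host name are constructed.

```python
import io
import zipfile
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def remote_templates(docx_bytes: bytes) -> list:
    """Return the http(s) template URLs a .docx would fetch when opened.

    A remote-template lure binds word/settings.xml to a template via a relationship
    in word/_rels/settings.xml.rels marked TargetMode="External"; the macro lives in
    the fetched template, not the attachment. Local file:// templates are ignored.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            target = rel.get("Target", "")
            is_template = rel.get("Type") == OFFICE_REL + "attachedTemplate"
            if is_template and rel.get("TargetMode") == "External":
                if urlsplit(target).scheme in ("http", "https"):
                    hits.append(target)
    return hits

def build_docx(rels_xml: str) -> bytes:
    """Build a minimal constructed .docx containing only the parts the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()

def rels(target: str, mode: str = "External") -> str:
    """Constructed settings.xml.rels holding one attachedTemplate relationship."""
    return (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{OFFICE_REL}attachedTemplate" Target="{target}" '
            f'TargetMode="{mode}"/></Relationships>')

# Constructed samples: a remote template (the phishing lure pattern) and a normal
# local Normal.dotm reference, which must not be flagged.
SUSPICIOUS = build_docx(rels("http://template-host.invalid/lure.dotm"))
BENIGN = build_docx(rels("file:///C:/Users/user/Templates/Normal.dotm"))
```

The same relationship file is worth checking in .dotm and .docm attachments too; a document whose only payload is the remote template will pass a static VBA scan of the attachment itself.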

 


In an interesting tactic, the operators also embed a tracking pixel-like "web bug" within the body of the phishing message to monitor if a message has been opened, following which, the infection chain triggers a multi-stage process that culminates in the deployment of several binaries, including —

 

  • PowerPunch – A PowerShell-based dropper and downloader used to retrieve the next-stage executables remotely
  • Pterodo – A constantly evolving feature-rich backdoor that also sports a range of capabilities intended to make analysis more difficult, and
  • QuietSieve – A heavily-obfuscated .NET binary specifically geared towards data exfiltration and reconnaissance on the target host

 


"While the QuietSieve malware family is primarily geared towards the exfiltration of data from the compromised host, it can also receive and execute a remote payload from the operator," the researchers explained, while also calling out its ability to take screenshots of the compromised host about every five minutes.

 

This is far from the only intrusion staged by the threat actor, which also struck an unnamed Western government organization in Ukraine last month via a malware-laced resume for an active job listing with the entity posted on a local job portal. It also targeted the country's State Migration Service (SMS) in December 2021.

 

The findings also arrive as Cisco Talos, in its continuing analysis of the January incidents, disclosed details of an ongoing disinformation campaign, dating back at least nine months, that attempts to attribute the defacement and wiper attacks to Ukrainian groups.

 

Via thehackernews.com
