APT28 Targets Ukrainian Government Entities with Fake "Windows Update" Emails

Cyber Security Threat Summary:
“The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country. The agency attributed the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy. The email messages come with the subject line "Windows Update" and purportedly contain instructions in the Ukrainian language to run a PowerShell command under the pretext of security updates” (The Hacker News, 2023).

The command is designed to run a next-stage PowerShell script, which in turn collects basic system information via commands such as tasklist and systeminfo. This data is then exfiltrated using an HTTP request to a Mocky API. Researchers observed the emails impersonating system administrators of the targeted government entities, using bogus Microsoft Outlook email accounts created with employees' real names and initials. Although it is unclear how these details were obtained, the use of real employee names and initials has made the emails more convincing, making it easier for the actors to trick targeted recipients into running the PowerShell command.

Security Officer Comments:
According to a new report from Google's Threat Analysis Group, approximately 60% of all phishing attacks targeting Ukraine between January and March 2023 originated from Russia, and the majority of these attacks were attributed to APT28. Given APT28's association with Russian military intelligence (GRU), the motive behind these attacks is likely to collect intelligence and leak sensitive data, further causing operational disruptions to Ukraine in the ongoing war.

Suggested Corrections:
CERT-UA is recommending that organizations restrict users' ability to run PowerShell scripts and monitor network connections to the Mocky API.
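As an added example (not code from CERT-UA or The Hacker News), the following Python triage script applies these two recommendations to constructed Sysmon-style JSON events: it flags tasklist/systeminfo launched from PowerShell (the recon stage described above) and any network connection to Mocky API hosts, and rates a host that shows both stages as high. It assumes the service's domain is mocky.io, which the advisory does not name.

```python
import json

# Hostnames served by the Mocky mock-API service. Assumption: the service's
# domain is mocky.io; the advisory itself only says "Mocky API".
MOCKY_SUFFIX = "mocky.io"
RECON_TOOLS = {"tasklist.exe", "systeminfo.exe"}
BOTH_STAGES = {"recon_from_powershell", "mocky_api_connection"}


def _basename(path):
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Label one Sysmon-style event (dict) or return None if benign."""
    if event["type"] == "process_create":
        # Stage 1: the next-stage script runs tasklist/systeminfo from PowerShell
        if (_basename(event.get("parent_image", "")) == "powershell.exe"
                and _basename(event.get("image", "")) in RECON_TOOLS):
            return "recon_from_powershell"
    elif event["type"] == "network_connect":
        # Stage 2: collected data is sent over HTTP to the Mocky API
        host = event.get("dest_hostname", "").lower()
        if host == MOCKY_SUFFIX or host.endswith("." + MOCKY_SUFFIX):
            return "mocky_api_connection"
    return None


def triage(log_lines):
    """Collect labels per host; a host showing both stages is rated 'high'."""
    per_host = {}
    for line in log_lines:
        event = json.loads(line)
        label = classify(event)
        if label:
            per_host.setdefault(event["host"], set()).add(label)
    return {h: ("high" if labels >= BOTH_STAGES else "medium")
            for h, labels in per_host.items()}


# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_LOG = [
    '{"host":"WS-01","type":"process_create","parent_image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","image":"C:\\\\Windows\\\\System32\\\\tasklist.exe"}',
    '{"host":"WS-01","type":"process_create","parent_image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","image":"C:\\\\Windows\\\\System32\\\\systeminfo.exe"}',
    '{"host":"WS-01","type":"network_connect","image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","dest_hostname":"run.mocky.io"}',
    '{"host":"WS-02","type":"process_create","parent_image":"C:\\\\Windows\\\\explorer.exe","image":"C:\\\\Windows\\\\System32\\\\systeminfo.exe"}',
    '{"host":"WS-03","type":"network_connect","image":"C:\\\\Program Files\\\\Browser\\\\browser.exe","dest_hostname":"run.mocky.io"}',
]
```

Running `triage(SAMPLE_LOG)` rates WS-01 high (both stages) and WS-03 medium (Mocky connection only); WS-02's systeminfo launched from Explorer is not flagged.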

Link:
https://thehackernews.com/2023/05/apt28-targets-ukrainian-government.html