Russian nation-state hackers APT28, also known as Fancy Bear, have targeted Ukrainian government bodies with a phishing campaign. The Computer Emergency Response Team of Ukraine (CERT-UA) said the messages claimed to contain instructions to run a PowerShell command under the guise of a Windows update.
Running the script launches a second PowerShell script that collects system information via commands such as tasklist and systeminfo and sends the details via HTTP to a Mocky API. The emails impersonated system administrators using fake Microsoft Outlook accounts.
CERT-UA has recommended that organizations restrict users’ ability to run PowerShell scripts and monitor connections to the Mocky API. The group’s announcement follows revelations of APT28 using now-patched security flaws in networking equipment to gather reconnaissance and deploy malware.
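One way to act on the monitoring recommendation is to correlate PowerShell-spawned tasklist/systeminfo runs with a PowerShell connection to Mocky from the same host shortly afterwards. The sketch below is an added example, not CERT-UA's code; the event schema, the sample events, the five-minute window and the `mocky.io` domain suffix are assumptions not stated in the article.

```python
from datetime import datetime, timedelta

# Assumption: Mocky endpoints live under this domain; the article names only "Mocky API".
MOCKY_SUFFIX = "mocky.io"
RECON_TOOLS = {"tasklist.exe", "systeminfo.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample events in a hypothetical schema, not real telemetry.
PROCESS_EVENTS = [
    {"ts": "2023-05-01T09:00:05", "host": "ws-01", "parent": "powershell.exe", "image": "tasklist.exe"},
    {"ts": "2023-05-01T09:00:07", "host": "ws-01", "parent": "powershell.exe", "image": "systeminfo.exe"},
    {"ts": "2023-05-01T09:10:00", "host": "ws-02", "parent": "cmd.exe", "image": "systeminfo.exe"},
    {"ts": "2023-05-01T09:20:00", "host": "ws-03", "parent": "powershell.exe", "image": "tasklist.exe"},
]
NETWORK_EVENTS = [
    {"ts": "2023-05-01T09:00:30", "host": "ws-01", "image": "powershell.exe", "dest": "run.mocky.io"},
    {"ts": "2023-05-01T09:11:00", "host": "ws-02", "image": "chrome.exe", "dest": "run.mocky.io"},
    {"ts": "2023-05-01T09:21:00", "host": "ws-03", "image": "powershell.exe", "dest": "notmocky.io.example.com"},
]

def is_mocky(dest):
    """Match the domain or any subdomain, but not look-alike hosts."""
    d = dest.lower().rstrip(".")
    return d == MOCKY_SUFFIX or d.endswith("." + MOCKY_SUFFIX)

def base(name):
    """Reduce a full image path to its lowercase file name."""
    return name.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(proc_events, net_events, window=WINDOW):
    # Index recon tool launches whose parent is PowerShell, per host.
    recon = {}
    for e in proc_events:
        if base(e["parent"]) in POWERSHELL and base(e["image"]) in RECON_TOOLS:
            recon.setdefault(e["host"], []).append((datetime.fromisoformat(e["ts"]), base(e["image"])))
    alerts = []
    for n in net_events:
        if base(n["image"]) not in POWERSHELL or not is_mocky(n["dest"]):
            continue
        t = datetime.fromisoformat(n["ts"])
        # Keep only recon launches that precede the connection within the window.
        tools = sorted({tool for ts, tool in recon.get(n["host"], []) if timedelta(0) <= t - ts <= window})
        if tools:
            alerts.append({"host": n["host"], "dest": n["dest"], "ts": n["ts"], "recon": tools})
    return alerts
```

On the constructed data only ws-01 alerts: ws-02 has a browser connection and a non-PowerShell parent, and ws-03 contacts a look-alike host.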
At the same time, the threat actor was linked to a credential harvesting operation that redirected visitors of Ukrainian government websites to phishing domains, while Russian-based hackers exploited a critical privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) in attacks on Europe’s government, transportation, energy and military sectors.
Cybersecurity firm Recorded Future said it was “almost certain” Russian intelligence, military and law enforcement services had an “established and systematic relationship” with cybercriminal threat actors via indirect collaboration or recruitment.
The development comes as Fortinet FortiGuard Labs revealed a multi-stage phishing attack leveraging a macro-laced Word document purporting to come from Ukraine’s Energoatom. The document is used to deliver the Havoc post-exploitation framework.