CERT-UA warns of phishing campaign targeting Ukrainian organisations with fake Windows update

The Computer Emergency Response Team of Ukraine has discovered a spear phishing campaign targeting organisations within the country via fake emails offering instructions to update Windows.

David Hollingworth
Mon, 01 May 2023

The Computer Emergency Response Team of Ukraine (CERT-UA) announced the discovery on 28 April, claiming that the GRU-linked group APT28 (also known as Fancy Bear, Pawn Storm, and the Sofacy Group, among others) was behind the attacks.

The emails come from outlook.com addresses with the names and details of real system administrators within the target organisations, gleaned by the threat actor from a previous scouting phase of the campaign. Inside the email, the instructions are written in Ukrainian and have detailed steps for victims to take to “protect against hacker attacks,” according to CERT-UA’s report.

The instructions direct victims to launch a command line and run a PowerShell command, which in turn downloads a script that looks like it is updating Windows, but which also downloads another PowerShell script that can collect information from the now-infected system. This second phase uses the commands “tasklist” and “systeminfo” to gather data, which is then sent back to the threat actor via an “HTTP request to the Mocky service API”.
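For defenders, the behaviour described above (PowerShell running both "tasklist" and "systeminfo", then making an HTTP request to the Mocky service) can be hunted for in endpoint telemetry. The following is an added example, not code from CERT-UA or the article; the event fields, the sample events and the hostname `mocky.example` are constructed placeholders, and it assumes the request comes from the same PowerShell process that launched the two tools.

```python
from datetime import datetime, timedelta

# Placeholder hostname: substitute the real Mocky API host from your own intel.
EXFIL_HOSTS = {"mocky.example"}
RECON_TOOLS = {"tasklist.exe", "systeminfo.exe"}
WINDOW = timedelta(minutes=5)

# Constructed sample telemetry (not taken from the CERT-UA report).
EVENTS = [
    {"t": "2023-04-28T09:00:00", "host": "ws1", "type": "proc", "pid": 100, "ppid": 50, "image": "powershell.exe"},
    {"t": "2023-04-28T09:00:05", "host": "ws1", "type": "proc", "pid": 101, "ppid": 100, "image": "tasklist.exe"},
    {"t": "2023-04-28T09:00:06", "host": "ws1", "type": "proc", "pid": 102, "ppid": 100, "image": "systeminfo.exe"},
    {"t": "2023-04-28T09:00:20", "host": "ws1", "type": "net", "pid": 100, "dest": "mocky.example"},
    # Admin shell that runs only one of the two tools: should not alert.
    {"t": "2023-04-28T10:00:00", "host": "ws2", "type": "proc", "pid": 200, "ppid": 60, "image": "powershell.exe"},
    {"t": "2023-04-28T10:00:10", "host": "ws2", "type": "proc", "pid": 201, "ppid": 200, "image": "systeminfo.exe"},
    {"t": "2023-04-28T10:00:30", "host": "ws2", "type": "net", "pid": 200, "dest": "mocky.example"},
    # Both tools, but launched from cmd.exe rather than PowerShell: should not alert.
    {"t": "2023-04-28T11:00:00", "host": "ws3", "type": "proc", "pid": 300, "ppid": 70, "image": "cmd.exe"},
    {"t": "2023-04-28T11:00:05", "host": "ws3", "type": "proc", "pid": 301, "ppid": 300, "image": "tasklist.exe"},
    {"t": "2023-04-28T11:00:06", "host": "ws3", "type": "proc", "pid": 302, "ppid": 300, "image": "systeminfo.exe"},
]

def find_recon_exfil(events, exfil_hosts=EXFIL_HOSTS, window=WINDOW):
    """Return sorted (host, pid) of PowerShell processes that spawned every
    tool in RECON_TOOLS and then contacted an exfil host within `window`."""
    shells, recon, hits = set(), {}, set()
    for e in sorted(events, key=lambda e: e["t"]):
        ts = datetime.fromisoformat(e["t"])
        if e["type"] == "proc":
            image = e["image"].lower()
            if image in ("powershell.exe", "pwsh.exe"):
                shells.add((e["host"], e["pid"]))
            parent = (e["host"], e["ppid"])
            if image in RECON_TOOLS and parent in shells:
                recon.setdefault(parent, {})[image] = ts  # last time each tool ran
        elif e["type"] == "net":
            key = (e["host"], e["pid"])
            seen = recon.get(key, {})
            if e["dest"].lower() in exfil_hosts and set(seen) == RECON_TOOLS:
                # Request must follow the later of the two tools, inside the window.
                if timedelta(0) <= ts - max(seen.values()) <= window:
                    hits.add(key)
    return sorted(hits)

if __name__ == "__main__":
    print(find_recon_exfil(EVENTS))
```

Requiring all three signals together keeps routine administrator use of either tool from raising an alert.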

APT28 goes by a total of 12 additional names depending on who is doing the reporting and attribution. Two of the group’s names, Sednit and Sofacy, are in fact the names of the malware the group has been known to use.

To say that the reporting of hacking groups like this can be a little uncertain is an understatement.

What is clear, however, is that APT28 is indeed an advanced persistent threat. It is thought to be behind the campaign that compromised Hillary Clinton’s 2016 election campaign, by leaking data from the Democratic National Committee and the Democratic Congressional Campaign Committee — a clear case of electoral interference.

It has also targeted various anti-doping agencies, as well as the Organisation for the Prohibition of Chemical Weapons.
