March 9th, 2022: MicroBackdoor Attacks Ukraine
Industry: Government | Level: Tactical | Source: Portswigger
Ukraine’s Computer Emergency Response Team (CERT-UA) warns that the MicroBackdoor malware is targeting Ukrainian government agencies. As reported by The Daily Swig, the malware is distributed in a phishing email containing a zip file whose accompanying files execute malicious VBScript. Intelligence from CERT-UA identified that the malware was created in January 2022.
March 16th, 2022: Ukraine Targeted with Fraudulent Translation Software
Industry: N/A | Level: Tactical | Source: SentinelOne
SentinelOne identified the threat actor group SaintBear (aka UAC-0056, UNC2589, TA471) distributing fraudulent translation software to users in Ukraine in order to infect them with the GrimPlant and GraphSteel malware. The fraudulent translation software is compiled in Python and has been identified in threat campaigns as early as February 2022. When dropped on the victim’s host, the malware downloads additional .exe payloads, runs reconnaissance commands, establishes persistence and collects credentials.
- Anvilogic Scenario: SaintBear – Fraudulent Software – Infection Flow
- Anvilogic Use Cases:
- Executable File Written to Disk
- Common Reconnaissance Commands
- Query Registry
- New AutoRun Registry Key
- Windows Credentials Editor
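As an added illustration of the detection use cases listed above (not code from Anvilogic or from the SaintBear report), the following Python correlates two behaviours the infection flow describes: a burst of reconnaissance commands and a new AutoRun registry key, both originating from the same dropped executable. The event records, hostnames and paths are constructed for the example and loosely follow Sysmon process-creation (EventID 1) and registry-set (EventID 13) fields.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry; field names and values are invented for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "image": r"C:\Windows\System32\whoami.exe", "cmd": "whoami /all",
     "parent": r"C:\Users\u\Downloads\translator.exe"},
    {"id": "1", "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig /all",
     "parent": r"C:\Users\u\Downloads\translator.exe"},
    {"id": "1", "image": r"C:\Windows\System32\net.exe", "cmd": 'net group "domain admins" /domain',
     "parent": r"C:\Users\u\Downloads\translator.exe"},
    {"id": "13", "image": r"C:\Users\u\Downloads\translator.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "details": r"C:\Users\u\AppData\Roaming\updater.exe"},
    {"id": "1", "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

# Built-in binaries commonly used for host and domain reconnaissance.
RECON_BINARIES = {"whoami.exe", "ipconfig.exe", "net.exe", "systeminfo.exe",
                  "nltest.exe", "tasklist.exe", "arp.exe"}
# Run / RunOnce keys under any hive are the classic AutoRun persistence location.
AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def recon_bursts(events: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """Count recon-binary launches per parent process; keep parents at or above threshold."""
    counts: Dict[str, int] = {}
    for e in events:
        if e.get("id") == "1" and basename(e["image"]) in RECON_BINARIES:
            counts[e["parent"]] = counts.get(e["parent"], 0) + 1
    return {p: n for p, n in counts.items() if n >= threshold}


def autorun_writes(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (writer image, key, value) for every registry-set event touching a Run key."""
    return [(e["image"], e["target"], e["details"])
            for e in events if e.get("id") == "13" and AUTORUN_RE.search(e["target"])]


def correlate(events: List[Dict[str, str]], threshold: int = 3) -> List[str]:
    """Processes that both burst recon commands and wrote an AutoRun key."""
    writers = {img for img, _, _ in autorun_writes(events)}
    return sorted(recon_bursts(events, threshold).keys() & writers)
```

Tune `threshold` and the time window to your environment; on its own a single `whoami` is noise, which is why the correlation keys on the common parent process.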
March 21st, 2022: Threat Group, InvisiMole Striking Ukraine
Industry: Government, Military | Level: Tactical | Source: ZDNet
Ukraine’s Computer Emergency Response Team (CERT-UA) warns of attacks by the hacking group InvisiMole, which is alleged to be associated with the APT group Gamaredon. The group is targeting “high-profile” organizations in military and diplomatic affairs. As reported by ZDNet, the threat group is running phishing campaigns to distribute the LoadEdge backdoor to Ukrainian organizations. The attack chain, as described by CERT-UA, involves “phishing emails being sent that have an attached archive, 501_25_103.zip, together with a shortcut (LNK) file. If opened, an HTML Application file (HTA) downloads and executes VBScript designed to deploy LoadEdge.” Follow-on activity involves DNS tunneling to deliver malicious payloads, persistence through the registry, and data collection.
- Anvilogic Use Cases:
- Compressed File Execution
- Modify Registry Key
March 24th, 2022: Ukrainian News Websites Hacked
Industry: Media | Level: Strategic | Source: Infosecurity
Ukrainian news websites suffered hacks and defacement, with the “Z” symbol placed on compromised sites. Ukraine’s State Service of Special Communication and Information Protection attributes the attacks to Russian threat actors and confirms no data was compromised. At the time of reporting by Infosecurity Magazine, the agency reported that the sites’ services were restored and operational.
March 25th, 2022: Ukraine Targeted by Chinese Threat Actor Group, Scarab
Industry: N/A | Level: Tactical | Source: SentinelOne
Ukraine’s Computer Emergency Response Team (CERT-UA) alerts of cyber activity involving a Chinese threat actor that SentinelLabs attributes to Scarab (CERT-UA labels the group UAC-0026). The threat group has been active since 2012. The activity from Scarab marks the first sign of Chinese threat actor activity against Ukraine since the Russian invasion began. Previous threat activity from the group targeted various users in Russia and the United States. Identified in the CERT-UA alert is a RAR archive whose name translates to “the preservation of video recordings of criminal actions of the army of the Russian Federation.rar.” When opened, the malicious archive provides a lure document, a DLL with a .dat file extension and a batch file. Scarab/UAC-0026’s objectives are currently unknown.
March 11th, 2022: Telecommunications Outages in Ukraine
Industry: Telecommunications | Level: Strategic | Sources: DataCenterDynamics & Forbes
As reported by Data Center Dynamics, outages were identified at Ukraine’s telecoms operator Ukrtelecom and the internet service provider (ISP) Triolan. An investigation by Doug Madory, director of internet analysis at Kentik, found that the Ukrtelecom disruption lasted approximately 40 minutes. The impact on Triolan is more severe, with the ISP experiencing an outage exceeding 12 hours. The attack against Triolan has also been reported by Forbes, which identified from sources within the company that the outage was caused by a “cyberattack.” The cyberattack against Triolan appears to have started on March 9th, 2022, when outages were first experienced, with the issue described as “attackers reset the settings to the factory level [with impact to] key nodes of the network.” Partial service has been restored, as Triolan restored “70% of those nodes in Kyiv, Kharkiv, Dnipro, Poltava, Odesa, Rivne and Zaporizhia.” This is not the first cyberattack against Triolan: a post on the company’s Telegram page reveals a hack on February 24 as well.
March 14th, 2022: CaddyWiper Data Wiper Attacks Ukraine
Industry: N/A | Level: Strategic | Source: BleepingComputer
Initially discovered by ESET researchers and reported by BleepingComputer, a new data-destroying malware named CaddyWiper is attacking Ukrainian organizations. Shared from ESET’s Twitter, “ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations.” Notably, the malware checks whether the host is a domain controller and, if so, leaves its data untouched. ESET hypothesizes this exclusion is meant to ensure the attacker retains access. Analysis of the malware identified it was compiled on Monday, March 14th, 2022 at 07:19:32 UTC. While the malware does not share “significant code similarity” with prior wipers, CaddyWiper’s deployment is similar to HermeticWiper, as ESET’s tweet states: “similarly to HermeticWiper deployments, we observed CaddyWiper being deployed via GPO, indicating the attackers had prior control of the target’s network beforehand.”
Google TAG Provides Update on Russian Threat Groups
Industry: Government, Media, Military | Level: Strategic | Source: GoogleTAG
Google’s Threat Analysis Group (TAG) provides an update on the threat actor groups APT28/FancyBear, Ghostwriter/UNC1151 and Mustang Panda/Temp.Hex, which are focusing their attacks on Ukraine. APT28/FancyBear has conducted phishing campaigns to obtain user credentials from a Ukrainian media site. Ghostwriter/UNC1151 has also conducted phishing campaigns targeting the Polish and Ukrainian government and military. Analysis of the China-based group Mustang Panda/Temp.Hex identified the distribution of a malicious zip file that downloads a malicious payload.
Industry: N/A | Level: Tactical | Source: Proofpoint
Proofpoint research provides an update on activity since November 2021 in which the Chinese APT group TA416 has run targeted campaigns against European diplomatic entities. An increase in activity has been observed since Russia’s invasion of Ukraine. A new technique was identified in the group’s phishing campaigns. Initially, the threat group uses web bugs to profile victims and obtain a “sign of life,” indicating to the attackers that the victim is active and can be enticed into opening malicious emails. Phishing emails have then been observed leveraging the “email marketing service SMTP2Go, which allows users to alter the envelope sender field while using a unique sender address generated by the service.” Abuse of the SMTP2Go service has enabled the group to impersonate various European organizations. In the malicious phishing emails, the threat actor provides a Dropbox link to a zip file containing the PlugX malware executable. Upon execution, the malware establishes persistence through DLL search order hijacking using the PE file potplayermini.exe, associated with a public media player, and downloads additional payloads.