APT28 Targets Ukrainian Government with Fake Windows Update Campaign

April 30, 2023

The Russia-linked APT28 group, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM, has been targeting Ukrainian government bodies with fake 'Windows Update' guides, according to a warning from the Computer Emergency Response Team of Ukraine (CERT-UA). Active since at least 2007, APT28 has targeted governments, militaries, and security organizations worldwide, and was involved in the 2016 Presidential election attacks. The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) and has primarily employed spear-phishing and malware-based attacks in their campaigns.

CERT-UA observed the campaign in April 2023, noting that the malicious emails with the subject “Windows Update” were designed to appear as if sent by system administrators of departments within multiple government bodies. The threat actors sent messages from email addresses created on the public service '@outlook.com': “During April 2023, the government computer emergency response team of Ukraine CERT-UA recorded cases of the distribution of e-mails with the subject 'Windows Update' among government bodies of Ukraine, sent, apparently, on behalf of system administrators of departments. At the same time, e-mail addresses of senders created on the public service '@outlook.com' can be formed using the employee’s real surname and initials.”

The emails contained 'instructions' in Ukrainian for 'updates to protect against hacker attacks' and graphical images of the process of launching a command line and executing a PowerShell command. The attackers used '@outlook.com' email addresses and real employee names obtained during a reconnaissance phase. The messages aimed to trick recipients into launching a command line and executing a PowerShell command, which would download a PowerShell script on the computer that simulates a Windows updating process while downloading another PowerShell script in the background.

The second-stage payload abuses the 'tasklist' and 'systeminfo' commands to gather system information and send them to a Mocky service API via an HTTP request: “The mentioned command will download a PowerShell script that, simulating the process of updating the operating system, will download and execute the following PowerShell script designed to collect basic information about the computer using the 'tasklist', 'systeminfo' commands, and send the received results using HTTP request to the Mocky service API.”

CERT-UA recommends restricting users' ability to launch PowerShell and monitoring network connections to the Mocky service API. Indicators of Compromise for this campaign were also provided by CERT-UA. Recently, UK and US agencies warned of the APT28 group exploiting vulnerabilities in Cisco networking equipment. The Russia-linked APT group accesses unpatched Cisco routers to deploy malware exploiting the unpatched CVE-2017-6742 vulnerability (CVSS score: 8.8), according to a joint report published by the UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA), and US Federal Bureau of Investigation (FBI). The joint advisory offers detailed information on tactics, techniques, and procedures (TTPs) associated with APT28’s attacks conducted in 2021 that exploited the flaw in Cisco routers.

Related News

• Russian APT28 Exploits Old Vulnerability to Target Cisco Routers

Latest News

• FDA and CISA Alert: Illumina Medical Devices at Risk of Remote Hacking
• Critical Vulnerability in Zyxel Firewalls Allows Remote Command Execution
• Clop and LockBit Ransomware Gangs Target PaperCut Servers
• FIN7 Hackers Exploit Veeam Backup & Replication Vulnerability
• Exposed Apache Superset Installs Vulnerable to RCE Attacks