Security News > 2022 > December > Ukrainian govt networks breached via trojanized Windows 10 installers
Ukrainian government entities were hacked in targeted attacks after their networks were first compromised via trojanized ISO files posing as legitimate Windows 10 installers.
While analyzing several infected devices on Ukrainian Government networks, Mandiant also spotted scheduled tasks set up in mid-July 2022 and designed to receive commands that would get executed via PowerShell.
The trojanized Windows 10 ISOs were distributed via Ukrainian and Russian language torrent file-sharing platforms, unlike similar attacks where cyber-espionage groups host payloads on their infrastructure.
While the malicious Windows 10 installers were not specifically targeting the Ukrainian government, the threat actors analyzed infected devices and performed further, more focused, attacks on those determined to belong to government entities.
The threat group behind this supply chain attack is being tracked as UNC4166, and its likely goal is to collect and steal sensitive information from Ukrainian government networks.
Since Russia's invasion of Ukraine started, multiple phishing campaigns targeting the Ukrainian government and military organizations have been tagged as APT28 operations by Google, Microsoft, and Ukraine's CERT. "The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest," Mandiant added.
News URL
Related news
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- Microsoft fixes Windows 10 bug causing apps to stop working (source)
- Windows 10 KB5046613 update released with fixes for printer bugs (source)
- Microsoft just killed the Windows 10 Beta Channel again (source)
- Microsoft just killed the Windows 10 Beta Channel for good (source)
- Microsoft pulls WinAppSDK update breaking Windows 10 app uninstalls (source)
- Windows 10 KB5046714 update fixes bug preventing app uninstalls (source)
- New Windows 10 0x80073CFA fix requires installing WinAppSDK 3 times (source)
- Windows 10 KB5048652 update fixes new motherboard activation bug (source)