
Ukrainian govt networks breached via trojanized Windows 10 installers
2022-12-15 17:24

Ukrainian government entities were hacked in targeted attacks after their networks were first compromised via trojanized ISO files posing as legitimate Windows 10 installers.

While analyzing several infected devices on Ukrainian Government networks, Mandiant also spotted scheduled tasks set up in mid-July 2022 and designed to receive commands that would get executed via PowerShell.

The trojanized Windows 10 ISOs were distributed via Ukrainian and Russian language torrent file-sharing platforms, unlike similar attacks where cyber-espionage groups host payloads on their infrastructure.

While the malicious Windows 10 installers were not specifically targeting the Ukrainian government, the threat actors analyzed the infected devices and carried out further, more focused attacks on those determined to belong to government entities.

The threat group behind this supply chain attack is being tracked as UNC4166, and its likely goal is to collect and steal sensitive information from Ukrainian government networks.

Since Russia's invasion of Ukraine started, multiple phishing campaigns targeting the Ukrainian government and military organizations have been attributed to APT28 by Google, Microsoft, and Ukraine's CERT.

"The use of trojanized ISOs is novel in espionage operations, and the included anti-detection capabilities indicate that the actors behind this activity are security conscious and patient, as the operation would have required significant time and resources to develop and wait for the ISO to be installed on a network of interest," Mandiant added.


News URL

https://www.bleepingcomputer.com/news/security/ukrainian-govt-networks-breached-via-trojanized-windows-10-installers/