Security News > 2023 > May > APT28 Targets Ukrainian Government Entities with Fake "Windows Update" Emails

The Computer Emergency Response Team of Ukraine has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country.

The email messages come with the subject line "Windows Update" and purportedly contain instructions in the Ukrainian language to run a PowerShell command under the pretext of security updates.

Running the script loads and executes a next-stage PowerShell script that's designed to collect basic system information through commands like tasklist and systeminfo, and exfiltrate the details via an HTTP request to a Mocky API. To trick the targets into running the command, the emails impersonated system administrators of the targeted government entities using fake Microsoft Outlook email accounts created with the employees' real names and initials.

CERT-UA is recommending that organizations restrict users' ability to run PowerShell scripts and monitor network connections to the Mocky API. The disclosure comes weeks after the APT28 was tied to attacks exploiting now-patched security flaws in networking equipment to conduct reconnaissance and deploy malware against select targets.

Google's Threat Analysis Group, in an advisory published last month, detailed a credential harvesting operation carried out by the threat actor to redirect visitors of Ukrainian government websites to phishing domains.

"In some cases, it is almost certain that these agencies maintain an established and systematic relationship with cybercriminal threat actors, either by indirect collaboration or via recruitment."

News URL

https://thehackernews.com/2023/05/apt28-targets-ukrainian-government.html