CERT-UA reveals details of a Russian malware campaign backed by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation.
Ukraine’s Computer Emergency Response Team has shared the details of a recent hacking campaign targeting Ukrainian research entities.
According to CERT-UA, the hackers – designated UAC-0063 – have links to the threat actor Fancy Bear, which itself is backed by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, still generally known as the GRU.
The campaign began on 8 July and used a compromised email account to resend a previous email shared on the network with an attached Word document.
However, the hackers had swapped the original document out for one with a malicious macro embedded in it. Running the macro leads to the creation of a second document with another macro, which, in turn, deploys the HATVIBE malware. HATVIBE is designed to deploy further malicious code from the threat actor’s command and control infrastructure.
The final observed stage of the campaign was the installation of the CHERRYSPY backdoor.
CERT-UA said that VirusTotal had detected similar macros in a file that appeared to originate in Armenia and was spread via email correspondence “addressed to the Department of Defense Policy of the Ministry of Defense of the Republic of Armenia on behalf of the Department of International Military cooperation of the Ministry of Defense of the Kyrgyz Republic”.
Other HATVIBE installations were made via a vulnerability in the HFS HTTP file server, most likely CVE-2024-23692.
CERT-UA is also not holding back on the reasons the campaign could have been successful.
“The implementation of the cyber attack became possible due to the systematic neglect by the organisation of the recommendations typical for the current cyber threat landscape,” CERT-UA said in its advisory (as translated by Google).
In particular, CERT-UA cited a lack of multifactor authentication, a poor macro policy, and ordinary users having administrator-level access.
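Two of those three gaps can be checked on a Windows workstation in a few lines. The PowerShell below is an added audit example, not code from CERT-UA or the article: it reads Word's effective macro policy (the GPO key first, then the user key) and lists the local Administrators group. The registry paths and the meaning of the `VBAWarnings` values are Microsoft's documented Office policy settings; the Office version `16.0` (Office 2016/2019/365) is an assumption, and only Word is checked, as each Office app has its own Security key.

```powershell
# Added audit example (not from CERT-UA or the article). Checks the Word macro
# policy and local-admin membership, two of the gaps the advisory names.
# Office version 16.0 is an assumption; adjust for other releases.
$ver = '16.0'
$paths = @(
    "HKCU:\Software\Policies\Microsoft\Office\$ver\Word\Security",  # set by Group Policy
    "HKCU:\Software\Microsoft\Office\$ver\Word\Security"            # set via Trust Center
)
# Documented meanings of the VBAWarnings value
$vbaMeaning = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable with notification (user can click Enable Content)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-WordMacroPolicy {
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $k = Get-ItemProperty -Path $p
            if ($null -ne $k.VBAWarnings) {
                return [pscustomobject]@{
                    Source              = $p
                    VBAWarnings         = [int]$k.VBAWarnings
                    Meaning             = $vbaMeaning[[int]$k.VBAWarnings]
                    BlockInternetMacros = [bool]$k.blockcontentexecutionfrominternet
                }
            }
        }
    }
    # No explicit key: Office's built-in default is "disable with notification",
    # i.e. a user can still click through on an emailed document.
    return [pscustomobject]@{ Source = '(not set)'; VBAWarnings = 2
                              Meaning = $vbaMeaning[2]; BlockInternetMacros = $false }
}

$policy = Get-WordMacroPolicy
$policy | Format-List
if ($policy.VBAWarnings -le 2 -and -not $policy.BlockInternetMacros) {
    Write-Warning 'Word will let a user enable macros in a document received by email.'
}

# Third gap: ordinary user accounts appearing in the local Administrators group.
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
```

Run it in the context of the user being audited, since both Office keys live under HKCU; the MFA gap is a tenant or directory setting and is not visible from the endpoint.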
“Every manager and system administrator who allows cyber attacks, the means, tactics, techniques and procedures for the implementation of which have been repeatedly publicly described, contributes to the achievement of the enemy’s goals,” CERT-UA said.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.