Ukraine’s Computer Emergency Response Team (CERT-UA) has revealed the circumstances of a recent cyber attack against a government agency.
CERT-UA said that the initial infections took place on 18 April and 20 April 2023, when the unnamed agency received emails purporting to be from the Embassy of Tajikistan in Ukraine. The emails carried a document with an embedded macro; the document was referred to in the body of the email, making it look like a legitimate attachment from a trusted source.
However, CERT-UA believes that the otherwise official email account may have been compromised earlier by the threat actor, possibly as part of a series of incidents in central Asian countries such as Kazakhstan and Afghanistan.
Running the macro created a second document containing another macro, which kicked off a chain of downloads; within days of the initial infection, a raft of malware had been installed on the target machine.
A keylogger and a backdoor were installed, both written in Python and partially obfuscated, while a further malicious utility handled the exfiltration of the gathered data, such as keystroke logs.
According to CERT-UA, the threat actor has been observed since at least 2021 and is known under the identifier UAC-0063 — CERT-UA has provided no other details as to the identity of the actor.
Bitdefender Labs has looked into the possible initial infections in central Asia and found a number of indicators that point to the group being Russia-based. They use cracked versions of Microsoft Office that are known to be popular in Russia and similar tactics to other known pro-Russia groups.
The tactics themselves were similar to the incident reported by CERT-UA, with an initial malicious document leading to a string of malware infections designed to exfiltrate data.
“One clue pointing at the origin of the attack is the use of a cracked version of Microsoft Office 2016 popular in Russian-speaking countries (known as ‘SPecialisST RePack’ or ‘Russian RePack by SPecialiST’),” Bitdefender wrote in a recent blog post. “It is also unusual to see the same backdoor written in two languages — this practice was previously observed with group APT28 (Russian-based) with their backdoor Zebrocy. Based on a combination of indicators, we are attributing this campaign to a group associated with Russia, albeit with low confidence.”
APT28 is Mandiant’s nomenclature for a group known variously as Fancy Bear, Pawn Storm, and Strontium, depending on which security company is doing the reporting.
The US Special Counsel refers to Fancy Bear as GRU Unit 26165. It is believed the group has been active since at least 2007.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.