APT28 aka UAC-0001 Group Leverages Phishing Emails Disguised As Instructions for OS Updates Targeting Ukrainian State Bodies
- AI SIEM Migration: Simplify, Optimize, Innovate - 24.04.2024
- UAC-0149 Attacks Ukrainian Defense Forces Using Signal, CVE-2023-38831 Exploits, and COOKBOX Malware - 22.04.2024
- CVE-2024-24576 Detection: Hackers Exploit aĀ Maxim Severity āBatBadButā Rust Vulnerability to Target Windows Users - 15.04.2024
Table of contents:
The infamous russian nation-backed hacking collective tracked as APT28 or UAC-0001, which has a history of targeted attacks against Ukrainian government agencies, reemerges in the cyber threat arena.
The latest CERT-UA#6562 alert confirms that over April 2023, the hacking collective has been leveraging the phishing attack vector to massively distribute spoofed emails among Ukrainian state bodies. Hackers applied the lure subject with the Windows OS updates using a forged sender address, masquerading as the system administrators of the corresponding departments.
APT28 Phishing Attack Analysis Covered in CERT-UA#6562 Alert
On April 28, 2023, CERT-UA researchers released a new alert warning cyber defenders of a massive phishing campaign leveraging email spoofing and targeting Ukrainian state bodies attributed to the russia-linked hacking group known as UAC-0001/UAC-0028 aka APT28 or Fancy Bear APT. In 2022, CERT-UA issued alerts covering the malicious activity of these russian state-sponsored threat actors using similar attack vectors. Almost one year ago, APT28 leveraged email spoofing masquerading their messages as a security heads-up, while in June 2022, threat actors abused the notorious zero-day vulnerability CVE-2022-30190 to spread CredoMap malware via a lure attachment.
In the most recent CERT-UA#6562 alert, the APT28 hacking collective massively distributed phishing emails that contained a lure subject āWindows OS updatesā and disguised the senders as system administrators. The sender emails were created using the public server @outlook.com and applied the legitimate employee surnames and initials, which lured victims into opening them. The spoofed emails contained fake guidelines written in Ukrainian on how to update Windows to boost protection against cyber attacks along with lure images displaying the proces of a command-line launch and a PowerShell command execution. The latter was intended to launch the PowerShell scenario used to download and execute the next PowerShell script masquerading as the OS update. The subsequent PowerShell scenario was aimed at collecting basic information about the compromised system via the tasklist and syteminfo commands, as well as sending the gained outcomes through an HTTP request to the Mocky API service.
To mitigate the risks of related phishing attacks, cybersecurity researchers recommend restricting the PowerShell launch by users and constantly monitoring network connections to the above-mentioned Mocky API service.
Detecting the Malicious Activity Associated with APT28 Attacks Against Ukraine Covered in CERT-UA#6562
Since the first days of russiaās full-scale invasion of Ukraine, security experts have observed a significant spike in phishing campaigns targeting Ukrainian governmental institutions and businesses. To help organizations timely identify the malicious activity of russia-backed hackers, SOC Prime provides curated detection content addressing adversary TTPs covered in CERT-UA investigations. All detections can be used across dozens of SIEM, EDR, and XDR solutions to help teams tackle the challenge of SIEM migration and time-consuming manual fine-tuning.
Click the Explore Detections button below and explore dedicated Sigma rules detecting the latest campaign by APT28. All the rules are accompanied by relevant metadata, including MITRE ATT&CKĀ® references and CTI links. To simplify the content search, SOC Prime Platform supports filtering by the custom tag āCERT-UA#6562ā and a broader tag āAPT28ā based on the alert and group identifiers.
Cyber defenders can also automate their threat hunting activities by searching for indicators of compromise (IoCs) associated with the latest APT28 campaign against Ukrainian government bodies using Uncoder.IO. Just paste the file, host, or network IOCs provided by CERT-UA into the tool and select the content type of your target query to instantly create performance-optimized IOC queries ready to run in the chosen environment.
MITRE ATT&CK Context
To delve into the in-depth context behind the malicious campaign by APT28 in the latest April CERT-UA alert, all above-referenced Sigma rules are tagged with ATT&CK v12 addressing the relevant tactics and techniques:
