Ukrainian govt networks breached via trojanized Windows 10 installers

    alf9872000

    • 407 views
    • 3 minutes


    Ukrainian government entities were hacked in targeted attacks after their networks were first compromised via trojanized ISO files posing as legitimate Windows 10 installers.

     

    These malicious installers delivered malware capable of collecting data from compromised computers, deploying additional malicious tools, and exfiltrating stolen data to attacker-controlled servers.

     

    One of the ISOs pushed in this campaign was hosted on the toloka[.]to Ukrainian torrent tracker by a user created in May 2022.

     

    "The ISO was configured to disable the typical security telemetry a Windows computer would send to Microsoft and block automatic updates and license verification," said cybersecurity firm Mandiant, which disclosed the attacks on Thursday.

     

    "There was no indication of a financial motivation for the intrusions, either through the theft of monetizable information or the deployment of ransomware or cryptominers."
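The image tampering Mandiant describes above (telemetry, automatic updates and license verification switched off before the OS is ever installed) leaves traces on the installed system. The script below is an added example written for this page, not code from the article or from Mandiant's report, and the policy keys, services and hostnames it inspects are this example's assumptions about where such settings commonly live, not indicators Mandiant published. Run it in an elevated PowerShell session on a host whose install media is in doubt.

```powershell
# Added example (not from the article or Mandiant's report): audit a Windows 10 host
# for image-level tampering that silences telemetry, Windows Update and licence checks.
# The registry values, services and hostnames below are assumptions about the usual
# places such settings live; treat hits as leads to confirm, not as proof of compromise.

function Test-PolicyValue {
    # Returns a finding object when a policy value exists and equals the "tampered" setting.
    param([string]$Path, [string]$Name, $Expected, [string]$Why)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$Name -eq $Expected) {
        [pscustomobject]@{ Check = "$Path\$Name = $Expected"; Why = $Why }
    }
}

$findings = @()

# Telemetry policy. AllowTelemetry = 0 (Security level) is only honoured on
# Enterprise/Education, but its presence on a Home/Pro build is itself suspicious.
$findings += Test-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' `
    'AllowTelemetry' 0 'telemetry forced to the lowest level by policy'

# Windows Update policies that stop automatic patching.
$findings += Test-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
    'NoAutoUpdate' 1 'automatic updates disabled by policy'
$findings += Test-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
    'DisableWindowsUpdateAccess' 1 'Windows Update access disabled by policy'

# Services a tampered image typically disables outright: telemetry (DiagTrack),
# Windows Update (wuauserv) and Software Protection (sppsvc, licence validation).
foreach ($svc in 'DiagTrack', 'wuauserv', 'sppsvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -ne $s -and $s.StartType -eq 'Disabled') {
        $findings += [pscustomobject]@{ Check = "service $svc"; Why = 'start type is Disabled' }
    }
}

# Sinkholing Microsoft endpoints in the hosts file blocks telemetry, updates and
# activation without touching any policy key, so inspect it as well.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$pattern   = '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+\S*(microsoft\.com|windowsupdate\.com|msftconnecttest\.com)'
$blocked   = Select-String -Path $hostsPath -Pattern $pattern -ErrorAction SilentlyContinue
foreach ($m in $blocked) {
    $findings += [pscustomobject]@{ Check = "hosts line $($m.LineNumber)"; Why = $m.Line.Trim() }
}

if ($findings.Count -eq 0) { 'No tampering indicators found.' }
else { $findings | Format-Table -AutoSize }
```

A clean enterprise build can legitimately carry some of these policies through Group Policy, so compare the output against the organisation's baseline; what matters is a policy or disabled service present on a machine that should never have received it, which points back at the media it was installed from. Independently of this audit, installation media should only come from Microsoft and its SHA-256 hash should be checked (Get-FileHash) against the value Microsoft publishes before it is used.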

     

    While analyzing several infected devices on Ukrainian Government networks, Mandiant also spotted scheduled tasks set up in mid-July 2022 and designed to receive commands that would get executed via PowerShell.
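The persistence described above is a scheduled task whose action launches PowerShell and fetches or decodes what to run. The hunt script below is an added example written for this page, not code from the article or from Mandiant's report; the argument patterns it flags and the July 2022 date window are this example's assumptions (the article gives the month, not the task names or exact patterns), so adjust them to your own timeline. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the article or Mandiant's report): enumerate scheduled tasks
# that launch PowerShell and flag those whose arguments look like a download cradle or
# an encoded/hidden command, plus any registered inside an assumed date window.
# The regex and the window are this example's assumptions; tune both to your case.

$since = Get-Date '2022-07-01'   # assumed window: the article says mid-July 2022
$suspicious = '(-enc|-encodedcommand|-e\s|downloadstring|downloadfile|invoke-webrequest|' +
              'iwr\s|iex\s|invoke-expression|frombase64string|-w(indowstyle)?\s+hidden|bypass)'

$hits = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute property; the cast yields "" and we skip them.
        $exe       = [string]$action.Execute
        $arguments = [string]$action.Arguments
        if ($exe -notmatch '(powershell|pwsh)') { continue }

        # The registration date is only in the task XML, not on the CimInstance.
        $xml = [xml](Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath)
        $registered = $xml.Task.RegistrationInfo.Date
        $regDate = if ($registered) { [datetime]$registered } else { $null }

        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task       = "$($task.TaskPath)$($task.TaskName)"
            RunsAs     = $task.Principal.UserId
            Registered = $regDate
            LastRun    = $info.LastRunTime
            InWindow   = ($null -ne $regDate -and $regDate -ge $since)
            Flagged    = ($arguments -match $suspicious)
            Command    = "$exe $arguments"
        }
    }
}

# Report tasks flagged by content, and PowerShell tasks registered in the window even
# when the arguments look clean (the payload may sit in a -File script on disk).
$hits | Where-Object { $_.Flagged -or $_.InWindow } | Sort-Object Registered | Format-List
```

For anything reported, pull the script file or decode the -EncodedCommand payload offline and check the host's Security log for event 4698 (task created) around the registration date, which gives the creating account and the original task XML even if the task has since been edited.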

     

    After the initial reconnaissance, the threat actors also deployed Stowaway, Beacon, and Sparepart backdoors that allowed them to maintain access to the compromised computers, execute commands, transfer files, and steal information, including credentials and keystrokes.

     

    The trojanized Windows 10 ISOs were distributed via Ukrainian and Russian language torrent file-sharing platforms, unlike similar attacks where cyber-espionage groups host payloads on their infrastructure.

     

    While this supply chain attack hit the Ukrainian government, the malicious Windows ISO files were available to anyone who downloaded them from the torrent trackers, not only to government users.

     

    "We assess that the threat actor distributed these installers publicly, and then used an embedded schedule task to determine whether the victim should have further payloads deployed," Mandiant added.

     

    While the malicious Windows 10 installers were not specifically targeting the Ukrainian government, the threat actors analyzed infected devices and performed further, more focused, attacks on those determined to belong to government entities.

     

    "Targets of interest in UA government were then handpicked. Those targets overlap with GRU interests," tweeted Mandiant Threat Intelligence VP John Hultquist.

     

    Targets previously attacked by Russian military hackers

     

    The threat group behind this supply chain attack is being tracked as UNC4166, and its likely goal is to collect and steal sensitive information from Ukrainian government networks.

     

    While there is no clear attribution at this time, Mandiant's security researchers have found that the organizations attacked in this campaign were previously on the target list of APT28, state hackers with links to Russian military intelligence.

     

    "UNC4166's targets overlap with organizations targeted by GRU related clusters with wipers at the outset of the war," Mandiant said.

     

    "The organizations where UNC4166 conducted follow on interactions included organizations that were historically victims of disruptive wiper attacks that we associate with APT28 since the outbreak of the invasion."

     

    APT28 has been operating since at least 2004 on behalf of Russia's General Staff Main Intelligence Directorate (GRU) and has been linked to campaigns targeting governments worldwide, including a 2015 hack of the German federal parliament and attacks against the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) in 2016.

     

    Since Russia's invasion of Ukraine started, multiple phishing campaigns targeting Ukrainian government and military organizations have been attributed to APT28 by Google, Microsoft, and Ukraine's CERT.

     

    "The use of trojanized ISOs is novel in espionage operations and the included anti-detection capabilities indicate that the actors behind this activity are security conscious and patient, as the operation would have required significant time and resources to develop and wait for the ISO to be installed on a network of interest," Mandiant added.

     
