Three Ukrainian cybersecurity agencies (Ukrainian Secret Service, Ukrainian Cyber Police, and CERT Ukraine), including the Ukrainian Secret Service, warned last week of a “massive” spear-phishing campaign conducted by Russia-linked hackers against its government and organizations in the private industry.
This is the third massive spear-phishing campaign that the Ukrainian government attributed to Russia-linked threat actors this year.
The phishing messages employed in the operation pose as representatives for the Kyiv Patrol Police Department and warn recipients of problems with the payment of local taxes.
“Specialists of the Security Service of Ukraine established that in early June this year, mass e-mails were sent with the sender’s address changed. Messages, in particular, allegedly from the Kyiv Patrol Police Department contained malicious attachments and were sent to the addresses of a number of government agencies.” reads the alert published by the Ukrainian Secret Service.
According to the national CERT, the attackers send messages on behalf of government agencies that use the following statement in their subject: “You didn’t pay taxes. Details in the file… »,« a criminal case has been filed against you. Details in the application… »
The messages use a RAR archive as an attachment and trick victims into opening it. Upon downloading and opening the archive, an EXE file with a double extension, filename.pdf.exe, is dropped on the system.
When the recipient runs the files will install a modified version of RemoteUtilities, a remote administration software. The software connects to command and control servers located in Russia, Germany, and the Netherlands.
The Ukrainian Security Service shared indicators of compromise for this attack on the platform “MISP-UA”.
Below the recommendations by the CERT:
In February, the Ukraine ‘s government blamed a Russia-linked APT group for an attack on a government document management system, the System of Electronic Interaction of Executive Bodies (SEI EB).
According to Ukrainian officials, the hackers aimed at disseminating malicious documents to government agencies.
The SEI EB is used by the Ukrainian government agencies to share documents.
According to Ukraine’s National Security and Defense Council, attackers acted to conduct “the mass contamination of information resources of public authorities.”
In the same period, Ukraine accused unnamed Russian internet networks of massive attacks that targeted Ukrainian security and defense websites. The Ukrainian officials did not provide details about the attacks either the damage they have caused.
(SecurityAffairs – hacking, Ukraine)