A targeted cyberattack known as EastWind has been detected by Kaspersky researchers, aimed at the Russian government and IT organizations [1] [2] [3] [4].

Description

Spear-phishing emails carrying RAR archive attachments that contained a Windows shortcut were used to install malware [2], including Trojans such as GrewApacha and CloudSorcerer [1] [2] [3] [4] and the newly discovered PlugY implant. The attackers used Dropbox [2], Yandex Cloud [3] [4], and Microsoft Graph for command and control, which supported data collection and exfiltration [3]. DLL side-loading was used to start the infection sequence [3], and GitHub, LiveJournal [2] [3] [4], Quora [2] [3] [4], and other platforms were used for communication. Additionally, a worm named CMoon was distributed through a watering-hole attack on a Russian gas supply website, enabling data theft, remote control [3], and DDoS attacks [3] [4]. The attackers hid their command-and-control traffic among ordinary network activity by using common network services as command servers [2]. The campaign also showed collaboration between APT groups, with malware attributed to APT27 and APT31 both involved.
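As an added defender-side illustration (not code from Kaspersky or any of the cited reports), the routine below triages mail-gateway attachment records for the initial-access pattern described above: an e-mailed archive that carries a Windows shortcut, or that ships an EXE next to a DLL as a side-loading candidate. The record fields and the sample attachments are constructed assumptions, not a real gateway schema.

```python
from pathlib import PureWindowsPath

# Constructed mail-gateway records (assumed schema): one record per attachment,
# with the file names listed inside the archive when the gateway could read it.
SAMPLE_ATTACHMENTS = [
    {"msg_id": "m1", "name": "report.rar",
     "entries": ["report.docx.lnk", "report.docx"]},
    {"msg_id": "m2", "name": "photos.rar",
     "entries": ["img1.jpg", "img2.jpg"]},
    {"msg_id": "m3", "name": "invoice.zip",
     "entries": ["viewer.exe", "version.dll", "invoice.pdf"]},
    {"msg_id": "m4", "name": "notes.txt", "entries": []},
]

ARCHIVE_EXTS = {".rar", ".zip", ".7z"}


def assess_attachment(att):
    """Return the reasons this attachment matches the archive -> shortcut ->
    DLL side-loading chain. An empty list means nothing was flagged."""
    reasons = []
    if PureWindowsPath(att["name"]).suffix.lower() not in ARCHIVE_EXTS:
        return reasons
    entries = [PureWindowsPath(e) for e in att["entries"]]
    # 1. A Windows shortcut inside an e-mailed archive is the lure itself.
    lnks = [e for e in entries if e.suffix.lower() == ".lnk"]
    if lnks:
        reasons.append("archive contains Windows shortcut: "
                       + ", ".join(str(e) for e in lnks))
    # 2. A double extension (report.docx.lnk) hides the real file type.
    for e in lnks:
        if PureWindowsPath(e.stem).suffix:
            reasons.append(f"double extension disguises shortcut: {e}")
    # 3. An EXE shipped beside a DLL in the same folder is a side-loading candidate.
    by_dir = {}
    for e in entries:
        by_dir.setdefault(str(e.parent), set()).add(e.suffix.lower())
    for folder, exts in by_dir.items():
        if ".exe" in exts and ".dll" in exts:
            reasons.append(f"exe+dll pair in '{folder}' (possible DLL side-loading)")
    return reasons


def triage(attachments):
    """Map msg_id -> reasons for every attachment that raised at least one flag."""
    return {a["msg_id"]: r for a in attachments if (r := assess_attachment(a))}


if __name__ == "__main__":
    for msg, why in triage(SAMPLE_ATTACHMENTS).items():
        print(msg, "->", "; ".join(why))
```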

Conclusion

The EastWind campaign poses significant risks to the Russian government and IT organizations, with potential impacts including data theft, remote control [3], and DDoS attacks [3] [4]. Mitigations such as strengthening email security, monitoring network traffic [2], and updating security protocols are crucial to preventing similar attacks. The collaboration between APT groups underscores the need for stronger cybersecurity measures and international cooperation against sophisticated threats.

References

[1] https://itsecuritywire.com/quick-bytes/a-spear-phishing-campaign-codenamed-eastwind-delivers-a-number-of-backdoors-and-trojans/
[2] https://securityaffairs.com/166924/apt/eastwind-campaign-targets-russian-organizations.html
[3] https://cionews.co.in/plugy-grewapacha-backdoors-installed-via-eastwind/
[4] https://thehackernews.com/2024/08/russian-government-hit-by-eastwind.html