Russia-linked APTs targeted fleeing Ukrainian civilians

Two advanced persistent threat (APT) groups likely linked to the governments of Russia and its puppet state Belarus conducted a phishing campaign that targeted Ukrainian civilians fleeing the illegal shelling of their homes by Russian forces, according to new information released by Mandiant and the US authorities.

The two groups, tracked as UNC1151 and UNC2589 in Mandiant’s database, used lures themed on public safety and humanitarian emergencies in two distinct campaigns.

UNC1151 targeted entities using the subject line “What to do? During artillery shelling by volley fire systems” to deliver Microbackdoor malware, which can manipulate files, execute commands, take screenshots and receive automatic updates.

Meanwhile, UNC2589 – which is thought to have been behind the January 2022 WhisperGate malware attacks on Ukraine – used a document themed on creating an evacuation plan to deliver a version of the RemoteUtils utility, which can download and upload files, remotely execute them and achieve persistence on the target system by creating a startup service.

It is also thought to be delivering two other malwares: Grimplant, a backdoor coded in Go which exfiltrates system information and executes commands relayed back from its command and control (C2) infrastructure; and Graphsteel, an infostealer that seems to be a weaponised version of a public Github project known as goLazagne, which also exfiltrates system information, including browser credentials.

The US Cyber Command’s National Mission Force has published multiple indicators of compromise (IoCs) relating to these campaigns, gathered in collaboration with the Security Service of Ukraine (SBU). These IoCs include as many as 20 novel indicators in various formats.

The SBU has been tracking these campaigns and warned about them previously, alerting users to the possibility that they would be targeted in this way at the end of February.

In an alert published to its Facebook page on 28 February, translated using Google services, the SBU warned that emails allegedly on its behalf about evacuation plans were fake.

“In this way, the aggressor country tries to install virus software on the computers of Ukrainians and collect confidential information,” it said. “We urge you not to open such emails and not to follow the specified links. The SBU did not send any mailings. We inform citizens exclusively through official communication channels.”

Meanwhile, data published earlier in July by Ukraine’s State Cyber Defence Centre (SCPC), a unit within the country’s State Service of Special Communications and Information Protection (SSSCIP), revealed that during the second calendar quarter of 2022, Ukraine detected and processed 19 billion potential cyber events, of which 180,000 were suspicious and 49,000 identified as potential critical events.

The number of registered cyber incidents during Q2 – meaning critical events identified and processed directly by security analysts – was 64, up 60% on Q1.

However, the number of critical security events originating from IP addresses located in Russia actually dropped by more than eight times, likely due to various blocking measures.

The majority of critical events actually originated from IP addresses that were geographically located in the US, although it must be noted that this is no basis for attribution, merely an indication that threat actors are looking for the easiest possible attack pathways to hit their targets.

Indeed, said the SCPC’s report, the majority of registered cyber incidents were related to groups funded by the Russian government, and their main targets were media organisations, and government and local authorities in Ukraine.

In terms of the types of cyber events seen, the vast majority were attempts to deliver malware, mostly trojans, adware or spyware, keyloggers and infostealers, with ransomware less impactful during the period. The most commonly observed malwares used against Ukrainian targets were Agent Tesla, XMRig, Formbook, GuLoader and Cobalt Strike.