top of page

CERT-UA Warns of APT28 Phishing Attacks Targeting Government Bodies

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country. The agency attributed the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy. The email messages come with the subject line "Windows Update" and purportedly contain instructions in the Ukrainian language to run a PowerShell command under the pretext of security updates. Running the script loads and executes a next-stage PowerShell script that's designed to collect basic system information through commands like tasklist and systeminfo, and exfiltrate the details via an HTTP request to a Mocky API. To trick the targets into running the command, the emails impersonated system administrators of the targeted government entities using fake Microsoft Outlook email accounts created with the employees' real names and initials. CERT-UA is recommending that organizations restrict users' ability to run PowerShell scripts and monitor network connections to the Mocky API. The disclosure comes weeks after the APT28 was tied to attacks exploiting now-patched security flaws in networking equipment to conduct reconnaissance and deploy malware against select targets. Google's Threat Analysis Group (TAG), in an advisory published last month, detailed a credential harvesting operation carried out by the threat actor to redirect visitors of Ukrainian government websites to phishing domains. This is a serious problem because the Russian government has been caught red-handed trying to perpetrate cyber attacks against the Ukrainian government. This is not the first time that they have done this, and it is becoming a pattern. The Ukrainian government is urging all government organizations to restrict users' ability to run PowerShell scripts and monitor network connections to the Mocky API. This is a good first step, but more needs to be done in order to protect against these types of attacks.


bottom of page