Persistent Cyber Espionage Campaign Targets Ukraine and Poland

Government entities, military organizations, and civilian users in Ukraine and Poland have fallen victim to a series of targeted campaigns aimed at stealing sensitive data and establishing persistent remote access to compromised systems.

These campaigns, spanning from April 2022 to July 2023, employ phishing emails and deceptive documents to distribute a downloader malware known as PicassoLoader. PicassoLoader in turn fetches and launches Cobalt Strike Beacon and njRAT, giving the threat actors remote control of the infected systems.

Cisco Talos researcher Vanja Svajcer explains that the attacks involve a multi-stage infection chain, typically initiated through malicious Microsoft Office documents, with Excel and PowerPoint files being the most common. These documents are designed to trick victims into enabling macros, which then drop a DLL downloader called PicassoLoader. This downloader retrieves the next-stage payload from an attacker-controlled site, often hidden within a legitimate image file to evade detection.
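The next-stage payload is described above as hidden inside a legitimate image file. The simplest and most common form of that trick is to append the encrypted stage after the image's real end-of-file marker, so the file still opens as a picture and passes a content-type check. As an added example (not code from the Talos report or from the PicassoLoader samples), the script below walks the PNG chunk list to IEND and the JPEG marker structure to EOI and reports how many bytes follow the structural end. The sample images and the appended stand-in payload are constructed inline; the check assumes the payload is appended to the image and will not see data encoded into pixel values.

```python
"""Check whether an image file carries extra bytes after its real end-of-image.

Added example (not code from the Talos report). Walks PNG chunks to IEND and
JPEG marker segments to EOI; any bytes past that point are reported as trailing
data. Assumption: the payload is appended to a valid image, which this check
sees; data hidden inside pixel values (true steganography) is not detected.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes):
    """Return the offset just past the IEND chunk, or None if the PNG is malformed."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def jpeg_end_offset(data: bytes):
    """Return the offset just past the EOI marker (FF D9), or None if malformed.

    Inside entropy-coded scan data a 0xFF byte is always followed by 0x00
    (byte stuffing) or 0xD0-0xD7 (restart markers); anything else is a real marker.
    """
    pos, in_scan = 2, False
    while pos < len(data):
        if in_scan:
            idx = data.find(b"\xff", pos)
            if idx < 0 or idx + 1 >= len(data):
                return None
            nxt = data[idx + 1]
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7 or nxt == 0xFF:
                pos = idx + 1
                continue
            pos, in_scan = idx, False      # a real marker ends the scan
            continue
        if pos + 2 > len(data) or data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                 # EOI
            return pos + 2
        if marker == 0xFF:                 # fill byte
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == 0xDA:                 # SOS: entropy-coded data follows
            in_scan = True
    return None


def trailing_bytes(data: bytes):
    """Return (format, bytes after the structural end) or (format, None) if malformed."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_end_offset(data)
    elif data.startswith(b"\xff\xd8"):
        fmt, end = "jpeg", jpeg_end_offset(data)
    else:
        return ("unknown", None)
    return (fmt, None if end is None else len(data) - end)


# --- constructed samples (not files from the campaign) ---
def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png():
    """A valid 1x1 red RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")     # filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_jpeg():
    """Structurally valid JPEG skeleton: SOI, APP0, SOS with stuffed/restart bytes, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"       # FF00 = stuffing, FFD0 = RST0
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    fake_payload = b"MZ" + b"\x90" * 40          # constructed stand-in for an appended stage
    for name, blob in [("clean.png", make_png()), ("clean.jpg", make_jpeg()),
                       ("lure.png", make_png() + fake_payload),
                       ("lure.jpg", make_jpeg() + fake_payload)]:
        fmt, extra = trailing_bytes(blob)
        print(f"{name}: {fmt}, {extra} trailing bytes")
```

A non-zero trailing count on an image fetched by an Office process or an unsigned DLL is a strong lead, but trailing bytes alone are not proof: some cameras and editors append metadata after EOI, so inspect what the tail actually contains before acting on it.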

Some of these activities have been attributed to a threat actor known as GhostWriter (also referred to as UAC-0057 or UNC1151), whose motivations appear to align with those of the Belarusian government.

It is worth noting that certain attacks within this campaign have been previously documented by Ukraine's Computer Emergency Response Team (CERT-UA) and Fortinet FortiGuard Labs. For example, in July 2022, a macro-laden PowerPoint document was used to deliver the Agent Tesla malware.

Meanwhile, CERT-UA has also reported on phishing operations distributing SmokeLoader malware and a smishing attack targeting Telegram accounts. Additionally, they disclosed a cyber espionage campaign that leverages email and instant messengers to distribute malicious files, leading to the execution of PowerShell scripts and the deployment of browser stealers and keyloggers.

Ukraine has attracted the attention of various threat actors, including the Russian state-sponsored group APT28. This group has utilized phishing emails with HTML attachments, prompting recipients to change their passwords for UKR.NET and Yahoo! accounts due to alleged suspicious activities. These emails redirect victims to fake login pages designed to harvest their credentials.

These recent developments coincide with the "standard five-phase playbook" that hackers affiliated with Russian military intelligence (GRU) have adopted for their disruptive operations against Ukraine: living on the edge (compromising internet-facing edge infrastructure such as routers and VPN appliances for initial access), living off the land for reconnaissance while keeping the malware footprint small to evade detection, establishing persistent privileged access through Group Policy Objects (GPOs), deploying wipers, and using hacktivist personas on Telegram to telegraph their actions.

In parallel, APT29 (also known as Cloaked Ursa, Cozy Bear, or Midnight Blizzard), attributed to Russia's Foreign Intelligence Service (SVR), has orchestrated a tailored phishing campaign targeting at least 22 diplomatic missions in Ukraine since May 2023. The campaign utilizes vehicle-themed lures, leveraging a flyer originally sent by a diplomat within the Polish Ministry of Foreign Affairs. Clicking on the embedded links in these emails downloads malware that beacons to Dropbox and Microsoft Graph API-based command-and-control servers.
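Because the command-and-control traffic in this campaign goes to Dropbox and Microsoft Graph, which are allowed almost everywhere, blocking the destination is rarely an option and timing is one of the few signals a network defender has. The following added example (not code from the Unit 42 report) groups proxy log lines by source host and cloud destination, computes the gaps between requests, and flags pairs whose gaps are too regular for a person or an ordinary client. The log format, the sample lines and the thresholds are all constructed for the example.

```python
"""Flag hosts that contact sanctioned cloud APIs at machine-regular intervals.

Added example (not code from the Unit 42 report). Groups proxy log lines by
(source, destination) for the cloud endpoints named in the text, computes the
inter-request gaps and flags pairs whose gap pattern is too regular for a human
or a normal client. Assumptions: a constructed log format
"<ISO timestamp> <src ip> <dest host> <status> <bytes>" and thresholds chosen here.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

WATCHED_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "graph.microsoft.com"}

# Constructed sample: 10.1.2.3 checks in about every 60 s; 10.1.2.4 is bursty, like a mail client.
SAMPLE_LOG = """\
2023-07-14T09:00:00Z 10.1.2.3 graph.microsoft.com 200 512
2023-07-14T09:00:05Z 10.1.2.4 graph.microsoft.com 200 8192
2023-07-14T09:00:07Z 10.1.2.4 graph.microsoft.com 200 3071
2023-07-14T09:00:30Z 10.1.2.3 www.example.com 200 10240
2023-07-14T09:01:02Z 10.1.2.3 graph.microsoft.com 200 517
2023-07-14T09:01:59Z 10.1.2.3 graph.microsoft.com 200 509
2023-07-14T09:03:01Z 10.1.2.3 graph.microsoft.com 200 515
2023-07-14T09:04:00Z 10.1.2.3 graph.microsoft.com 200 511
2023-07-14T09:04:58Z 10.1.2.3 graph.microsoft.com 200 520
2023-07-14T09:06:01Z 10.1.2.3 graph.microsoft.com 200 508
2023-07-14T09:07:00Z 10.1.2.3 graph.microsoft.com 200 514
2023-07-14T09:12:40Z 10.1.2.4 graph.microsoft.com 200 64000
2023-07-14T09:13:00Z 10.1.2.4 graph.microsoft.com 200 2048
2023-07-14T09:45:10Z 10.1.2.4 graph.microsoft.com 200 1024
2023-07-14T09:45:11Z 10.1.2.4 graph.microsoft.com 200 1024
2023-07-14T10:30:00Z 10.1.2.4 graph.microsoft.com 200 9000
"""


def parse_log(text):
    """Map (src, host) -> sorted request timestamps, for watched hosts only."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, _status, _size = line.split()
        if host in WATCHED_HOSTS:
            seen[(src, host)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return {k: sorted(v) for k, v in seen.items()}


def beacon_candidates(text, min_events=6, max_cv=0.15):
    """Return (src, host, mean_gap_s, cv) for pairs whose gaps are regular enough.

    cv = stdev/mean of the inter-request gaps; a scheduled check-in with small
    jitter lands well under 0.15, interactive use far above it.
    """
    found = []
    for (src, host), times in parse_log(text).items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            found.append((src, host, round(avg, 1), round(cv, 3)))
    return found


if __name__ == "__main__":
    for src, host, avg, cv in beacon_candidates(SAMPLE_LOG):
        print(f"{src} -> {host}: every {avg}s, cv={cv}")
```

Treat a hit as a lead, not a verdict: Teams, Outlook and OneDrive sync clients also poll Graph on timers, so correlate the flagged host with the process that owns the connections and with which Graph endpoints it calls (a sync client touches drive and mail resources; a beacon usually hits one path repeatedly). Implants with large random sleep jitter will push the coefficient of variation above the threshold and need a different check, such as counting contacts per hour over days.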

The scale and scope of these operations by Cloaked Ursa are remarkable, given that the group typically engages in narrowly focused and covert APT activity. The threat actors likely repurposed the legitimate advertising flyer after obtaining it through compromised mail servers or other intelligence-gathering methods.

Taken together, these reports show that Ukraine and Poland face persistent, well-resourced cyber espionage campaigns from several threat actors with different sponsors and goals, and that organizations in the region need stronger defenses and sustained vigilance.
