APT28 aka UAC-0001 Group Leverages Phishing Emails Disguised As Instructions for OS Updates Targeting Ukrainian State Bodies

UAC-0001 (APT28) Resurfaces

The infamous russian nation-backed hacking collective tracked as APT28 or UAC-0001, which has a history of targeted attacks against Ukrainian government agencies, reemerges in the cyber threat arena. 

The latest CERT-UA#6562 alert confirms that over April 2023, the hacking collective has been leveraging the phishing attack vector to massively distribute spoofed emails among Ukrainian state bodies. Hackers applied the lure subject with the Windows OS updates using a forged sender address, masquerading as the system administrators of the corresponding departments.

APT28 Phishing Attack Analysis Covered in CERT-UA#6562 Alert

On April 28, 2023, CERT-UA researchers released a new alert warning cyber defenders of a massive phishing campaign leveraging email spoofing and targeting Ukrainian state bodies attributed to the russia-linked hacking group known as UAC-0001/UAC-0028 aka APT28 or Fancy Bear APT. In 2022, CERT-UA issued alerts covering the malicious activity of these russian state-sponsored threat actors using similar attack vectors. Almost one year ago, APT28 leveraged email spoofing masquerading their messages as a security heads-up, while in June 2022, threat actors abused the notorious zero-day vulnerability CVE-2022-30190 to spread CredoMap malware via a lure attachment. 

In the most recent CERT-UA#6562 alert, the APT28 hacking collective massively distributed phishing emails that contained a lure subject “Windows OS updates” and disguised the senders as system administrators. The sender emails were created using the public server @outlook.com and applied the legitimate employee surnames and initials, which lured victims into opening them. The spoofed emails contained fake guidelines written in Ukrainian on how to update Windows to boost protection against cyber attacks along with lure images displaying the proces of a command-line launch and a PowerShell command execution. The latter was intended to launch the PowerShell scenario used to download and execute the next PowerShell script masquerading as the OS update. The subsequent PowerShell scenario was aimed at collecting basic information about the compromised system via the tasklist and syteminfo commands, as well as sending the gained outcomes through an HTTP request to the Mocky API service. 

To mitigate the risks of related phishing attacks, cybersecurity researchers recommend restricting the PowerShell launch by users and constantly monitoring network connections to the above-mentioned Mocky API service. 

Detecting the Malicious Activity Associated with APT28 Attacks Against Ukraine Covered in CERT-UA#6562

Since the first days of russia’s full-scale invasion of Ukraine, security experts have observed a significant spike in phishing campaigns targeting Ukrainian governmental institutions and businesses. To help organizations timely identify the malicious activity of russia-backed hackers, SOC Prime provides curated detection content addressing adversary TTPs covered in CERT-UA investigations. All detections can be used across dozens of SIEM, EDR, and XDR solutions to help teams tackle the challenge of SIEM migration and time-consuming manual fine-tuning. 

Click the Explore Detections button below and explore dedicated Sigma rules detecting the latest campaign by APT28. All the rules are accompanied by relevant metadata, including MITRE ATT&CK® references and CTI links. To simplify the content search, SOC Prime Platform supports filtering by the custom tag “CERT-UA#6562” and a broader tag “APT28” based on the alert and group identifiers. 

Explore Detections

Cyber defenders can also automate their threat hunting activities by searching for indicators of compromise (IoCs) associated with the latest APT28 campaign against Ukrainian government bodies using Uncoder.IO. Just paste the file, host, or network IOCs provided by CERT-UA into the tool and select the content type of your target query to instantly create performance-optimized IOC queries ready to run in the chosen environment. 

IOCs from CERT-UA#6562 converted to IOC queries via Uncoder.IO

MITRE ATT&CK Context

To delve into the in-depth context behind the malicious campaign by APT28 in the latest April CERT-UA alert, all above-referenced Sigma rules are tagged with ATT&CK v12 addressing the relevant tactics and techniques: 

Tactics 

Techniques

Sigma Rule

Defense Evasion

Masquerading (T1036)

Persistence

Create or Modify System Process (T1543)

Boot or Logon Autostart Execution (T1547)

Execution

Execution Command and Scripting Interpreter (T1059)

The post APT28 aka UAC-0001 Group Leverages Phishing Emails Disguised As Instructions for OS Updates Targeting Ukrainian State Bodies appeared first on SOC Prime.