Since the Russian invasion of Ukraine began, the latter has been under continuous cyberattacks by various threat actors looking to make quick bucks or cause disruption. The Ukraine CERT warned against such campaigns targeting the government via IcedID malware and leveraging Zimbra exploits. 

Diving into details

  • The social engineering campaign has been attributed to the UAC-0041 threat cluster. It starts with an email with a Microsoft Excel attachment that, once opened, urges the target to enable macros.
  • The downloaded EXE file decrypts and runs GzipLoader which downloads and installs the IcedID malware.
  • In another campaign led by the new UAC-0097 threat group, the email includes several attachments with a "Content Location" header. The header points toward a remote server hosting JS code that activates a cross-site scripting vulnerability in Zimbra. The flaw is tracked as CVE-2018-6882.
  • The malicious JS code forwards victims’ emails to an email address controlled by the attackers, as part of a cyberespionage campaign.

Why this matters

The targeted intrusions are a part of hostile activities against the nation since the year started. As per CERT-UA, the country has suffered 362 cyberattacks since the invasion. In both the campaigns, the aim of the threat actors is to gain access to internal networks to spy on Ukraine’s most critical government entities.

Other cyberattacks against Ukraine

  • Russia-based Sandworm APT was found disrupting electricity supplies in Ukraine by attacking electric transformers. The group used a new variant of Industroyer, dubbed Industroyer-2, along with CaddyWiper, OrcShred, SoloShred, and AwfulShred.
  • Earlier this month, the CERT-UA issued an advisory against the Russia-based Armageddon group. The threat actor had launched phishing campaigns to target Ukrainian organizations, EU government agencies, and the Latvian government.
  • In another campaign, the SaintBear threat group targeted multiple Ukrainian entities with macro-embedded Excel documents.

The bottom line

It would be safe to say that this year, so far, has been one of high-profile hacks and cyber conflict, and Ukraine seems to be suffering a lot under the hands of threat actors. CERT-UA has been issuing advisories against these threats and hence, organizations and individuals are advised to follow the recommendations provided. As war rages in Ukraine, cybercriminals will wage more attacks against critical sectors. Stay aware, stay safe.

Cyware Publisher