Russia behind a massive spear-phishing campaign that hit Ukraine

Ukraine warned of a “massive” spear-phishing campaign carried out by Russia-linked threat actors against its government and private businesses.

Three Ukrainian cybersecurity agencies (Ukrainian Secret Service, Ukrainian Cyber Police, and CERT Ukraine), including the Ukrainian Secret Service, warned last week of a “massive” spear-phishing campaign conducted by Russia-linked hackers against its government and organizations in the private industry.

This is the third massive spear-phishing campaign that the Ukrainian government attributed to Russia-linked threat actors this year.

The phishing messages employed in the operation pose as representatives for the Kyiv Patrol Police Department and warn recipients of problems with the payment of local taxes.

“Specialists of the Security Service of Ukraine established that in early June this year, mass e-mails were sent with the sender’s address changed. Messages, in particular, allegedly from the Kyiv Patrol Police Department contained malicious attachments and were sent to the addresses of a number of government agencies.” reads the alert published by the Ukrainian Secret Service.

According to the national CERT, the attackers send messages on behalf of government agencies that use the following statement in their subject: “You didn’t pay taxes. Details in the file… »,« a criminal case has been filed against you. Details in the application… »

The messages use a RAR archive as an attachment and trick victims into opening it. Upon downloading and opening the archive, an EXE file with a double extension, filename.pdf.exe, is dropped on the system.

When the recipient runs the files will install a modified version of RemoteUtilities, a remote administration software. The software connects to command and control servers located in Russia, Germany, and the Netherlands.

The Ukrainian Security Service shared indicators of compromise for this attack on the platform “MISP-UA”.

Below the recommendations by the CERT:

Recommendations:

• Do not download encrypted archives or password archives from the Internet. If necessary, contact the sender to find out if the attachment letter was sent. It is best to block the receipt of such files via e-mail altogether;
• Before you open attachments in emails or messages, pay attention to details. It is best to refrain from downloading email attachments from questionable senders. It should also be alarming if the author has changed the language of communication for unknown reasons, the subject of the letter is not typical for the author, as well as messages that encourage suspicious links or open suspicious files;
• Limit the ability to run executable files;
• Periodically check the system with antivirus and update signature databases;
• Use licensed operating systems and other software that is periodically updated;
• Regularly back up important files;
• Update passwords for access to important systems as often as possible and use two-factor authentication.

In February, the Ukraine ‘s government blamed a Russia-linked APT group for an attack on a government document management system, the System of Electronic Interaction of Executive Bodies (SEI EB).

According to Ukrainian officials, the hackers aimed at disseminating malicious documents to government agencies.

The SEI EB is used by the Ukrainian government agencies to share documents.

According to Ukraine’s National Security and Defense Council, attackers acted to conduct “the mass contamination of information resources of public authorities.”

In the same period, Ukraine accused unnamed Russian internet networks of massive attacks that targeted Ukrainian security and defense websites. The Ukrainian officials did not provide details about the attacks either the damage they have caused.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

[adrotate banner=”5″]

[adrotate banner=”13″]