Microsoft uncovers new evidence of a Russian hacking campaign targeting Ukraine

Microsoft uncovers new evidence of a Russian hacking campaign targeting Ukraine.

Short News:- 

Over the past six months, Gamaredon has carried out cyber espionage attacks on several Ukrainian entities. Non-governmental organizations (NGO), courts, law enforcement, and non-profit organizations were allegedly the targets of recent attacks. ACTINIUM is the name given to the computer cluster by Microsoft's Threat Intelligence Center (previously DEV-0157). Exfiltration and reconnaissance tools are built into the Pterodo family of malware, which is targeted at a specific host. According to a report from Cisco Talos, Ukraine-based groups are responsible for the defacing and wiper attacks. Last month, the same threat actor targeted a second Western government organization in Ukraine.

Detailed News:- 

Microsoft on Friday revealed more of the Gamaredon hacking group's tactics, techniques, and procedures (TTPs) used to conduct a barrage of cyber espionage attacks on several Ukrainian entities over the past six months.

The attacks are said to have targeted government, military, non-governmental organizations (NGO), judiciary, law enforcement, and non-profit organizations with the primary goal of stealing sensitive information, retaining access, and using it to move into related organizations.

To keep up with its tradition of naming nation-state activities by chemical elements, Microsoft's Threat Intelligence Center (MSTIC) has assigned the cluster of computers the name ACTINIUM (previously DEV-0157).

It was announced by the Ukrainian government in November 2021 that the Russian Federal Security Service (FSB) was behind the operation in Crimea and Sevastopol, Ukraine.

When it comes to emergency response and securing Ukraine's borders, "ACTINIUM has targeted or compromised accounts at organizations critical to coordinating the distribution of international and humanitarian aid to Ukraine," MSTIC researchers stated.

According to a recent report, Gamaredon represents a distinct set of cyberattacks that are unrelated to the recent spate of cyberattacks on the Ukrainian government and corporate entities that used destructive data-wiping malware disguised as ransomware.

In most cases, the attacks begin with phishing emails that contain malware-laden macros that are activated when recipients open rigged documents that contain malicious code.

an interesting tactic is the inclusion of a "web bug" in the body of the phishing message to track if the message has been opened, after which the infection chain initiates a multi-stage process that culminates in the distribution of several binaries, including —

PowerPunch is an executable dropper and downloader written in PowerShell that is used to get the next-stage executables from a remote location.

When it comes to Pterodo's many capabilities and constant evolution, it's hard to say what the future holds.

The data exfiltration and reconnaissance tool QuietSieve is an obfuscated.NET binary designed for the target host.

In addition to stealing data from the compromised host, the QuietSieve malware family is capable of receiving and executing a remote payload from the attacker, as the researchers pointed out, as well as taking screenshots of the compromised host every five minutes.

Another Western government organization in Ukraine was also hit by the same threat actor last month when a malware-laden resume for an open position with the organization was posted on a Ukrainian job portal. State Migration Service (SMS) was also targeted in December 2021.

According to the findings, Cisco Talos, in its ongoing investigation of the January incidents, revealed details of an ongoing disinformation campaign attempting to attribute the defacement and wiper attacks to Ukrainian groups that have been going on for at least 9 months.