Ukrainian CERT thwarts APT28 cyberattack on critical energy infrastructure

September 06, 2023THNCyberattack/Critical Infrastructure

Cyberattack on critical energy infrastructure

Ukraine’s Computer Emergency Response Team (CERT-UA) said on Tuesday it had foiled a cyberattack on unnamed critical energy infrastructure in the country.

The intrusion, according to the agency, began with a phishing email containing a link to a malicious ZIP archive that activates the infection chain.

“Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file ‘weblinks.cmd’ to the victim’s computer”, CERT-UA saidattributing it to the Russian threat actor known as APT28 (aka BlueDelta, Fancy Bear, Forest Blizzard or FROZENLAKE).

Cyber ​​security

“When a CMD file is executed, several decoy web pages will be opened, .bat and .vbs files will be created and a VBS file will be launched, which in turn will execute the BAT file.”

The next phase of the attack involves running the “whoami” command on the compromised host and exfiltrating the information, as well as downloading the hidden TOR service to route the malicious traffic.

Persistence is achieved by means of a scheduled task and remote command execution is implemented using cURL via a legitimate service called, which was recently revealed to be used by a malicious actor known as Dark Pink.

CERT-UA said the attack ultimately failed due to access to Mocky and Windows Script Host (wscript.exe) has been restricted. It should be noted that APT28 has been linked to the use of Mocky APIs in the past.


Identity is the New Endpoint: Mastering SaaS Security in the Modern Age

Dive into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Find out why identity is the new endpoint. Reserve your place now.

Boost your skills

Disclosure comes in the middle ongoing phishing attacks targeting Ukraine, some of which were observed leveraging an off-the-shelf malware obfuscation engine named ScruptCrypt to distribute AsyncRAT.

Another cyberattack mounted by GhostWriter (aka UAC-0057 or UNC1151) allegedly used a recently revealed zero-day flaw in WinRAR (CVE-2023-38831, CVSS score: 7.8) to deploy PicassoLoader and Cobalt Strike, the agency said.

Did you find this article interesting ? follow us on Twitter And LinkedIn to read more exclusive content we publish.

Source link

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button