Researchers have uncovered a new espionage campaign targeting government agencies and organizations operating in Russia-occupied territories of Ukraine.

Attackers used previously unknown malware strains — dubbed CommonMagic and PowerMagic — to steal data from their victims' devices, according to a new report from Kaspersky.

The campaign began in September 2021 and continues to this day. Its targets are located in the Donetsk, Lugansk and Crimea regions that Russia annexed in 2014. According to Kaspersky, government agencies, as well agriculture and transportation organizations, have been targeted.

Given the conflict in that region, it is likely a part of a cyber war between Russia and Ukraine.

The malware and techniques used are not particularly sophisticated but they are effective, the researchers said.

When Kaspersky discovered the infection in October, malicious software had already been installed on the victims' machines, meaning that some of the attacks were successful, security researcher Leonid Besverzhenko told The Record.

So far, Kaspersky hasn’t been able to attribute the campaign to any known threat actor, but Besverzhenko said the investigation is still ongoing.

Common tactics

The attackers distributed malware through phishing emails with a link to a .zip archive hosted on a malicious web server.

This archive contained two files: a document disguised as an official decree — for example about parliamentary elections in Crimea or budget planning in Donetsk — and a malicious .lnk file that, when opened, executed the malware and infected the victim's computer.

In the first stage of the attack, the hackers infected the system with a newly discovered PowerShell-based backdoor dubbed PowerMagic.

All the victims of PowerMagic were also infected with "a more complicated and previously unseen" malicious software that the researchers named CommonMagic.

The attackers likely used the PowerMagic backdoor to install CommonMagic on the targeted devices.

Although the group behind this attack is unknown, its goals are clear: “The attackers were looking to steal data,” Besverzhenko said.

After successfully penetrating the network, hackers could extract documents and files from USB devices and capture a screenshot of the victim's computer every three seconds, according to the research.

Typically, cyberattacks on Ukraine and Russia are carried out by well-known groups, each with their own unique methods. According to Kaspersky, there is no evidence linking the code and data used in this particular campaign to any previously identified group.