New supply chain attack targeted Ukrainian government networks

Hackers have been targeting Ukrainian government networks with a new supply chain attack using fake Windows installers.

According to a report released by Mandiant on Thursday, threat actors tracked as UNC4166 hosted malicious files disguised as legitimate installers for Windows 10 on Ukrainian and Russian-language torrent sites, including Toloka and RuTracker. This is a novel technique in espionage operations, according to Mandiant, which is owned by Google.

The researchers identified several devices within Ukrainian government networks which were infected with malicious files beginning in July.

Once installed, these files dropped malware that spies on its victims and steals their data. The infected files use the Ukrainian language pack and are designed to target Ukrainian users.

Mandiant also discovered additional payloads that were likely deployed following the initial infection, including the STOWAWAY, BEACON, and SPAREPART backdoors, allowing hackers to maintain access to the compromised computers, execute commands, transfer files, and steal information, including credentials and keystrokes.

Threat actors also included anti-detection capabilities in their malware. It indicates that they are “security conscious and patient,” as the operation would have required significant time and resources to develop and wait for the malicious files to be installed on the targeted network, according to Mandiant.

Among the victims affected by a supply chain attack are “multiple Ukrainian government organizations,” which were “handpicked,” according to Mandiant’s vice president John Hultquist. The researchers did not specify which agencies were affected and how pirated torrent files got to their computers.

Mandiant doesn’t have enough information to attribute UNC4166 to a sponsor or previously tracked group but said its targets overlap with organizations attacked with wipers early in the war by the group Fancy Bear, which is associated with Russian military intelligence.

Mandiant believes that UNC4166 is entrusted to steal information from the Ukrainian government. There was no indication of financial motivation for the intrusions, researchers said.

Ukrainian cybersecurity officials promised to provide more details about the incident but didn't respond at the time of publication.

Supply-chain attacks have become popular among top-tier, usually nation-state, threat actors. According to Mandiant, hackers turn to them to attack high-value targets, like in the case of the SolarWinds incident, and to gain broad access to targeted networks, as in the NotPetya cyberattack that caused $10 billion worth of damage.

Pro-Russian hackers often use supply chain attacks during the war in Ukraine. “Supply chain incidents are serious and still a top concern for this conflict,” Hultquist said.