Russian hacker group targets Ukraine’s government with new phishing campaign

Russian hackers have been targeting Ukrainian government agencies with malicious emails containing fake instructions on how to protect devices from cyberattacks, Ukraine’s cyber agency reported over the weekend.

The computer emergency response team (CERT-UA) attributed the attack to the Russian state-sponsored hacker group Fancy Bear, also known as APT28. The group is responsible for the attack on the U.S. Democratic National Committee during the 2016 elections and the breach of the World Anti-Doping Agency.

Throughout the war, Fancy Bear has conducted phishing attacks on Ukraine and NATO countries. Earlier in April, the U.S. Cybersecurity and Infrastructure Security Agency released an advisory spotlighting Fancy Bear’s attacks on unpatched Cisco routers.

The hackers' most recent attack, which took place throughout April, involved sending phishing emails in which they pretended to be system administrators from the government agencies they were targeting.

The emails purportedly provided instructions in the Ukrainian language on updating the Windows system, but in reality they deceived the victims into downloading a PowerShell script.

The goal of the attack, according to CERT-UA, is to extract data from the victims' computers and send it to a web-based service known as Mocky — a legitimate website that allows developers to produce mock application programming interfaces.

CERT-UA recommends that system administrators restrict the ability to launch PowerShell on government computers and monitor network connections to the Mocky service.

Back in April, Ukraine's State Special Communications Service (SSSCIP) issued a report stating that Russian cyberattacks on local financial services, the defense industry, and the government had declined considerably since the beginning of 2023. However, the frequency of cyberattacks on the energy and media sectors remains high.

There have previously been lulls in Russian hacking activity, such as during the summer of 2022 when they appear to have been gearing up for more intense attacks on the Ukrainian energy infrastructure.

“There is no fundamental reason to believe that the downward trend in the number of cyberattacks targeting Ukrainian organizations of various forms of ownership and industries will continue,” SSSCIP said.