Suspected Ukrainian hackers impersonating Russian ministries to spy on industry
A suspected Ukraine-linked hacker group is targeting Russian scientific and industrial enterprises in a new cyber-espionage campaign, researchers have found.
Russian cybersecurity firm F.A.C.C.T. intercepted fraudulent emails purportedly from Russia's Ministry of Industry and Trade. These emails, described in a report released Wednesday by the firm, instructed local defense industry companies to place orders with correctional facilities and suggested collaborating with prisoners who have a mechanical and engineering background.
The emails carried a malicious archive containing an executable; when the recipient ran it, it installed Ozone, a known remote access trojan (RAT) that gives the attackers remote control of the compromised machine.
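The lure described above follows a common pattern: an archive attachment that wraps a Windows executable, often with a document-like name. The following is an added example, not code from the article or from F.A.C.C.T., showing a mail-gateway-style check that opens ZIP attachments in memory and flags members that are executables by extension or by the PE "MZ" header (so a renamed binary is still caught). The archives and file names in it are constructed for illustration and are not from the campaign.

```python
"""Flag e-mail attachments that are archives wrapping an executable.

Added example, not from the F.A.C.C.T. report. The archive contents below
are constructed for illustration; no real Ozone sample is used.
"""
import io
import zipfile

# Extensions Windows will run or that launch code when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".lnk"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def executables_in_zip(data: bytes) -> list[str]:
    """Return archive members that look like executables, by name or by header."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Use the last extension so "report.pdf.exe" is judged by ".exe".
            ext = name[name.rfind("."):].lower() if "." in name else ""
            by_name = ext in EXECUTABLE_EXTENSIONS
            with zf.open(info) as member:
                head = member.read(2)  # only the header is needed for the check
            by_header = head == PE_MAGIC
            if by_name or by_header:
                hits.append(name)
    return hits


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build a ZIP archive in memory (used here to construct test inputs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples with hypothetical file names (not from the campaign).
LURE_ARCHIVE = build_zip({
    "Order_from_Ministry.pdf.exe": PE_MAGIC + b"\x90\x00" * 64,  # double extension
    "readme.txt": b"Please see the attached order form.\n",
})
DISGUISED_ARCHIVE = build_zip({
    "order_form.docx": PE_MAGIC + b"\x90\x00" * 64,  # PE bytes behind a document name
})
BENIGN_ARCHIVE = build_zip({
    "order_form.pdf": b"%PDF-1.4\nplaceholder document body\n",
})


def triage(data: bytes) -> str:
    """Verdict string for one attachment, suitable for a quarantine rule."""
    hits = executables_in_zip(data)
    return "quarantine: " + ", ".join(hits) if hits else "clean"


if __name__ == "__main__":
    for label, archive in (("lure", LURE_ARCHIVE),
                           ("disguised", DISGUISED_ARCHIVE),
                           ("benign", BENIGN_ARCHIVE)):
        print(label, "->", triage(archive))
```

The header check matters more than the extension list: renaming a binary defeats the extension rule, while the "MZ" magic survives renaming. A production gateway would also recurse into nested archives and handle password-protected ones, which this example does not attempt.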
F.A.C.C.T. attributed this campaign to a suspected pro-Ukraine threat actor tracked as Sticky Werewolf. This group primarily targets government agencies, research institutes, and industrial enterprises in Russia, Poland, and Belarus, the researchers said. The group’s toolkit includes Darktrack and Ozone remote access trojans, as well as Glory Stealer and MetaStealer malware.
According to previous reports, Sticky Werewolf is one of the most active nation-state threat actors attacking Russia. Kyiv has never publicly admitted its connection to the group, and most of the research about its activity has been conducted by Russian cybersecurity firms.
However, a report by Israel-based cyber company Morphisec said the geopolitical context suggests the threat actor’s possible links to a pro-Ukrainian cyberespionage or hacktivist group, adding that this attribution "remains uncertain."
It is not clear how successful Sticky Werewolf’s latest campaign was. F.A.C.C.T. said the attacks started “after the New Year holidays,” and the researchers discovered one of the phishing emails as recently as this week.
Sticky Werewolf has previously employed similar tactics in attacks on Russian enterprises. Last year, the hackers targeted a local pharmaceutical company with a malicious email disguised as a decree from the Russian Ministry of Emergency Situations. Prior to that, Sticky Werewolf attacked a Russian research institute focused on microbiology, including vaccine development, with a phishing email sent on behalf of the local Ministry of Construction.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.