
APT28 Spear-Phishes Ukrainian Critical Energy Facility – Source: www.govinfosecurity.com


Source: www.govinfosecurity.com

Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime

Energy Facility Impeded Attack by Blocking the Launch of the Windows Script Host

Mihir Bagwe (MihirBagwe) •
September 5, 2023    

Ukrainian soldiers from the 72nd Mechanized Brigade in a photo dated Jan. 24, 2023 (Image: Ministry of Defense of Ukraine)

Ukrainian cyber defenders said Russian military hackers targeted a critical energy infrastructure facility with phishing emails containing a malicious script leading to cyberespionage.


The Computer Emergency Response Team of Ukraine on Monday linked the campaign to APT28, the Russian GRU hacking group also known as Fancy Bear and Forest Blizzard, which was formerly Strontium.

The Russian state hacking group is behind a number of spear-phishing campaigns against Kyiv. U.S. and U.K. authorities earlier this year warned that the group had been exploiting a known vulnerability to deploy malware and access Cisco routers worldwide (see: Ukraine Facing Phishing Attacks, Information Operations).

CERT-UA released the report as Ukrainian forces have reportedly breached the southern first line of Russian defenses.

GRU hackers sent emails with a zip archive containing decoy jpeg files and a batch file named weblinks.cmd. Running the batch file opens decoy webpages and launches a VBS script that executes a .bat file.

The batch file uses the Microsoft Edge browser in headless mode to connect to a URL. A headless browser lacks a graphical user interface and is mainly used for testing or scraping. The attackers also download the Tor anonymity browser onto victim computers in a bid to siphon information out through The Onion Router. APT28 also uses a PowerShell script to obtain the password hash of the victim's account and transmit it over the SMB protocol.

A cyber defender at the energy facility impeded the attack by blocking access to mockbin.org and mocky.io and stopping the launch of the Windows Script Host, CERT-UA says.
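The two controls the defender applied, blocking the named domains and stopping the Windows Script Host, can be reproduced on a Windows host as below. This is an added example, not code from CERT-UA or the article; the hosts-file sinkhole is a stopgap for an unmanaged machine, and the audit function assumes Sysmon is installed and logging process creation (Event ID 1).

```powershell
# Added hardening/audit example; run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# 1. Disable the Windows Script Host. wscript.exe and cscript.exe honour the
#    documented 'Enabled' value under the Settings key; 0 makes them refuse to
#    run .vbs/.js files. Both the machine-wide and current-user keys are set.
function Disable-WindowsScriptHost {
    foreach ($key in @('HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
                       'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

# 2. Sinkhole the two domains the report names via the hosts file. On a managed
#    network a DNS or proxy block list is the proper place for this control.
function Block-DomainsViaHostsFile {
    param([string[]]$Domains)
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $existing = Get-Content -Path $hosts -ErrorAction SilentlyContinue
    foreach ($d in $Domains) {
        $pattern = "^\s*0\.0\.0\.0\s+$([regex]::Escape($d))(\s|`$)"
        if (-not ($existing -match $pattern)) {
            Add-Content -Path $hosts -Value "0.0.0.0 $d"
        }
    }
}

# 3. Audit: list recent launches of Edge in headless mode, the behaviour the
#    report attributes to the batch file. Sysmon Event ID 1 records the command line.
function Find-HeadlessEdgeLaunches {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'msedge\.exe' -and $_.Message -match '--headless' } |
        Select-Object TimeCreated, @{ n = 'CommandLine'; e = {
            ($_.Message -split "`r?`n" | Where-Object { $_ -like 'CommandLine:*' }) -replace '^CommandLine:\s*', ''
        } }
}

Disable-WindowsScriptHost
Block-DomainsViaHostsFile -Domains @('mockbin.org', 'mocky.io')
Find-HeadlessEdgeLaunches | Format-Table -AutoSize
```

Headless Edge has legitimate uses (automated testing, PDF rendering), so treat hits from the audit as leads to triage against the parent process and the batch-file chain described above, not as confirmed compromise.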

Original Post URL: https://www.govinfosecurity.com/apt28-spear-phishes-ukrainian-critical-energy-facility-a-23013
