Ukrainian government entities were hacked in targeted attacks after their networks were first compromised via trojanized ISO files posing as legitimate Windows 10 installers.
These malicious installers delivered malware capable of collecting data from compromised computers, deploying additional malicious tools, and exfiltrating stolen data to attacker-controlled servers.
One of the ISOs pushed in this campaign was hosted on the toloka[.]to Ukrainian torrent tracker by a user created in May 2022.
“The ISO was configured to disable the typical security telemetry a Windows computer would send to Microsoft and block automatic updates and license verification,” said cybersecurity firm Mandiant, which discovered the attacks on Thursday.
“There was no indication of a financial motivation for the intrusions, either through the theft of monetizable information or the deployment of ransomware or cryptominers.”
While analyzing several infected devices on Ukrainian Government networks, Mandiant also spotted scheduled tasks set up in mid-July 2022 and designed to receive commands that would get executed via PowerShell.
After the initial reconnaissance, the threat actors also deployed Stowaway, Beacon, and Sparepart backdoors that allowed them to maintain access to the compromised computers, execute commands, transfer files, and steal information, including credentials and keystrokes.
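The passages above describe three things a defender can check directly on a host: whether the installation media matches the vendor's published hash, whether telemetry and Windows Update have been switched off by policy, and whether a scheduled task launches PowerShell with arguments typical of a command-retrieval stub. The following audit script is an added example for this article, not code from the article or from Mandiant; the registry paths and service names are the standard Windows policy locations, the `$IsoPath` parameter and the `PLACEHOLDER_OFFICIAL_ISO_SHA256` value are assumptions to be replaced with the real media path and the SHA-256 Microsoft publishes for the matching official ISO, and the argument regex is a heuristic that will need local tuning.

```powershell
# Added example (not from the article or Mandiant): a defender-side audit for a
# Windows 10 host that may have been built from an untrusted ISO. It checks the
# installer's integrity, telemetry / Windows Update tampering, and scheduled
# tasks that run PowerShell. Run from an elevated PowerShell prompt.

param(
    # Hypothetical path to the ISO the machine was installed from, if still available.
    [string]$IsoPath = '',
    # PLACEHOLDER: the SHA-256 Microsoft publishes for the matching official ISO.
    [string]$KnownGoodSha256 = 'PLACEHOLDER_OFFICIAL_ISO_SHA256'
)

$findings = @()

# 1. Installer integrity: compare the ISO hash against the vendor's published value.
if ($IsoPath -and (Test-Path $IsoPath)) {
    $hash = (Get-FileHash -Path $IsoPath -Algorithm SHA256).Hash
    if ($hash -ne $KnownGoodSha256.ToUpper()) {
        $findings += "ISO hash $hash does not match the expected value"
    }
}

# 2. Telemetry and update tampering. These are the standard policy locations that
#    disable diagnostic data and automatic updates; stock media does not set them.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name = 'AllowTelemetry'; Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Bad = 1 }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and $v -eq $c.Bad) {
        $findings += "Policy $($c.Path)\$($c.Name) = $v"
    }
}

# Services that carry telemetry (DiagTrack) and updates (wuauserv) should not be disabled.
foreach ($svc in 'DiagTrack', 'wuauserv') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.StartType -eq 'Disabled') {
        $findings += "Service $svc is disabled"
    }
}

# hosts-file entries that sinkhole Microsoft endpoints are a common way to block
# telemetry and activation; flag any such line (heuristic, review manually).
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $hostsFile) {
    foreach ($line in Get-Content $hostsFile) {
        if ($line -notmatch '^\s*#' -and $line -match 'microsoft\.com|windowsupdate|live\.com') {
            $findings += "hosts entry: $line"
        }
    }
}

# 3. Scheduled tasks whose action launches PowerShell with arguments typical of a
#    command-retrieval stub (encoded command, download cradle, hidden window).
$suspiciousArgs = '-e(nc|ncodedcommand)?\s|DownloadString|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression|-w(indowstyle)?\s+hidden'
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'powershell|pwsh' -and $a.Arguments -match $suspiciousArgs) {
            $findings += "Task $($task.TaskPath)$($task.TaskName): $($a.Execute) $($a.Arguments)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators found by this audit.'
} else {
    Write-Output 'Review the following:'
    foreach ($f in $findings) { Write-Output " - $f" }
}
```

The script only reports; it changes nothing, so it can be run on a suspect host before deciding whether to image it. A hit in section 3 deserves a look at the task's trigger and registration time as well, since the article notes the tasks in this campaign were created in mid-July 2022, weeks before any follow-on activity.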
The trojanized Windows 10 ISOs were distributed via Ukrainian and Russian language torrent file-sharing platforms, unlike similar attacks where cyber-espionage groups host payloads on their infrastructure.
While this supply chain attack has hit the Ukrainian government, the malicious Windows ISO files made available through torrents
“We assess that the threat actor distributed these installers publicly, and then used an embedded scheduled task to determine whether the victim should have further payloads deployed,” Mandiant added.
While the malicious Windows 10 installers were not specifically targeting the Ukrainian government, the threat actors analyzed infected devices and performed further, more focused, attacks on those determined to belong to government entities.
“Targets of interest in UA government were then handpicked. Those targets overlap with GRU interests,” tweeted Mandiant Threat Intelligence VP John Hultquist.
We’re not there on attribution here. That’s fine. We’re talking about spies here (probably) and we won’t always have the goods. That doesn’t mean we can’t take the lesson. Supply chain incidents are serious and still a top concern for this conflict. (3/x)
— John Hultquist (@JohnHultquist) December 15, 2022
Targets previously attacked by Russian military hackers
The threat group behind this supply chain attack is being tracked as UNC4166, and its likely goal is to collect and steal sensitive information from Ukrainian government networks.
While there is no clear attribution at this time, Mandiant’s security researchers have found that the organizations attacked in this campaign were previously on the target list of APT28 state hackers with links to Russian military intelligence.
“UNC4166’s targets overlap with organizations targeted by GRU-related clusters with wipers at the outset of the war,” Mandiant said.
“The organizations where UNC4166 conducted follow-on interactions included organizations that were historically victims of disruptive wiper attacks that we associate with APT28 since the outbreak of the invasion.”
APT28 has been operating since at least 2004 on behalf of Russia’s General Staff Main Intelligence Directorate (GRU) and has been linked to campaigns targeting governments worldwide, including a 2015 hack of the German federal parliament and attacks against the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) in 2016.
Since Russia’s invasion of Ukraine started, multiple phishing campaigns targeting the Ukrainian government and military organizations have been tagged as APT28 operations by Google, Microsoft, and Ukraine’s CERT.
“The use of trojanized ISOs is novel in espionage operations, and the included anti-detection capabilities indicate that the actors behind this activity are security conscious and patient, as the operation would have required significant time and resources to develop and wait for the ISO to be installed on a network of interest,” Mandiant added.