Ukrainian government agencies have been hacked after their networks were first compromised by trojanized ISO files posing as legitimate Windows 10 installers.
The malware was capable of stealing data from compromised computers, installing additional malicious tools, and exfiltrating the stolen data to attacker-controlled servers.
One of the ISOs pushed in this campaign was hosted on the Ukrainian torrent tracker Toloka[.], where a user uploaded it in May 2022.
"The ISO was designed to block the usual security telemetry that a Windows computer sends to Microsoft, and to prevent automatic updates and licensing verification," said Mandiant, which discovered the attack, in a report published on Thursday.
"There were no signs of a financial motive for the intrusions, through theft of monetizable data or deployment of ransomware and cryptominers."
Mandiant found several malware-infected devices in Ukrainian government networks, along with scheduled tasks created in mid-July 2022 that were designed to receive PowerShell commands from the attackers.
The threat actors used the Sparepart, Beacon and Stowaway backdoors to maintain access to the compromised computers, execute commands, transfer files, and steal credentials, keystrokes, and other information.
The trojanized Windows 10 ISOs were distributed through Russian- and Ukrainian-language torrent file-sharing sites, which differs from most cyber-espionage attacks, where the threat actors host their payloads on infrastructure they control.
Although the supply-chain attack ultimately focused on the Ukrainian government, the trojanized Windows ISO files themselves were made freely available to anyone via torrents.
"We assessed that the threat actor distributed the installers publicly and then used an embedded task to determine if the victim should receive additional payloads," Mandiant said.
Although the malicious Windows 10 installers weren't specifically aimed at the Ukrainian government, the threat actors analyzed the infected devices to single out those belonging to government agencies for further targeting.
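The report describes two host-level artifacts of this technique: an installer that disables Microsoft telemetry, automatic updates and license verification, and scheduled tasks that receive PowerShell commands from the attackers. The hunting script below is an added example, not code from the Mandiant report or from the threat actor; the task names, registry policy paths, service names and command-line patterns it checks are generic assumptions a responder would start from, not indicators published for this campaign. It enumerates every scheduled task whose action launches PowerShell (flagging encoded, hidden-window and download-cradle arguments), then checks whether the telemetry, update and licensing services or policies have been turned off or whether the hosts file blackholes Microsoft domains.

```powershell
# Added hunting script (not from the Mandiant report). Everything below is a
# generic check: task names, registry paths and regexes are assumptions, not
# published indicators for this campaign. Run in an elevated PowerShell 5.1+.

# --- 1. Scheduled tasks whose action runs PowerShell ------------------------
$suspicious = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Execute is the binary, Arguments the command line; either may be $null
        $exe     = [string]$action.Execute
        $argLine = [string]$action.Arguments
        if ($exe -match '(powershell|pwsh)(\.exe)?$' -or $argLine -match 'powershell') {
            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
            [pscustomobject]@{
                Task     = "$($task.TaskPath)$($task.TaskName)"
                RunAs    = $task.Principal.UserId
                Created  = $task.Date                 # registration date from the task XML, if present
                LastRun  = $info.LastRunTime
                Encoded  = [bool]($argLine -match '-(e|ec|enc|encodedcommand)\b')
                Hidden   = [bool]($argLine -match '-w(indowstyle)?\s+hidden')
                Download = [bool]($argLine -match 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient')
                Command  = "$exe $argLine"
            }
        }
    }
}
# Sort by creation date so tasks registered in the same window stand out
$suspicious | Sort-Object Created | Format-Table -AutoSize -Wrap

# --- 2. Telemetry, Windows Update and licensing tampering -------------------
# DiagTrack = telemetry, wuauserv/UsoSvc = Windows Update, sppsvc = software licensing
$services = 'DiagTrack', 'wuauserv', 'UsoSvc', 'sppsvc'
Get-Service -Name $services -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType |
    Format-Table -AutoSize

# Policy values that switch telemetry and automatic updates off
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';    Name = 'AllowTelemetry'; Bad = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate';   Bad = 1 }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and $v -eq $c.Bad) {
        Write-Warning "$($c.Path)\$($c.Name) = $v (telemetry or updates disabled by policy)"
    }
}

# hosts-file entries that blackhole Microsoft telemetry, update or licensing endpoints
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Select-String -Path $hostsFile -Pattern '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+\S*(microsoft|windowsupdate|live)\.com' |
    ForEach-Object { Write-Warning "hosts override: $($_.Line.Trim())" }
```

A stock Windows 10 install has no PowerShell-launching tasks registered outside Microsoft's own task paths, so any hit under a custom path, running as SYSTEM, with an encoded or download-cradle command line is worth pulling the task XML for; the services and policy values should all read running/automatic and unset on a machine installed from a genuine image.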
"Targets of interest in the UA government were then carefully selected. These targets overlap with GRU interests," said Mandiant Threat Intelligence VP John Hultquist.
This is not a discussion about attribution. That's fine. This is a discussion about spies spying. We won't always be able to get the goods. We can learn from this. This conflict is still very serious, and supply chain incidents remain a major concern. (3/x)
— John Hultquist (@JohnHultquist)
Targets previously attacked by Russian military hackers
This supply chain attack was carried out by a threat cluster Mandiant tracks as UNC4166, whose likely purpose is to collect and steal sensitive information from Ukrainian government networks.
Although there is no way to know for sure who was responsible, Mandiant's analysts found that the targeted organizations overlap with those attacked by APT28, the state-sponsored hackers linked to Russian military intelligence.
"UNC4166's targets overlap with those organizations that were targeted by the GRU-related clusters and wipers at the beginning of the war," Mandiant stated.
"UNC4166 had follow-on interactions with organizations that were victims of disruptive wiper attacks, and these are organizations we have associated with APT28 ever since the invasion."
APT28 has been operating on behalf of Russia's General Staff Main Intelligence Directorate (GRU) since 2004. It has been linked to campaigns targeting governments around the world, including the 2016 attacks against the Democratic Congressional Campaign Committee and the Democratic National Committee.
Multiple phishing attacks targeting Ukraine's government and military have been attributed to APT28 since Russia invaded Ukraine.
Mandiant said that the use of trojanized ISOs is a novel technique in espionage operations, and that the installers also included anti-detection capabilities. The operation would have required significant time and resources, and the attackers had to wait for the ISO to be installed on a network of interest.