Ukraine warns: Russian APT28 hacker group impersonates system administrators to conduct phishing attacks.

Ukraine’s Computer Emergency Response Team (CERT-UA) has recently issued a warning regarding the Russian hacker group APT28, which primarily targets Ukrainian government agencies and businesses. The group employs phishing emails disguised as system administrators to deceive victims into executing PowerShell commands. By doing so, they gain unauthorized access to victims’ computers and engage in stealing confidential information.

This attack method differs slightly from typical phishing email attacks. APT28 organization registers an email account using the actual system administrator’s name from the victim’s organization. The phishing emails appear to be sent by that administrator, making it more convincing for the victims. Once the victim executes PowerShell commands, the attackers conduct reconnaissance on the victim’s computer using commands such as tasklist and systeminfo to gather information about the system. They then send HTTP requests to a specific Mocky API to transmit this information back to the attackers’ end.

CERT-UA advises system administrators to limit the PowerShell functionality on critical computers and monitor connections to the Mocky service for any signs of abnormal traffic. By implementing these measures, even in the event of an attacker threatening the organization’s security, administrators can respond more quickly and effectively, thereby safeguarding the organization from potential threats.

Furthermore, one of the best ways to prevent such attacks is to strengthen user security awareness through training. Organizations should educate users on how to identify and avoid phishing emails, refrain from downloading suspicious files, and emphasize the importance of creating strong passwords and regularly changing them. By bolstering user security awareness, organizations can significantly reduce the success rate of such attacks and safeguard their data and assets.