Russian APT Group Actively Targets Ukrainian Public Offices

A Russian hacking group has upgraded its skills to simultaneously target several thousand Ukrainian government information systems.

See Also: Fog of War | How the Ukraine Conflict Transformed the Cyber Threat Landscape

The campaign, which is tied to the Russian hacking group Armageddon, specifically targeted information systems belonging to Ukrainian public offices, the Ukrainian computer Emergency Response Team or CERT-UA said in a Friday alert.

CERT-UA uncovered the campaign after it ran an analysis on threat intelligence data collected by the agency to detect and prevent cyberattacks facing the country linked to the war with Russia.

The agency said the latest Armageddon campaign began with the hackers sending malicious Telegram and WhatsApp messages, which acted as a primary vector. These messages contained the GammaSteel info stealer disguised either as an image or document attachment.

When the malicious file is enabled, the malware, which remains active for 30 to 50 minutes, modifies media files and Microsoft Office Word templates. This allows the variant to infect all documents created in the infected system. It generates 80 to 120 malicious files within a week’s time, CERT-UA said, which allows it to simultaneously infect thousands of systems belonging to various Ukrainian public offices.

The campaign was mainly designed to steal information and gain remote access, which the variant achieves by installing the AnyDesk remote desktop application. The attackers also executed PowerShell commands to exfiltrate cookies, bypass two-factor authentication and avoid detection, CERT-UA added.

CERT-UA recommends limiting the execution of processes such as Windows, command-line and PowerShell scripts to reduce the attack vector tied to Armageddon.

Armageddon, tracked as UAC-0010 by CERT-UA, mainly consists of officers that once worked for the Security Service of Ukraine in Crimea until it became a faction of the Russian intelligence service in 2014. The group is one the most active Russian advanced persistent groups that has actively carried out cyberespionage campaigns against Ukraine since the Russian invasion of the country in February 2022.