Powered by MOMENTUM MEDIA
cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Russian state-backed hacking group Fancy Bear linked to malware campaigns in Ukraine

Ukraine cyber security officials have warned that Russian-backed hacking group “Fancy Bear” has conducted two hacking campaigns spreading malware via email.

user iconReporter
Wed, 22 Jun 2022
Russian state-backed hacking group Fancy Bear linked to malware campaigns in Ukraine
expand image

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued alerts about two new hacking campaigns spreading malware via a malicious Microsoft Word document titled "Imposition of penalties" with a fake tax collection document attached, seemingly sent by the State Tax Service of Ukraine. CERT-UA found the harmful document was compiled on 16 June, and when opened, the document is designed to load a Cobalt Strike Beacon, enabling connection to a target system to potentially facilitate malicious activities.

The Cobalt Strike hacking is designed to enable malicious cyber actors to record victims' keystrokes and move through breached machines, according to cyber security researchers.

============
============

The other malicious document circulating warns of nuclear attack threats from Russia. According to CERT-UA, it uses malicious code in a text file that seeks to launch the CredoMap malware.

The activity has been attributed to a group tracked as UAC-0098, according to CERT-UA, which has been blamed for other attacks on Ukrainian entities following the Russian invasion on 24 February this year. UAC-0098 is suspected to be tied to TrickBot, a malware variant associated with various Russian cyber crime groups.

In a statement, Ukraine's State Service of Special Communications and Information Protection revealed that the campaign targeted unspecified critical infrastructure within Ukraine.

"According to the set of characteristic features, we consider it possible to associate the detected activity with the activities of the APT28 group."

"APT28, known widely as Fancy Bear, is a prolific Russian military intelligence hacking crew," the agency stated.

The attack appears to have leveraged on a remote code execution vulnerability tracked as CVE-2022-30190, or "Follina" that would allow an attacker to take control of an affected system.

[Related: Snake Keylogger identified as top malware circulating in Australia]

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.