Hackers disguised as Ukrainian security service infect 100 government PCs

Attackers posing as members of the Security Service of Ukraine (SSU) used malicious spam emails to attack and compromise systems of the country’s government agencies.

On Monday, the Computer Emergency Response Team of Ukraine (CERT-UA) announced that attackers had successfully infected over 100 computers with the AnonVNC malware.

Some samples were signed with the code-signing certificate of a company that appears to be Chinese (Shenzhen Variable Engine E-commerce Co Ltd).

“Good afternoon, in connection with the comprehensive check of a number of organizations, I ask you to submit a list of requested documents to the Main Directorate of the SBU at the address: 01601, Kyiv 1, Malopodvalna Street, 16, by August 15, 2024. Download the official request: Dokumenty.zip,” the malicious emails say, pointing to an attachment pretending to be a list of documents required by the SSU.

The attacks began over a month ago, around July 12, with emails containing hyperlinks to a Documents.zip archive. Instead of a ZIP file, the link delivered a Windows Installer (MSI) package from gbshost(.)net, which in turn deployed the malware.

While CERT-UA does not describe the malware's capabilities in detail, it says the implant gave the threat group it tracks as UAC-0198 covert remote access to the infected computers.

[Figure: AnonVNC attack chain, as reconstructed by CERT-UA]
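The delivery chain above gives a defender three things to hunt for in web-proxy logs: the download domain gbshost(.)net, the Documents.zip / Dokumenty.zip lure name, and a URL that ends in ".zip" but actually serves an MSI package (MSI files are OLE compound documents, whose first eight bytes are D0 CF 11 E0 A1 B1 1A E1). The script below is an added example written for this article, not CERT-UA tooling; the log format, the field that records the first eight response bytes as hex, and the sample lines are all constructed here.

```python
"""Hunt for the UAC-0198 delivery chain in web-proxy logs (added example).

Assumed (constructed) log format, one request per line:
  <timestamp> <client-ip> <method> <url> <status> <content-type> <first-8-bytes-hex|->
"""
import re
from dataclasses import dataclass, field

# MSI packages are OLE compound files; this 8-byte signature identifies them.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# Indicators taken from the CERT-UA report summarized in the article.
IOC_DOMAINS = {"gbshost.net"}
LURE_NAMES = {"documents.zip", "dokumenty.zip"}

# Content types a proxy might label an MSI with (assumption: varies by proxy).
MSI_CONTENT_TYPES = {"application/x-msi", "application/x-ole-storage"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<magic>[0-9a-fA-F]{16}|-)$"
)


@dataclass
class Hit:
    ts: str
    src: str
    url: str
    reasons: list = field(default_factory=list)


def inspect_line(line: str):
    """Return a Hit if the request matches any indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line; a real pipeline would count these
    url = m["url"]
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    filename = url.split("/")[-1].lower()
    reasons = []

    if host in IOC_DOMAINS:
        reasons.append("known-bad domain")
    if filename in LURE_NAMES:
        reasons.append("lure filename")

    # The core of the lure: a ".zip" link whose body is really an OLE/MSI file.
    magic = m["magic"]
    served_msi = m["ctype"] in MSI_CONTENT_TYPES or (
        magic != "-" and bytes.fromhex(magic) == OLE_MAGIC
    )
    if filename.endswith(".zip") and served_msi:
        reasons.append("zip link served MSI/OLE payload")

    return Hit(m["ts"], m["src"], url, reasons) if reasons else None


def hunt(lines):
    """Run inspect_line over every log line and keep the hits, in order."""
    return [h for h in (inspect_line(l) for l in lines) if h is not None]


# Constructed sample log: one benign PDF, the lure itself, a benign ZIP, and
# the same lure name hosted elsewhere but still serving an OLE payload.
SAMPLE_LOG = [
    "2024-07-12T09:14:03Z 10.20.1.15 GET https://intranet.example/docs/report.pdf 200 application/pdf 255044462d312e37",
    "2024-07-12T09:15:41Z 10.20.1.15 GET https://gbshost.net/Documents.zip 200 application/octet-stream d0cf11e0a1b11ae1",
    "2024-07-12T09:16:02Z 10.20.1.22 GET https://files.example/archive.zip 200 application/zip 504b030414000000",
    "2024-07-12T09:17:30Z 10.20.1.31 GET https://cdn.example/Dokumenty.zip 200 application/octet-stream d0cf11e0a1b11ae1",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} {hit.url}: {', '.join(hit.reasons)}")
```

The third indicator is the one worth keeping after the domain and filename rotate: a download whose URL promises an archive but whose bytes are an OLE compound document is a mismatch no legitimate file server produces, so it survives changes to the infrastructure the report names.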

“CERT-UA has identified more than 100 affected computers, particularly at central and local government agencies,” CERT-UA said.

“Note that related cyberattacks have been conducted since at least July 2024 and may have a broader geographic scope.”

Ukraine under attack

Last month, cybersecurity firm Dragos announced that a cyberattack in late January 2024 used Russia-linked malware FrostyGoop to turn off heating in over 600 residential buildings in Lviv, Ukraine, for two days in subzero temperatures.

FrostyGoop is the ninth ICS malware discovered in the wild, and many of its predecessors are linked to Russian threat groups. Among them are CosmicEnergy, found by Mandiant, and Industroyer2, discovered by ESET, which Sandworm used in a failed April 2022 attack on a Ukrainian energy company.

In April, CERT-UA also announced that the notorious Russian military hacker group Sandworm had targeted and, in some cases, hacked 20 critical energy, water and heating infrastructure organizations in Ukraine.

In December 2023, Sandworm also hacked into and wiped thousands of systems on the network of Kyivstar, Ukraine's largest telecommunications service provider. As CERT-UA revealed in October 2023, the group had breached the networks of eleven Ukrainian telecommunications providers since May 2023.

The Main Intelligence Directorate (GUR) of the Ukrainian Defense Ministry also claimed that it hacked the Russian Defense Ministry in March, after previously claiming responsibility for attacks on the Russian Center for Space Hydrometeorology, the Russian Air Transport Agency and the Russian Tax Service.
