Ukraine Military Targeted With Russian APT PowerShell Attack

Published: 23/11/2024   Category: security


The attack, associated with Shuckworm, employs TTPs observed in prior campaigns against the Ukrainian military, predominantly using PowerShell.



A sophisticated Russian advanced persistent threat (APT) has launched a targeted PowerShell attack campaign against the Ukrainian military.
The attack is most likely perpetrated by malicious threat actors related to Shuckworm, a group with a history of campaigns against Ukraine, motivated by geopolitical, espionage, and disruption interests.
The malicious campaign, tracked by Securonix under the name STEADY#URSA, employs a newly discovered SUBTLE-PAWS PowerShell-based backdoor to infiltrate and compromise targeted systems.
This type of backdoor allows threat actors to gain unauthorized access, execute commands, and maintain persistence within compromised systems.
The attack methodology involves the distribution of a malicious payload through compressed files delivered via phishing emails.
Distribution and lateral movement of the malware are carried out through USB drives, removing the need to access the network directly.
The report noted that a network-based approach would be made difficult by Ukraine's air-gapped communications, such as Starlink.
The campaign exhibits similarities with the Shuckworm malware, and it incorporates distinct tactics, techniques, and procedures (TTPs) observed in previous cyber campaigns against the Ukrainian military.
Oleg Kolesnikov, vice president of threat research and data science/AI for Securonix, explains that SUBTLE-PAWS differentiates itself by its fairly exclusive reliance on off-disk/PowerShell stagers for execution, avoiding traditional binary payloads. It also employs additional layers of obfuscation and evasion techniques.
"These include encoding, command splitting, and registry-based persistence, among others, to evade detection," he says.
It establishes command and control (C2) by communicating via Telegram with a remote server, using adaptive methods such as DNS queries and HTTP requests with dynamically stored IP addresses.
The malware also employs stealth measures like Base64 and XOR encoding, randomization techniques, and environment sensitivity to enhance its elusive nature.
The targeted entity executes a malicious shortcut (.lnk) file, initiating the loading and execution of a new PowerShell backdoor payload code.
The SUBTLE-PAWS backdoor is embedded within another file contained in the same compressed archive.
Kolesnikov says possible proactive measures can include implementing user education programs to recognize potential exploitation via email, increasing awareness around the use of malicious .lnk payloads on external drives to spread in air-gapped and more compartmentalized environments, and enforcing strict policies on user file decompression to mitigate risks.
To bolster USB drive security, organizations should implement device control policies to restrict unauthorized USB usage and regularly scan removable media for malware using advanced endpoint security solutions, he says.
To enhance log detection coverage, Securonix advised deploying additional process-level logging, such as Sysmon and PowerShell logging.
Organizations should also enforce strict application whitelisting policies [and] implement enhanced email filtering, proper system monitoring, and endpoint detection and response solutions to monitor and block suspicious activity, Kolesnikov says.
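As an added defender-side illustration of the logging recommendation above (this is example code, not part of the Securonix report or this article), the following PowerShell enables Script Block Logging and Module Logging through their documented Group Policy registry locations, then sweeps the PowerShell operational log for script blocks that decode Base64, apply XOR, or write Run-key persistence, the kinds of stealth measures the article attributes to SUBTLE-PAWS. The regex list and the 24-hour look-back window are assumptions chosen for this example.

```powershell
# Added example: enable PowerShell Script Block Logging and Module Logging via
# their documented policy registry keys, then hunt Event ID 4104 for encoded or
# obfuscated script blocks. Run from an elevated PowerShell session.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script Block Logging records the de-obfuscated content of each script block
# as it is compiled, so Base64/XOR-wrapped stagers are logged in the clear.
$sbl = Join-Path $policyRoot 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Module Logging records pipeline execution details for the listed modules;
# a ModuleNames value of '*' covers all modules.
$ml = Join-Path $policyRoot 'ModuleLogging'
$mlNames = Join-Path $ml 'ModuleNames'
New-Item -Path $mlNames -Force | Out-Null
Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path $mlNames -Name '*' -Value '*' -Type String

# Hunting sweep. The patterns and the 24-hour window are assumptions for this
# example; tune them to your environment and baseline.
$suspicious = @(
    'FromBase64String',        # Base64 decoding of an embedded payload
    '-enc(odedcommand)?\b',    # -enc / -EncodedCommand child launches
    '-bxor',                   # XOR decoding loops
    'CurrentVersion\\Run'      # registry Run-key persistence
)
$pattern = $suspicious -join '|'

# Event 4104 properties: [2] ScriptBlockText, [3] ScriptBlockId, [4] Path.
$hits = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match $pattern } |
    Select-Object TimeCreated,
        @{ n = 'ScriptBlockId'; e = { $_.Properties[3].Value } },
        @{ n = 'Path';          e = { $_.Properties[4].Value } },
        @{ n = 'Snippet';       e = {
            $t = $_.Properties[2].Value
            $t.Substring(0, [Math]::Min(120, $t.Length)) } }

$hits | Format-Table -AutoSize -Wrap
```

Forward the Microsoft-Windows-PowerShell/Operational channel to your SIEM alongside Sysmon process-creation events so the same patterns can be alerted on centrally rather than swept host by host.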
The ongoing ground war in Ukraine has been waged in the digital realm as well, with Kyivstar, Ukraine's biggest mobile telecom operator, suffering a cyberattack in December that wiped out cell service for more than half of Ukraine's population.
In June 2023, Microsoft released details of the Russian APT Cadet Blizzard, thought to be responsible for wiper malware deployed during the weeks leading up to Russia's invasion of Ukraine.
Russian hacktivist groups, including the Joker DPR threat group, thought to be tied to the state, have also claimed to have breached the Ukrainian military's battlefield management system, DELTA, revealing real-time troop movements.
Beyond the conflict in Eastern Europe, threat groups in Iran, Syria, and Lebanon demonstrate the threat of cyberattacks in conflicts across the Middle East. The growing sophistication of these threats indicates state-backed malicious actors are modernizing their malware techniques, and multiple threat groups are banding together to launch more complex attacks.
