Pro-Russian hacking campaigns run free in Ukraine


Pro-Russian threat actors are continuing their relentless pursuit of Ukrainian targets, with a variety of campaigns that include fake Android apps, hacking attacks that exploit critical vulnerabilities and email phishing attacks that try to harvest login credentials, Google researchers said.

One of the more recent campaigns came from Turla, a Russian-speaking advanced persistent threat actor that has been active since at least 1997 and is among the most technically sophisticated in the world. According to Google, the group targeted pro-Ukrainian volunteers with Android apps that served as launching pads to carry out denial-of-service attacks against Russian websites.


“All you need to do to start the process is to install the app, open it and press start,” claimed the fake website promoting the app. “The app immediately starts sending requests to the Russian websites to overwhelm their resources and cause a denial of service.”

In fact, said a researcher with Google’s threat analysis group, the app sends a single GET request to a target website. Behind the scenes, another Google researcher told Vice that the app was designed to map the user’s internet infrastructure and “find out where the people who are potentially carrying out these types of attacks are.”

The apps, located on a domain impersonating the Ukrainian Azov Regiment, mimicked another Android app Google first spotted in March that also claimed to carry out DoS attacks against Russian websites. Unlike the Turla apps, stopwar.apk, as the latter app was called, sent a continuous stream of requests until the user stopped them.


“Based on our analysis, we believe the StopWar app was developed by pro-Ukrainian developers and was the inspiration for what the Turla actors based their fake CyberAzov DoS app on,” wrote Google researcher Billy Leonard.

Other hacker groups sponsored by the Kremlin have also targeted Ukrainian groups. Campaigns included the exploitation of Follina, the name given to a critical vulnerability in all supported versions of Windows that was actively targeted in the wild for more than two months as a zero-day.

Google researchers confirmed a CERT-UA report from June that said another Kremlin-sponsored hacker group — tracked under a variety of names including Fancy Bear, Pawn Storm, Sofacy Group and APT28 — also exploited Follina in an attempt to infect targets with malware known as CredoMap. In addition, Google said Sandworm – another group sponsored by the Russian government – also exploited Follina. That campaign used compromised government accounts to send links to Microsoft Office documents hosted on compromised domains, primarily targeting media organizations in Ukraine.


Security firm Palo Alto Networks, meanwhile, reported Tuesday that Russia’s hacking group Cloaked Ursa (also known as APT29, Nobelium and Cozy Bear) had also stepped up malware attacks since the start of Russia’s invasion of Ukraine, in part by making malicious files available for download on Dropbox and Google Drive. US and British intelligence agencies have publicly attributed APT29 to Russia’s Foreign Intelligence Service (SVR).

“This is in line with the group’s historical targeting focus, which dates back to malware campaigns against Chechnya and other former Soviet bloc countries in 2008,” wrote Palo Alto Networks researchers Mike Harbison and Peter Renals. More recently, APT29 has been linked to a hack of the US Democratic National Committee discovered in 2016 and the SolarWinds supply chain attack from 2020.


Not all threat groups targeting Ukraine are Kremlin-sponsored, Google said. Recently, a financially motivated actor tracked as UAC-0098 impersonated Ukraine’s State Tax Service and delivered malicious documents attempting to exploit Follina. Google said the actor is a former initial access broker for ransomware operations who previously worked with the Conti ransomware group.

On Wednesday, US Cyber Command shared technical details related to what the agency said are several types of malware targeting Ukrainian devices in recent months. The malware samples are available on VirusTotal, Pastebin and GitHub. Security firm Mandiant said two separate espionage groups used the malware, one tracked as UNC1151 and attributed by Mandiant to the Belarusian government and the other tracked as UNC2589, which the firm said is “believed to be acting in support of Russian government interests and has conducted extensive espionage collection in Ukraine.”

The European Union also called out the Russian government this week, noting that a recently deployed denial-of-service campaign was just the latest example of cyberattacks it launched since the invasion.

“Russia’s unprovoked and unwarranted military aggression against Ukraine has been accompanied by a significant increase in malicious cyber activities, including by a striking and worrying number of hackers and hacker groups indiscriminately targeting essential entities globally,” EU officials wrote. “This increase in malicious cyber activities, in the context of the war against Ukraine, creates unacceptable risks of spillovers, misinterpretations and possible escalation.”
