Government entities in Ukraine, including its military departments, were targeted with a spearphishing email campaign intended to conduct cyber-espionage early this year, according to a new report out Tuesday from FireEye.
The malware and infrastructure from the campaign suggest the group behind the attack may have been active as early as 2014, and that it’s linked with the self-proclaimed Luhansk People’s Republic, a group that declared independence from Ukraine in 2014 with backing from Russia’s military.
This year’s campaign shows the group is becoming increasingly sophisticated in its tactics. For instance, one of the malicious files was an executable .LNK (Windows shortcut) file, which can invoke legitimate programs, such as PowerShell, Microsoft’s Windows configuration management framework, to download malware. This suggests the attackers wanted to go unnoticed, since PowerShell-based attacks blend into a trusted process that antivirus software usually doesn’t detect.
“It’s really becoming mainstream to a point where a lot of cybersecurity capabilities cannot see this type of attack happening and thus they can’t stop it or suppress it,” Tom Kellermann, Carbon Black’s Chief Cybersecurity Officer, told CyberScoop. “This type of attack methodology is very difficult for traditional antivirus players and traditional network security players to stop.”
Previous campaigns from this group have been less sophisticated, and leveraged just standalone executables or self-extracting .RAR files.
The actors behind the spearphishing are “essentially upgrading their social engineering which makes it easier to get somebody to click on something malicious,” John Hultquist, FireEye’s director of intelligence analysis and one of the researchers behind the report, told CyberScoop. “This shows that development over time where they’ve [wised] up. That sort of progress usually comes from a concerted effort … to improve their ability to get their targets to click on things.”
In an effort to trick Ukrainian government officials, the attackers impersonated Amtrac, a legitimate defense manufacturer from the U.K. Yet the hackers made a mistake: they attempted to disguise the .LNK file as a PDF, but used a Microsoft Word icon to represent the file.
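The two tells described above, a shortcut whose real target is PowerShell with download switches, and an icon borrowed from a different program than the one the shortcut actually runs, can both be read straight out of the .LNK binary format. The following parser is an added example for defenders, not code from FireEye or the report; it decodes the MS-SHLLINK header and StringData fields and flags the mismatch. `make_lnk` builds a constructed minimal sample for testing and is not a real artifact from the campaign.

```python
import re
import struct

HEADER_SIZE = 0x4C   # fixed ShellLinkHeader size
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08  # LinkFlags bits
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELPATH),   # fixed order
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON)]
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient"
                    r"|-enc|bypass|hidden", re.I)   # download-cradle / evasion switches

def parse_lnk(data: bytes) -> dict:
    """Decode the StringData fields of a .LNK: target path, arguments, icon."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 20)[0]  # after HeaderSize + LinkCLSID
    pos = HEADER_SIZE
    if flags & HAS_IDLIST:                         # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                       # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for key, bit in STRING_FIELDS:                 # CountCharacters, then chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return fields

def triage(fields: dict) -> list:
    """Reasons a shortcut matches the PowerShell-dropper pattern in the report."""
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    icon = fields.get("icon_location", "").lower()
    reasons = []
    if "powershell" in target:
        reasons.append("target is powershell.exe")
        if CRADLE.search(target):
            reasons.append("arguments carry download/evasion switches")
        if icon and not icon.endswith("powershell.exe"):
            reasons.append("icon borrowed from another program: " + icon)
    return reasons

def make_lnk(rel_path: str, args: str, icon: str) -> bytes:
    """Constructed minimal Unicode shortcut (no IDList/LinkInfo), for testing only."""
    header = struct.pack("<I16sI", HEADER_SIZE, b"\0" * 16,
                         HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE) + b"\0" * 52
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                             for s in (rel_path, args, icon))
```

Real shortcuts usually carry an IDList and LinkInfo block too; the parser skips both by their declared sizes, so it works on files saved by Explorer as well as on the minimal sample.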
Although it’s unclear at this time whether the actors were successful in pilfering data or credentials, Hultquist says he wouldn’t be surprised if they were successful.
“One of the reasons this [group] has been able to carry this on is they have a really small really narrow target base,” he said. “A lot of espionage campaigns are global or regional or they’re going after a lot of different targets, whereas this group is pretty focused on Ukraine which separates them from a lot of others. That limitation sort of allows them to … specialize and improve.”
Ukraine has been on the receiving end of similar campaigns in years past, primarily because Russia often uses the country as a testing ground for its hacking operations. At this time, however, FireEye has not made a direct connection between Russia and this spearphishing campaign.
“Luhansk the area is officially occupied by Russian forces and Russian proxies but we’ve not seen any connections,” Hultquist said. “The best that we can tell is that this is a capability that is owned and is directed by this upstart, unrecognized government.”
FireEye reports, however, that more evidence would be needed to confirm attribution to the Luhansk People’s Republic. Moving forward, the company is working with possible targets in Ukraine and will be keeping an eye out for similar malware, Hultquist said.
“The implication is that … there’s no question that sub-state actors are capable of doing this. You don’t have to be a nation with a ton of resources to carry out cyber-espionage,” Hultquist said. “What this really proves is that states aren’t the only players here. There are other sort of quasi-states which can participate, possibly even terrorist organizations.”