APT28’s Cyber Espionage: Targeting Governmental Systems in Ukraine and Poland

APT28 group
Example of a search URI execution

In late 2023, the Ukrainian government computer emergency and incident response team (CERT-UA) revealed a meticulously orchestrated espionage campaign, targeting government organizations across Ukraine and extending its reach to Poland and possibly Azerbaijan. Orchestrated by the notorious APT28 group, this campaign was a masterclass in cyber deception and manipulation.

Also, a cyber campaign targeting government organizations in Ukraine and Poland (potentially Azerbaijan) has come to light, with Harfang Lab discovering additional malicious files and infrastructure. The campaign, which began no later than December 13, 2023, leveraged compromised Ubiquity network devices. While APT28’s involvement remains unclear, Harfang Lab is confident these elements are part of a larger operation.

Utilizing spear-phishing tactics, the attackers lured unsuspecting users to a remote HTML page. The trap was set with a seemingly innocuous Windows shortcut, but in reality, it was a gateway for deploying sinister tools: MASEPIE and OCEANMAP for remote execution, STEELHOOK for credential stealing, and Impacket for reconnaissance and credentials harvesting.

The campaign’s modus operandi involved exploiting compromised email accounts to send phishing emails containing links to malicious web pages. These pages, cleverly designed with blurred document previews, tricked targets into triggering embedded JavaScript. This script not only established connections to an external hostname but also redirected to a URI, setting off a chain of malicious activities.

Example of a search URI execution

The true sophistication of this campaign lay in its use of seemingly legitimate Ubiquity network devices as part of its infrastructure. This clever disguise allowed the attackers to operate under the radar, leveraging compromised devices while maintaining plausible deniability.

“The general sophistication and stealth level of the described toolset and associated activities are quite low, but are a perfect fit to continuously put pressure on Ukraine’s (and supporters’) cyberdefence capabilities, while keeping the investment level reasonable, as well as enabling basic intelligence collection (technical reconnaissance, credentials collection),”  the researcher concluded.

This campaign stands as a stark reminder of the evolving threats in cyberspace, where even the most unsuspecting elements can turn into weapons of cyber warfare. As we navigate this treacherous digital landscape, the need for robust cybersecurity measures and constant vigilance has never been more critical.