Microsoft reveals some details of the Russian hacking group’s attack on Ukraine
Due to geopolitical issues, Russia is currently in a tense confrontation with Ukraine and NATO. Alongside the military confrontation, there have also been many cyberattacks against Ukraine. After the previous attack, Ukraine accused Russia of being behind it, but Microsoft, which was helping with the investigation at the time, had not finished tracing the source and did not disclose where the attack actually came from. Having now completed its investigation and attribution, the Microsoft security team has published a new report, and the hacker group it names was already well known in the industry.
Microsoft names the hacking groups it discovers after elements of the periodic table. Other codenames for the ACTINIUM group include DEV-0157 and Gamaredon, which Ukraine says is part of the Russian Security Service.
According to Microsoft researchers, since October 2021 ACTINIUM has carried out multiple destructive attacks against Ukrainian government agencies, public utilities, and private enterprises. The group's attack method is spear-phishing emails carrying documents with malicious macros that trick victims into loading malware. The latest attack also differs markedly from the previous ones: the hackers masqueraded as ransomware but in fact maliciously erased all important data.
Microsoft recently announced that Microsoft Office will by default block macros in files downloaded from the Internet from running, to stop attackers using macros for phishing. This new security strategy appears to be related to the attack method used by the Russian hacking group, which relies on macros to induce non-professional users to run malware.
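To check on a workstation whether Internet-sourced macro documents are actually blocked, the following PowerShell script (an added example, not code from the article or from Microsoft) audits the documented Office "block macros from the Internet" policy for Word, Excel and PowerPoint and reads the Mark-of-the-Web zone of a downloaded file. It assumes Office 2016/2019/Microsoft 365 (policy hive version "16.0"); the sample file path is a placeholder.

```powershell
# Added example: audit the two conditions that decide whether an Internet-sourced
# macro document can run. Assumes Office policy hive "16.0" (2016/2019/365).

function Test-MacroBlockPolicy {
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Apps) {
        # Office Group Policy writes this setting to the per-user Policies hive;
        # a DWORD value of 1 means "Block macros from running in Office files from the Internet".
        $key  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $item = Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
                                 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application = $app
            PolicySet   = ($null -ne $item)
            Blocked     = ($null -ne $item -and $item.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

function Get-FileZone {
    param([Parameter(Mandatory)][string]$Path)
    # Mark-of-the-Web is stored in the Zone.Identifier alternate data stream.
    # ZoneId 3 = Internet, 4 = Restricted Sites; Office's block applies to both.
    $stream = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    $zoneId = $null
    foreach ($line in @($stream)) {
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1]; break }
    }
    [pscustomobject]@{
        Path        = $Path
        ZoneId      = $zoneId
        HasMotW     = ($null -ne $zoneId)
        OfficeBlock = ($zoneId -in @(3, 4))   # true when the Internet-macro block would apply
    }
}

# Usage; the document path is a placeholder, not a file from the article.
Test-MacroBlockPolicy | Format-Table -AutoSize
Get-FileZone -Path "$env:USERPROFILE\Downloads\sample.docm" | Format-List
```

A file that shows HasMotW = False (for example one extracted from an archive or copied from a share that strips the stream) is not covered by the Internet block, so the audit reports on both the policy and the file.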
The study found that the spear-phishing attack against Ukraine used macros to deploy several binaries, each with a different function, which in turn downloaded further malware. The file named PowerPunch is a PowerShell-based downloader and dropper that retrieves the next-stage executable from a remote server.
The file named Pterodo is a backdoor whose functionality keeps changing, with the ability to clean up traces and hide itself, which makes it harder for security experts to analyze. The file named QuietSieve is a heavily obfuscated .NET binary designed for data exfiltration and for reconnaissance of the target host to find further leads. At present the hacker organizations involved are still active, and the various hacker attacks are not expected to stop until the geopolitical issue is fully resolved.