Pro-Russia hack campaigns are running rampant in Ukraine

Pro-Russian threat actors are continuing their pursuit of Ukrainian targets with an array of campaigns that include fake Android apps, attacks exploiting critical vulnerabilities, and email phishing attacks that attempt to harvest login credentials, according to researchers from Google.

Turla is a Russian-speaking advanced persistent threat actor that has been active since 1997 and is among the most technically sophisticated in the world. The group targeted pro-Ukrainian volunteers with apps that pretended to be launch pads for performing denial-of-service attacks against Russian websites.

"All you need to do to start the process is install the app, open it and press start," the fake website said, claiming that the app immediately starts sending requests to Russian websites to overload their resources.

In reality, the app sends only a single request to a website, according to a researcher with Google's Threat Analysis Group. It was designed to map out the user's internet infrastructure and work out where the people who were potentially carrying out these sorts of attacks were located.

The spoofed apps were hosted on a domain that mimicked another one, which offered a genuine app for performing DoS attacks against Russian websites. That app, stopwar.apk, sent a constant stream of requests until the user stopped it.


"Based on our analysis, we believe that the StopWar app was developed by pro-Ukrainian developers and was the inspiration for what Turla actors based their fake Cyber Azov DoS app off of," Google researcher Billy Leonard wrote.

Other hacking groups sponsored by the Kremlin have also targeted Ukrainian groups. Campaigns included the exploitation of Follina, the name given to a critical vulnerability in all supported versions of Windows that was actively targeted in the wild for more than two months as a zero-day.

A CERT-UA report from June said a different Kremlin-sponsored hacking group, known as Pawn Storm, was also exploiting Follina in an attempt to install malicious software on people's computers. Sandworm is another group sponsored by the Russian government. The campaign used compromised government accounts to send links to Microsoft Office documents that were hosted on compromised websites.

Palo Alto Networks said on Tuesday that Russia's Cloaked Ursa hacking group had stepped up its attacks since the start of Russia's invasion of Ukraine. US and UK intelligence services have attributed the group to the Russian Foreign Intelligence Service.


Palo Alto Networks researchers Mike Harbison and Peter Renals wrote that this was in line with the group's historic targeting focus. The SolarWinds supply-chain attacks from 2020 and the hack of the US Democratic National Committee have been linked to the same group.

Not all of the threat groups are sponsored by the Kremlin, according to Google. A financially motivated actor impersonated the State Tax Service of Ukraine and delivered malicious documents that tried to exploit Follina. The actor is a former initial access broker for ransomware operations, according to the search engine giant.

According to the US Cyber Command, several types of malicious software are targeting Ukrainian entities, and samples of the malware have been published on a number of websites. Mandiant reported two espionage groups using the same piece of malware, one attributed to the Belarusian government and the other to the Russian government.

The European Union called out the Russian government this week for launching a distributed denial-of-service campaign.

EU officials wrote that "Russia's unprovoked and unwarranted military aggression against Ukraine has been accompanied by a significant increase of malicious cyber activities, including by a striking and concerning number of hackers and hacker groups indiscriminately targeting essential entities around the world." The statement warned that this increase in malicious cyber activities creates unacceptable risks of spillover effects, misinterpretation, and possible escalation.