State-sponsored hackers use the Russia-Ukraine war for attack campaigns

Multiple hacker groups took advantage of the conflict in Ukraine to distribute their malware and cyber espionage campaigns

Hackers use the Ukraine crisis as a scam lure. APT groups use the war in Ukraine to attract users' attention to their malicious campaigns.

Many reports of hacker and malware activity surfaced in the last month, during which Russia invaded Ukraine. Hackers exploit these geopolitical tensions, and researchers report[1] that many advanced persistent threat (APT) groups have adapted their campaigns to this new way of luring people. Attackers target victims with spear-phishing emails[2] and use the conflict, or humanitarian help for its victims, as a theme to get users' attention.

These phishing and cyber espionage methods result in the deployment of serious malware or the direct theft of sensitive information. Particular groups, such as SideWinder, Lyceum, and El Machete, target sectors including energy, finance, and government worldwide. The analyzed attacks hit Nicaragua, Venezuela, Israel, Saudi Arabia, and Pakistan.

Many of the attacks use malicious macros embedded in documents.[3] An initial foothold on the targeted network is gained through those malicious emails; once the organization's network is accessible, malware attacks can be launched. These three APT groups used various official-looking documents and direct links to alleged news articles and job offers, depending on the targeted region. Using the conflict in Ukraine as bait helps attackers lure people from Latin America, Asia, and the Middle East.
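Because the initial foothold described above comes from macro-laced attachments, a useful triage step on the mail gateway or in an analyst's sandbox is to check whether an incoming Office document carries a VBA project at all. The following Python is an added example written for this article, not code from the researchers or vendors it cites. It assumes only the standard OOXML container layout (a zip with `[Content_Types].xml` and a `vbaProject.bin` part when macros are present); the sample files it inspects are constructed in memory for demonstration and are not real Office documents.

```python
import io
import zipfile

# OOXML (docx/xlsx/pptx) stores VBA code in a part named vbaProject.bin and
# declares it in [Content_Types].xml with the content type below.
# Assumption: we only look for these standard indicators, which is enough
# for triage of ordinary macro-enabled documents.
VBA_PART_SUFFIX = "vbaproject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_indicators(data: bytes) -> dict:
    """Return indicators of embedded VBA in an OOXML file held in memory.

    Operating on raw bytes lets this run over a mail attachment without
    writing it to disk. Input that is not a zip (for example a legacy .doc
    OLE2 file) is reported as non-OOXML rather than treated as clean.
    """
    result = {"is_ooxml": False, "vba_parts": [], "content_type_hit": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True
    # Indicator 1: a VBA project part anywhere in the container.
    result["vba_parts"] = [n for n in names if n.lower().endswith(VBA_PART_SUFFIX)]
    # Indicator 2: the content-type declaration, checked independently so a
    # renamed part is still caught.
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    result["content_type_hit"] = MACRO_CONTENT_TYPE in ctypes
    return result


def has_macros(data: bytes) -> bool:
    """True if either macro indicator is present; use to quarantine for review."""
    r = find_macro_indicators(data)
    return bool(r["vba_parts"]) or r["content_type_hit"]


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped zip for testing the check.

    This is a placeholder container, not a real or malicious document; the
    vbaProject.bin payload is a dummy byte string.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = [
            '<?xml version="1.0"?><Types>',
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.'
            'wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            ct.append('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
        ct.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(ct))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("macro-enabled", build_sample(True)),
                          ("plain", build_sample(False))):
        print(label, find_macro_indicators(sample))
```

The check flags the presence of VBA, not its intent; a gateway would typically route flagged attachments to a sandbox or an analyst rather than block outright, since some business documents legitimately carry macros.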

El Machete, Lyceum, SideWinder APT groups

The Spanish-speaking threat actor group El Machete released its infection chains in 2014, when macro-laced decoy documents were used. At that time, it also started using the remote access trojan named Loki.Rat. This malware is capable of collecting keystrokes, credentials, and clipboard data. It can also be built with the ability to carry out file operations and execute arbitrary commands.

The Iranian APT group Lyceum launched its phishing attacks using emails with subject lines such as “Russian war crimes in Ukraine” to deliver the first stage of the attack chain: droppers. This infection was then used to install a backdoor on the machine that can retrieve files from a remote server.

Check Point researchers analyzed another APT group, known as SideWinder. This state-sponsored hacker group operates in support of Indian political interests and focuses strongly on China and Pakistan. Its attack chains rely on weaponized documents that exploit the Equation Editor bug in Microsoft Office.[4] This vulnerability helped the group spread its information-stealing malware.

Multiple researchers report attacks leveraging the war theme

Google's Threat Analysis Group has also recently issued a report on this issue.[5] The report states that nation-state-backed hackers from Iran, China, North Korea, and Russia, as well as other criminal crews, are abusing the current wartime situation to their advantage. These criminals are mainly financially motivated and rely on phishing campaigns, online extortion, malicious attacks, and malware deployment.

This war affects multiple regions around the world, so the public is attentive and cares about the issue, which makes the theme a powerful lure for these attackers. APT groups are expected to continue abusing this crisis to achieve their goals and to release new phishing or espionage campaigns.

Hackers and malicious attackers operate at different levels of criminality and cruelty. There have been many reports of Russian hackers taking down Ukrainian sites, hacking pages where the public can offer help, and disrupting systems related to humanitarian aid for the victims of the war in Ukraine.[6] There are also many scams and people trying to profit from this awful situation. When it comes to donation requests, news sources, and messages on social media, check the source before reading further or interacting.

About the author
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
