During a briefing at the Ukraine Media Center, Deputy Head of the National Police, Chief of the Criminal Police Mykhailo Kuznetsov said that since the beginning of the full-scale invasion of the russian federation, Ukrainian cyber police together with other law enforcement agencies have repelled and eliminated the consequences of 83 hostile cyber attacks, and have also prevented more than 300 cyber attacks that were still at the preparation stage.
In addition, according to the official, since the beginning of martial law, the cyber police have conducted more than 950 searches.
Cyber police officers also identified more than 1,700 servicemen of the russian federation who are involved in the commission of war crimes on the territory of Ukraine, and identified more than 850 propagandists of the “russian world”. During the full-scale invasion of the russian federation, the cyber police identified 50 collaborators, 44 of whom have already been notified of suspicion, Kuznetsov added.[1]
Specialists of the Government Computer Emergency Response Team of Ukraine, CERT-UA, which operates under the State Service of Special Communication, registered 203 cyber attacks in July. Compared with the previous period, the number of attacks on state administration bodies and financial institutions, on which the lives of Ukrainian citizens depend, has increased.[2]
CERT-UA also monitors the activity of the UAC-0010 (Armageddon) group.
During the first half of 2022, the main way of carrying out the malicious plan was the distribution of HTM droppers (including UTF-16 encoded ones) via e-mail, sent from compromised accounts and to private e-mail addresses, which initiate the chain that delivers GammaLoad.PS1 to the victim’s computer.
The purpose of attackers, among other things, is to steal files with a specified list of extensions, as well as authentication data of Internet browsers, for which GammaSteel.PS1 and GammaSteel.NET are used, respectively. GammaSteel.PS1 is probably a PowerShell implementation of the previously used HarvesterX.
In addition, one of the attackers’ tactics is to tamper with the template file C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Templates\Normal.dotm using a macro whose code generates a URL and adds it to every newly created document in the form of a link (so-called “remote template injection”). This leads to the infection of all documents created on the computer and to their further, unintentional distribution by the user.
Typically, scheduled tasks, the Run registry key, and environment variables are used to ensure persistence and launch payloads. The group actively uses PowerShell (powershell.exe), as well as wscript.exe and mshta.exe.[3]
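As an added illustration (not code from the CERT-UA report or from GC3), the following Python check looks for the remote template injection described above: it opens an OOXML Word template, such as the Normal.dotm path named in the text, and reports any external attachedTemplate relationship together with the presence of an embedded VBA project. The build_sample helper and the example.invalid URL are constructed test fixtures, not indicators from the report.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# OOXML relationship namespace and the relationship type Word uses for an attached template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"


def inspect_word_template(data: bytes) -> dict:
    """Return remote-template indicators for an OOXML Word file (.docx/.dotm):
    external attachedTemplate targets from word/_rels/settings.xml.rels and
    whether a VBA project (word/vbaProject.bin) is embedded."""
    result = {"external_templates": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        result["has_vba"] = "word/vbaProject.bin" in names
        if "word/_rels/settings.xml.rels" in names:
            root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # A template fetched from outside the file has TargetMode="External";
                # any such target on Normal.dotm is worth reviewing.
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    result["external_templates"].append(rel.get("Target", ""))
    return result


def is_suspicious(result: dict) -> bool:
    """A default Normal.dotm neither pulls a remote template nor carries macros."""
    return bool(result["external_templates"]) or result["has_vba"]


def build_sample(template_target: str = "", with_vba: bool = False) -> bytes:
    """Construct a minimal .dotm-like archive for testing (a stand-in, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        if template_target:
            z.writestr("word/_rels/settings.xml.rels",
                       f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                       f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}" '
                       'TargetMode="External"/></Relationships>')
        if with_vba:
            z.writestr("word/vbaProject.bin", b"placeholder")  # constructed stand-in, not a real VBA project
    return buf.getvalue()
```

Feed the raw bytes of a user's Normal.dotm to inspect_word_template; a finding of either indicator on that file matches the tampering the report describes and should be triaged.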