APT28 Spear-Phishes Ukrainian Critical Energy Facility
Energy Facility Impeded Attack by Blocking the Launch of the Windows Script Host
Ukrainian cyber defenders said Russian military hackers targeted a critical energy infrastructure facility with phishing emails containing a malicious script leading to cyberespionage.
The Russian state hacking group is behind a number of spear-phishing campaigns against Kyiv. U.S. and U.K. authorities earlier this year warned that the group had been exploiting a known vulnerability to deploy malware and access Cisco routers worldwide (see: Ukraine Facing Phishing Attacks, Information Operations).
CERT-UA released the report as Ukrainian forces have reportedly breached the southern first line of Russian defenses.
GRU hackers sent emails with a zip archive containing decoy JPEG files and a batch file named weblinks.cmd. Running the batch file opens decoy webpages and launches a VBS script that executes a
The batch file uses the Microsoft Edge browser in headless mode to connect with a URL. A headless browser lacks a graphical user interface and is mainly used for testing or scraping. Attackers also download the Tor anonymity browser onto victim computers in a bid to siphon information through The Onion Router. APT28 also uses a PowerShell script to obtain the hash of the account password of the victim system and transmits it through the SMB protocol.
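A defender's view of the chain just described, as an added example that is not from CERT-UA or this article: a small Python checker that flags process-creation events for the three hand-offs the report names (cmd.exe launching headless Edge, cmd.exe launching the Windows Script Host, and the script chain launching PowerShell). The event field names, file paths and sample events are constructed for the example.

```python
"""Flag process-creation events matching the weblinks.cmd chain described above.
Event fields and sample events are constructed for this example, not real telemetry."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    parent_image: str  # full path of the parent process (assumed field name)
    image: str         # full path of the new process
    command_line: str  # its command line

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
def _basename(path: str) -> str:
    # Lower-case file name only, so path and case differences do not matter
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list:
    """Return the chain stages this single event matches (empty list if none)."""
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    hits = []
    # Stage 1: the batch file drives Edge with --headless, so the victim sees no window
    if parent == "cmd.exe" and child == "msedge.exe" and "--headless" in ev.command_line.lower():
        hits.append("headless_edge_from_cmd")
    # Stage 2: the batch file hands off to the Windows Script Host (the VBS stage the defender blocked)
    if parent == "cmd.exe" and child in SCRIPT_HOSTS:
        hits.append("script_host_from_cmd")
    # Stage 3: the script chain starts PowerShell (the password-hash stage)
    if child == "powershell.exe" and parent in SCRIPT_HOSTS | {"cmd.exe"}:
        hits.append("powershell_from_script_chain")
    return hits

def scan(events) -> dict:
    """Map event index -> matched stages for every event that matched something."""
    findings = {}
    for i, ev in enumerate(events):
        if hits := classify(ev):
            findings[i] = hits
    return findings
CMD = r"C:\Windows\System32\cmd.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry: the three chain stages, then two benign Edge launches
SAMPLE_EVENTS = [
    ProcEvent(CMD, EDGE, "msedge.exe --headless=new https://example.invalid/decoy"),
    ProcEvent(CMD, WSCRIPT, r"wscript.exe //B C:\Users\Public\stage.vbs"),
    ProcEvent(WSCRIPT, PS, r"powershell.exe -File C:\Users\Public\stage.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe", EDGE, "msedge.exe https://example.invalid/"),
    ProcEvent(CMD, EDGE, "msedge.exe https://example.invalid/"),  # from cmd, but not headless
]
```

Each stage is flagged on its own, so the checker still reports the earlier hand-offs when a host policy (like the facility's Windows Script Host block) stops the chain before PowerShell runs.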
A cyber defender at the energy facility impeded the attack by blocking access to mocky.io and stopping the launch of the Windows Script Host, CERT-UA says.