August 12, 2024 at 02:15PM
Attackers impersonating the Security Service of Ukraine (SSU) used malicious emails to target government agencies, infecting over 100 computers with AnonVNC malware. The emails carried a link to a malicious attachment, and the campaign has been running since July 2024. The incident adds to a series of cyber attacks on Ukraine, including ones that used malware linked to Russian threat groups.
Key Takeaways:
1. Attackers impersonating the Security Service of Ukraine (SSU) have used malicious spam emails to target and compromise systems belonging to the country's government agencies.
2. The attackers infected over 100 computers with AnonVNC malware; some of the malware samples were signed with the code signing certificate of what appears to be a Chinese company (Shenzhen Variable Engine E-commerce Co Ltd).
3. The malicious emails contain a link to what is presented as a list of documents required by the SSU; the link actually leads to a Windows Installer (MSI) file hosted on gbshost[.]net that deploys the malware.
4. CERT-UA has identified more than 100 affected computers, mainly in central and local government bodies; related attacks have been carried out since at least July 2024 and may extend beyond Ukraine.
5. Earlier cyber attacks on Ukraine have involved malware such as FrostyGoop, CosmicEnergy, and Industroyer2, all of which have been linked to Russian threat groups, including the notorious Sandworm military hacking group.
6. Ukraine's Ministry of Defense has also been reported to be behind alleged hacking activities against Russian entities.
These takeaways highlight the ongoing cyber threats to Ukraine's government agencies, the involvement of malware linked to Russian threat groups, and the reported hacking activities by Ukraine's Ministry of Defense.
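The only infrastructure indicator the report gives is the hosting domain gbshost[.]net serving an MSI installer, so a practical first hunt is to search outbound proxy logs for MSI downloads from that domain. The following is an added example (not CERT-UA's or the article's code). The log format, the field layout, the client addresses and the file names in the sample are all constructed for the example; the content type `application/x-msi` is assumed to be what a proxy records for an MSI response, and a download from the suspect domain that is not obviously an MSI is still reported at lower severity, because the hosting server controls the content type it sends.

```python
"""Hunt proxy logs for Windows Installer (MSI) downloads from gbshost[.]net.

Constructed example: the log format below is a simplified proxy log with
fields <timestamp> <client ip> <method> <url> <status> <content-type>.
Adapt LINE_RE to your own proxy's format.
"""
import re
from urllib.parse import urlparse

# The only network indicator given in the report. Stored refanged so that
# hostname matching works; defanged input is normalised by refang().
SUSPECT_DOMAINS = {"gbshost.net"}

# Assumed content type for an MSI response; real servers may send anything,
# so the content type is only used to raise confidence, never to exclude.
MSI_CONTENT_TYPES = {"application/x-msi"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<ctype>\S+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps://gbshost[.]net) back into a real URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_matches(host: str, domains: set[str]) -> bool:
    """True if host is one of the domains or a subdomain of one.

    Matches on the hostname only, so 'notgbshost.net' or a path that merely
    contains the string 'gbshost.net' do not match.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def is_msi_download(url: str, ctype: str) -> bool:
    """Heuristic: URL path ends in .msi or the response was typed as an MSI."""
    path = urlparse(url).path.lower()
    return path.endswith(".msi") or ctype.lower() in MSI_CONTENT_TYPES


def scan(lines, domains=SUSPECT_DOMAINS):
    """Return a list of hits for requests whose host is a suspect domain.

    severity 'high'   : suspect domain and the object looks like an MSI
    severity 'medium' : suspect domain, any other object
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        url = refang(m["url"])
        host = urlparse(url).hostname or ""
        if not host_matches(host, domains):
            continue
        severity = "high" if is_msi_download(url, m["ctype"]) else "medium"
        hits.append({"ts": m["ts"], "client": m["client"],
                     "url": url, "severity": severity})
    return hits


# Constructed sample log: the first line models the document-list MSI lure,
# the third a non-MSI fetch from a subdomain, the fourth a decoy whose *path*
# contains the domain string and must not match.
SAMPLE_LOG = """\
2024-07-15T09:12:03Z 10.20.1.14 GET https://gbshost.net/docs/document-list.msi 200 application/x-msi
2024-07-15T09:12:05Z 10.20.1.14 GET https://www.microsoft.com/en-us/ 200 text/html
2024-07-15T09:13:41Z 10.20.1.22 GET https://cdn.gbshost.net/files/list.pdf 200 application/pdf
2024-07-15T09:14:00Z 10.20.1.30 GET https://example.org/gbshost.net/ok 200 text/html
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"[{hit['severity']}] {hit['ts']} {hit['client']} -> {hit['url']}")
```

On the constructed sample the scan reports the `document-list.msi` fetch from 10.20.1.14 as high severity and the PDF fetch from `cdn.gbshost.net` as medium, and ignores the line whose URL merely contains `gbshost.net` in its path. Any client that appears in a high-severity hit is a candidate for the follow-up the report implies: check whether the MSI was executed, and inspect the Authenticode signer of any MSI found on disk against the certificate holder named in the report.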