Ukraine’s CERT discloses cyberattack on critical energy infrastructure by APT28 hacker group

The Computer Emergency Response Team of Ukraine (CERT-UA) recorded on Tuesday a targeted cyber attack against a critical energy infrastructure facility in the country. The advisory added that the described activity is carried out by the Russian state-sponsored APT28 hacker group. The agency confirmed that they were able to prevent any intrusion. 

According to a system-generated translation of the CERT-UA advisory, “To implement the malicious plan, an e-mail message with a fake sender address and a link to an archive, for example, ‘photo[dot]zip, was distributed. Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file ‘weblinks[dot]cmd’ to the victim’s computer. Running the CMD file will open several decoy web pages, create ‘[dot]bat’ and ‘[dot]vbs’ files, and launch a VBS file that will in turn execute the BAT file.”

“During the research, a CMD file designed to execute the ‘whoami’ command and transmit the result using an HTTP GET request executed using the Microsoft Edge program in ‘headless’ mode was downloaded to the computer,” the advisory added.

“In the process of controlled emulation of the damage, it was additionally revealed that the TOR program will be downloaded from the file[dot]io file service on the victim’s computer and ‘hidden’ services will be created, designed to redirect information flows through the TOR network to the appropriate hosts of the local computer network, in particular, the controller domain (ports: 445, 389, 3389) and mail server (ports: 443, 445, 3389),” the CERT-UA advisory added. “In addition, a PowerShell script was used to obtain the password hash of the account, which opens a socket and initiates an SMB connection to it using the ‘net use’ command.”

At the same time, remote execution of commands is implemented using ‘curl’ through the API of the legitimate webhook[dot]site service; persistence is ensured by creating scheduled tasks to run a VBS script with a BAT file as an argument.

“By restricting access to the web resources of the Mockbin service (mockbin[dot]org, mocky[dot]io) and blocking the launch of Windows Script Host (in particular, ‘wscript[dot]exe’) on the computer, the responsible employee of the mentioned critical energy infrastructure object managed to prevent a cyber attack,” the CERT-UA advisory said. “Note that in the context of detection and countermeasures, it is advisable to also pay attention to running ‘curl’ and ‘msedge’ with the ‘–headless=new’ option.”

Lastly, the advisory said that “it is obvious that in order to bypass protection means, attackers continue to use the functionality of regular programs (so-called LOLBAS – Living Off The Land Binaries, Scripts and Libraries), and to create a control channel, they abuse the corresponding services.”

Threat intelligence firm Mandiant has disclosed that the APT28’s malware is fairly well known in the cybersecurity community. “APT28 does not appear to conduct widespread intellectual property theft for economic gain. Instead, APT28 focuses on collecting intelligence that would be most useful to a government. Specifically, FireEye found that since at least 2007, APT28 has been targeting privileged information related to governments, militaries, and security organizations that would likely benefit the Russian government,” it added.

Having tracked APT28 hacker group through multiple attacks and intrusions, FireEye has a unique understanding of the group’s motives and techniques, tactics and procedures (TTPs), Mandiant outlined. It has also described several malware samples containing details that indicate that the developers are Russian language speakers operating during business hours that are consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg.

In April, lead security agencies in the U.S. and U.K. published a joint Cybersecurity Advisory (CSA) report on the TTPs associated with APT28’s exploitation of Cisco routers. The agencies assess that the APT28 hacker group exploits a known vulnerability to carry out reconnaissance of routers and deploy malware, while also accessing poorly maintained Cisco routers and deploying malware on unpatched devices using CVE-2017-6742.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.