The United States Cyber Command (USCYBERCOM) this week released indicators of compromise (IoCs) associated with malware families identified in recent attacks targeting Ukraine.
The malware samples were found by the Security Service of Ukraine on various compromised networks in the country, which has seen an increase in cyber activity since before the beginning of the Russian invasion in February 2022.
USCYBERCOM has released 20 novel indicators in various formats representing IoCs identified during the analysis of recently identified malware samples, but has not shared further information on the attacks.
“Our Ukrainian partners are actively sharing malicious activity they find with us to bolster collective cyber security, just as we are sharing with them. We continue to have a strong partnership in cybersecurity between our two nations,” USCYBERCOM notes.
According to Mandiant, both public and private entities in the country have been targeted by several cyberespionage groups that used spear phishing with lures claiming urgency to gain access to networks of interest. However, the researchers did not gain visibility into follow-on activities.
“The malware used in these intrusion attempts would enable a wide variety of operations and these groups have previously conducted espionage, information operations and disruptive attacks,” Mandiant notes.
One threat actor targeting Ukraine is UNC1151, which is likely sponsored by Belarus, and which is believed to be offering technical support to the Ghostwriter disinformation campaigns. The group has continued to be highly active since the beginning of the Russian invasion.
Another adversary active in Ukraine is UNC2589, which is likely sponsored by the Russian government, and which is believed to be responsible for the January 2022 Whispergate cyberattacks. Over the past months, the hacking group was also observed targeting NATO member states in North America and Europe.
UNC2589 was seen using spear phishing themes such as Covid-19, government-related lures, the war in Ukraine, and general-purpose themes to deploy malware such as Grimplant – a Go-based backdoor that performs system surveillance and command execution – and Graphsteel – a modified, weaponized version of goLazagne, which can harvest various types of information from the target system.
UNC1151 has been targeting government and media entities in Ukraine, Latvia, Lithuania, Germany, and Poland, but it has focused mainly on Ukraine and Poland since February 2022. The cyberespionage group has been observed using Cobalt Strike Beacon – a backdoor with file transfer and shell command execution capabilities – and Microbackdoor – which can transfer files, execute commands, take screenshots, and update itself.
Related: Microsoft: Russian Cyber Spying Targets 42 Ukraine Allies
Related: Google, EU Warn of Malicious Russian Cyber Activity
Related: Pro-Russian Hackers Spread Hoaxes to Divide Ukraine, Allies