Phishing: this is how the malware gets in!

I’ll start this story with an example of a phishing campaign run by one of the Russian-sponsored hacking groups currently involved in the Russia–Ukraine conflict. You are not likely to be one of their carefully selected targets, but it illustrates how other threat actors operate.

The group is called Gamaredon (also known as Armageddon, UAC-0010 and Shuckworm), and it has been successful against state targets in Ukraine.

Russian hacking group Armageddon increasingly targets Ukrainian state services (therecord.media)

Two very simple techniques are used – phishing and USB drives.

The first, and most common, is via electronic communications: email, or a message via WhatsApp, Signal, Telegram etc.

The first step in the attack is to get the victim to open an infected attachment, which may look like a Microsoft Office file but is actually an HTM, HTA or LNK file. Once opened, a series of PowerShell scripts and malware are executed on the computer. One of the steps in the infection is to rewrite the Microsoft Office templates so they include a malicious macro. Now, whenever an unsuspecting user creates a new Office file from that template and then shares the document, the malware infection is spread.
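As an added illustration (not code from the original article), here is a small Python check that a mail gateway or an analyst could run over incoming attachments to flag the disguise described above: a file named like an Office document whose content is actually HTM/HTA markup or a Windows shortcut (LNK). The filenames and byte samples are constructed for the example; LNK_CLSID is the standard ShellLink header identifier.

```python
import re

# ShellLink header: size 0x4C then the ShellLink CLSID (standard values, used here as constants).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
OFFICE_EXTS = {"doc", "docx", "docm", "xls", "xlsx", "xlsm", "ppt", "pptx"}
SCRIPT_EXTS = {"htm", "html", "hta", "lnk"}

def sniff(content: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring the filename."""
    if content.startswith(b"PK\x03\x04"):
        return "ooxml"      # .docx/.xlsx/.pptx are ZIP containers
    if content.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole"        # legacy .doc/.xls/.ppt
    if content.startswith(b"L\x00\x00\x00") and content[4:20] == LNK_CLSID:
        return "lnk"        # Windows shortcut
    if re.match(rb"\s*<", content):
        return "markup"     # HTM/HTA (anything that opens with a tag)
    return "unknown"

def assess_attachment(name: str, content: bytes) -> list:
    """Reasons the attachment looks like a disguised script or shortcut (empty = consistent)."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner_exts = set(parts[1:-1])          # e.g. {"docx"} for "Zvit.docx.lnk"
    actual = sniff(content)
    reasons = []
    if ext in SCRIPT_EXTS:
        reasons.append(f"attachment type .{ext} runs code when opened")
    if inner_exts & OFFICE_EXTS and ext not in OFFICE_EXTS:
        reasons.append(f"double extension: Office-looking name ends in .{ext}")
    if ext in OFFICE_EXTS and actual in ("lnk", "markup"):
        reasons.append(f"claims .{ext} but content is {actual}")
    if actual == "lnk" and ext != "lnk":
        reasons.append("shortcut (LNK) content under a non-.lnk name")
    return reasons

# Constructed sample attachments (filename, leading bytes); not real campaign samples.
SAMPLES = [
    ("report.docx", b"PK\x03\x04" + b"\x00" * 26),
    ("Zvit.docx.lnk", b"L\x00\x00\x00" + LNK_CLSID + b"\x00" * 56),
    ("Nakaz.hta", b"<html><head><script>"),
    ("dovidka.doc", b"L\x00\x00\x00" + LNK_CLSID),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        verdict = assess_attachment(name, data)
        print(f"{name:16} {'SUSPICIOUS' if verdict else 'ok':11} {'; '.join(verdict)}")
```

Only the first sample passes cleanly; the other three are flagged because the extension, the content, or both reveal a script or shortcut rather than an Office document.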

Another attack vector that has been observed by Ukraine’s Computer Emergency Response Team (CERT-UA) is the use of infected USB drives. When these are passed around between users, they can greatly extend the hacking group’s persistence inside a secure network.

The phishing malware

The usual malicious package is a custom data stealer called GammaSteel. This data stealer works fast and targets only specific data – basically getting the good stuff out early, before being detected and stopped. Files with particular extensions can be targeted, as well as credentials and screenshots of infected machines.

I am not a target for these hackers, why should I worry?

That is a good point, however…

The war in Ukraine has now been going on for over a year. I suspect anyone working on a computer inside any organisation in Ukraine is very aware of the potential of a cyber attack and is constantly on the alert when dealing with email or other electronic communications, or even just using a USB drive. And yet Gamaredon is having a surge in successes. The social engineering messages and disguised USB drives are working to break down the suspicion that must be a part of every Ukrainian’s daily life.

Your Takeaway

Hackers are succeeding against a highly motivated and suspicious group of users. How successful would an ordinary phishing email be if it were crafted as well as the Gamaredon emails are? What could a fast data stealer steal from you?

Hackers share the techniques that succeed.

Cyber security awareness training is part of the answer. Buy ours or buy someone else’s but get your people trained.

Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

Infected USB Drives

If you must use portable USB drives, then you must read this…
