APT28 Employs Windows Update Lures to Trick Ukrainian Targets

The Russia-linked APT28 hacking group targeted Ukrainian government bodies in a spear-phishing campaign that uses phony “Windows Update” guides.

In April, CERT-UA observed malicious emails being sent on Microsoft Outlook from what appeared to be system administrators at government bodies — with a subject line that read “Windows Update.” The emails sought to trick the recipients into “launching a command line and executing a PowerShell command.”

Operating out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU), the APT28 group has been known to be active since 2007 and has targeted a variety of operations globally, including governments, security organizations, militaries, and the 2016 US presidential election.

“The mentioned command will download a PowerShell script that, simulating the process of updating the operating system, will download and execute the following PowerShell script designed to collect basic information about the computer using the ‘tasklist’, ‘systeminfo’ commands, and send the received results using HTTP request to the Mocky service API,” the CERT-UA alert stated.

Going forward, CERT-UA recommends that organizations placing restrictions on PowerShell use and monitor network connections to the Mocky service API. The NCSC, NSA, CISA, and FBI was also released a joint advisory with information on tactics, techniques, and procedures (TTPs) connected with APT28’s attacks.