Ukrainian Government Targeted with Fake Windows Update

By Olivia William
Writer, Information Security Buzz | May 01, 2023 09:27 am PST

Various government entities in Ukraine have been the target of cyberattacks by Russian nation-state hackers, according to the Computer Emergency Response Team of Ukraine (CERT-UA). The agency attributed the phishing campaign to APT28, also known as Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy.

The emails have “Windows Update” as their subject line and offer instructions in Ukrainian for running a PowerShell command under the guise of security updates. When the script is run, a subsequent PowerShell script is created that gathers basic system information with commands like tasklist and systeminfo and exfiltrates it using an HTTP request to the Mocky API.

The emails used phony Microsoft Outlook email accounts made using the employees’ real names and initials to impersonate system administrators of the targeted government agencies in order to fool the targets into running the command.

CERT-UA advises enterprises to restrict users’ ability to execute PowerShell scripts and to monitor network connections to the Mocky API. The information was revealed a few weeks after APT28 was linked to attacks that exploited since-patched security holes in networking hardware to conduct reconnaissance and deploy malware against a limited number of targets.

In a warning released last month, Google’s Threat Analysis Group (TAG) described a credential harvesting operation conducted by the threat actor to divert users of Ukrainian official websites to phishing domains.

The use of a major privilege escalation vulnerability in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) in intrusions targeting European government, transportation, energy, and military sectors has also been connected to hacking groups located in Russia.

Additionally, the development coincides with the discovery by Fortinet FortiGuard Labs of a multi-stage phishing attack that uses a Word document laced with macros purportedly from Ukraine’s Energoatom as a lure to deliver the open-source Havoc post-exploitation framework.

According to a study released earlier this year by cybersecurity firm Recorded Future, it is still quite possible that Russian intelligence, military, and law enforcement agencies have a long-standing, implicit understanding with cybercriminal threat actors. In some circumstances, it is essentially known that these organizations have a formalized and organized link with cybercrime threat actors, either through covert collaboration or recruiting.


Russian hackers are sending malicious emails to Ukrainian government agencies with instructions on how to upgrade Windows to protect against cyberattacks. According to CERT-UA, APT28 (aka Fancy Bear), a Russian state-sponsored hacking outfit, sent these emails and impersonated government system administrators to fool their targets. The attackers used genuine employee identities to generate email addresses. The malicious emails tell recipients to run a PowerShell command instead of upgrading Windows.

This command simulates a Windows update by downloading a PowerShell script and a second payload in the background. The second-stage payload is a simple data harvester that leverages the ‘tasklist’ and ‘systeminfo’ commands and transfers the collected data to a Mocky service API through an HTTP request. CERT-UA advises system administrators to restrict PowerShell on important machines and monitor network traffic for Mocky service API interactions. Google’s Threat Analysis Group found that 60% of phishing emails targeting Ukraine in the first quarter of 2023 were from Russian threat actors, including APT28.
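The monitoring CERT-UA recommends can be sketched as a correlation rule. The following is an added example, not code from CERT-UA or the article: it flags a host as high priority when a PowerShell script that runs both tasklist and systeminfo is followed by a request to a Mocky hostname. The `mocky.io` suffix, the pipe-delimited log format, the host names and the 10-minute window are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

MOCKY_SUFFIX = "mocky.io"            # assumption: domain of the public Mocky service
RECON_CMDS = ("tasklist", "systeminfo")
WINDOW = timedelta(minutes=10)       # assumed correlation window

# Constructed sample events (not real telemetry): time|host|source|detail
SAMPLE = """\
2023-04-28T09:01:12|WS-014|powershell|$info = systeminfo; $procs = tasklist
2023-04-28T09:01:15|WS-014|proxy|POST https://run.mocky.io/v3/EXAMPLE-ID
2023-04-28T09:03:40|WS-022|powershell|Get-Process
2023-04-28T09:05:02|WS-022|proxy|GET https://example.org/index.html
2023-04-28T11:30:00|WS-031|proxy|GET https://run.mocky.io/v3/EXAMPLE-ID
2023-04-28T12:00:00|WS-040|powershell|tasklist /v
"""

def parse(text):
    """Yield (timestamp, host, source, detail) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, host, source, detail = line.split("|", 3)
            yield datetime.fromisoformat(ts), host, source, detail

def is_mocky(detail):
    """True if the URL (last token) targets the Mocky domain or a subdomain."""
    name = (urlsplit(detail.split()[-1]).hostname or "").lower()
    return name == MOCKY_SUFFIX or name.endswith("." + MOCKY_SUFFIX)

def is_recon(detail):
    """True if one script block invokes both collection commands."""
    low = detail.lower()
    return all(cmd in low for cmd in RECON_CMDS)

def triage(text):
    """Map host -> 'high' (recon script then Mocky request within WINDOW)
    or 'review' (Mocky request with no preceding recon script)."""
    recon, findings = {}, {}
    for ts, host, source, detail in sorted(parse(text)):
        if source == "powershell" and is_recon(detail):
            recon[host] = ts
        elif source == "proxy" and is_mocky(detail):
            seen = recon.get(host)
            if seen is not None and ts - seen <= WINDOW:
                findings[host] = "high"
            else:
                findings.setdefault(host, "review")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Matching on the parsed hostname rather than a substring keeps look-alike domains from matching, and the "review" tier still surfaces Mocky traffic from hosts where PowerShell logging is missing.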

US and UK intelligence services and Cisco warned earlier this month that APT28 was actively exploiting a zero-day hole in Cisco routers to implant ‘Jaguar Tooth’ malware to collect intelligence from US and EU targets. APT28 has exploited an Outlook zero-day vulnerability, CVE-2023-23397, since April 2022 to attack European government, military, energy, and transportation networks. Microsoft patched it in March 2023. Last year, Chinese hackers lured Russian government entities with Windows updates to drop malicious executables.
