Cyberattacks on state bodies: a multi-level interaction scheme via Word and Signal revealed

Cyberattacks on government agencies: a new multi-level scheme discovered. The State Service of Special Communications and Information Protection of Ukraine reported new targeted cyberattacks on government institutions. This is reported by UNN with reference to the message of the State Special Communications Telegram channel.

Details

The National Cyber Incident Response Team CERT-UA recorded the use of a complex multi-level method of affecting computer systems. As noted, "the attack begins with the attacker, well aware of their target, sending a Microsoft Word document (for example, "Act.doc") via Signal with an embedded macro."

After the user opens the file and activates the macro, a hidden infection process begins.

"After opening the document and activating the macro, a hidden infection mechanism is launched on the computer, the malicious code is fixed in the system," says the message.

At the next stage of the attack, the COVENANT component is activated – a hacker framework that works in the RAM of the infected device. According to CERT-UA, "it uses the API of the legitimate cloud service Koofr to receive commands from attackers."

Then the BEARDSHELL backdoor is downloaded to the system – spyware that provides full remote control over the infected computer.

As noted, "through COVENANT, the main spyware – the BEARDSHELL backdoor – is downloaded and launched on the computer, giving hackers full control over the device."

CERT-UA associates this activity with the UAC-0001 group, also known as APT28, which, according to special services, operates under the control of Russian special services.

Recall

Earlier, Minister of Digital Transformation Mykhailo Fedorov reported that Ukraine faces thousands of cyberattacks every month. Almost all employees of the Ministry of Digital Transformation use specialized AI-based software to counter viruses.

CERT-UA regularly records attempted cyberattacks on Ukrainian state bodies and critical infrastructure, especially in the context of aggression from Russia.
