Russian hackers reportedly using fake Windows Updates to target Ukrainian government

Ever since the Russian invasion of Ukraine began, Russia has been using all sorts of tactics, including cyber warfare, to tip the scales in its favour. Now, according to security researchers from the Computer Emergency Response Team of Ukraine (CERT-UA), Russian state-sponsored hackers from the APT28 group are targeting Ukrainian government employees with malware disguised as Windows updates to steal vital information.

These attacks involve Russian hackers sending malicious emails that contain instructions on how to update Windows as a defence against cyber attacks. However, instead of providing legitimate instructions, the email contains a PowerShell command that downloads a PowerShell script. This script then simulates a fake Windows update while downloading a second payload in the background, which is a tool that harvests and sends data to a Mocky service API via an HTTP request. Moreover, to make these malicious emails appear more credible, the attackers also created fake @outlook.com email addresses using the real names of system administrators.

In an effort to prevent employees from falling victim to this attack, the CERT-UA has advised all system administrators to restrict the ability to launch PowerShell on critical computers and monitor network traffic for connections to the Mocky service API.

Not the only cyberattack on Ukraine

The war between Russia and Ukraine has been going on for over a year now, and this is not the first time the state-sponsored APT28 group has been linked to cyber attacks on Ukraine. In fact, Google’s Threat Analysis Group recently reported that over 60% of the total cyber-attacks and phishing emails targeting Ukraine originated from Russia, with APT28 behind a significant portion of them.

As the war continues to prolong and Ukraine manages to stand its ground, Russia will likely launch new forms of attacks to weaken Ukraine’s defenses. Therefore, companies and government entities must train their employees to identify and report suspicious emails and keep all software up to date.