Belarus threat group in Ukraine ‘bomb alert’ cyberattack

Threat actors linked to Russian ally Belarus took advantage of the attack on Ukraine to launch a barrage of their own, targeting the beleaguered country with phishing emails that played on citizens’ fear of bombardment.

“While the Russian military shelled Ukrainian towns, cyber actors were emailing public and private Ukrainian entities malicious attachments with urgent and timely titles such as ‘What to do during artillery shelling by volley fire systems’ and ‘Evacuation plan,’” said Mandiant, the cyber analyst that released the findings.

The social engineering campaigns that took place in February and March “were designed to gain access to networks of interest” but “the planned follow-on activities remain unclear, should the intrusion attempts have succeeded.” Ukraine’s security service, the SBU, appears to have intercepted the attacks before they could do any real damage.

The threat group UNC1151, believed by Mandiant to be backed by Belarus, is thought to be responsible, and the cyber analyst also believes that the Russian-affiliated group UNC2589 has been launching similar parallel cyberattacks on Ukraine.

Screenshot of busted fake email intercepted by Ukrainian intelligence

“UNC1151 is a cluster of cyber espionage activity which has links to the Belarusian government,” said Mandiant, adding that it has also provided technical support to the Ghostwriter hacking group that was banned by Meta days after the invasion.

“Though we cannot rule out Russian contributions to either UNC1151 or Ghostwriter activities, we have not yet identified evidence of any collaboration between Russian APTs [advanced persistent threats] and UNC1151,” added Mandiant.

The threat group focuses on government and media targets in Ukraine, Poland, Lithuania, Latvia, and Germany, and has been particularly active in targeting the first two countries since the Russian invasion began on February 24.

Attack method

UNC1151 embedded malware programs Beacon and Microbackdoor in the fake emails sent to victims, who had to click on the dodgy links to activate them, in what appears to have been a classic phishing, or social engineering, attack.

“Beacon is a backdoor written in C/C++ that is part of the Cobalt Strike framework,” explained Mandiant. “Supported backdoor commands include shell command execution, file transfer, file execution, and file management.”

A versatile program, Beacon can capture keystrokes and screenshots, act as a proxy server, and may also be tasked with harvesting credentials, port scanning, and monitoring network systems.

Microbackdoor has been available on the data- and expertise-sharing platform GitHub since May 2021, although in this case Mandiant believes UNC1151 modified it to include screenshot functionality. As with the original version, it can upload and download files, execute commands, and update itself.

Meanwhile, the suspected Russian group UNC2589 is thought to have been behind cyberattacks launched in March against Ukraine using the Grimplant and Graphsteel malware programs.

Grimplant is a “backdoor” attack program that abuses Google settings to gain access to a victim’s machine, which is then taken over by the malicious hacker.

Graphsteel is described by Mandiant as “an infostealer which appears to be a modified, weaponized version of the public Github project goLazagne.” It poaches browser credentials from the target device, relaying these back to the command-and-control server operated by the threat actor.
