
A suspected Russian cyber campaign has been spotted targeting eastern Ukraine, using fake bulletins about the separatist regions of Luhansk and Donetsk as a lure to steal data from unsuspecting victims.
The claim is made by cybersecurity provider Malwarebytes, whose investigative team uncovered attempts by a suspected partisan threat group it codenamed Red Stinger to obtain sensitive data, including screenshots, USB drives, keyboard strokes, and microphone recordings from military, transport, and other critical infrastructure targets in Ukraine.
The latest attack by Red Stinger took place in September during ‘independence’ elections in the Russian separatist regions of Donetsk and Luhansk in eastern Ukraine, as well as Zaporizhzhia and Kherson.
These so-called elections were condemned by Ukraine and the Western-led coalition fighting the Kremlin as bogus.
Curiously, Malwarebytes appears to believe that officers working for the Central Election Commission of the Russian Federation, which oversaw the disputed elections, were also targeted. This could indicate that the Kremlin was keeping close tabs on its own during what it would have regarded as crucial political developments in Ukraine.
The lure used to get the unwary to click on the malicious link contained in the digital booby trap purports to be about policy decisions taken by the “Donetsk People’s Republic,” which most of the international community does not recognize as a sovereign state.
But Malwarebytes believes the threat group has been active since at least 2020, launching similar campaigns around fake policy documents and commentary relating to the disputed breakaway territories, with fake documents dating back to March 2021 about the “Luhansk People’s Republic” also brought to light.
Malwarebytes also cited Kaspersky research that found evidence of similar activities attributed to the same group, albeit under the different moniker Bad Magic. It added that Kaspersky, which itself has been criticized for having ties to the Russian military, also detected the September campaign.
As well as using malicious software such as DBoxShell, malware that employs cloud storage services to carry out hijacking attacks, Red Stinger is also believed to have used legitimate tools such as Dropbox to store and share stolen data, and Ngrok, which allows web developers to deploy applications and expose services to the internet.
Also, not all the targets selected by Red Stinger were in the four breakaway regions of Ukraine. Two were located in Zhytomyr and Vinnytsia in the war-torn country’s central region, a fact that Malwarebytes noted as unusual.
NB: The name of the threat actor has been changed to Red Stinger. A previous version of this article incorrectly gave the codename assigned by Malwarebytes as Red Stealer.