The US Cyber Command releases IOCs for malware used by cyber espionage group targeting Ukraine
The United States Cyber Command (USCYBERCOM) has released indicators of compromise (IOCs) for the malware families responsible for recent cyber attacks targeting Ukraine; defenders can use these indicators to identify potential intrusions on host systems.
The US Cyber Command is one of the eleven unified combatant commands of the US Department of Defense, responsible for monitoring and performing cyberspace operations in order to strengthen, integrate and bolster DoD cyberspace capabilities.
According to the Cyber Command, the identified malware samples were used to compromise several devices in both the government and private sectors in Ukraine in February 2022, prior to the Russian invasion of Ukraine. It released 20 novel indicators in various formats representing the IOCs identified during the malware attack. The Command said, “Our Ukrainian partners are actively sharing malicious activity they find with us to bolster collective cyber security, just as we are sharing with them. We continue to have a strong partnership in cybersecurity between our two nations.”
Security researchers at Mandiant, the American cybersecurity firm, confirmed the activity of several cyber espionage groups targeting Ukrainian systems and said, “The malware used in these intrusion attempts would enable a wide variety of operations and these groups have previously conducted espionage, information operations and disruptive attacks.”
They have identified one threat actor associated with cyber espionage activity, named UNC1151, which is sponsored by Belarus and provides technical support to the Ghostwriter disinformation campaigns; those campaigns targeted devices in Lithuania, Latvia, and Poland in 2020 over NATO-related issues and are backed by Russian threat actors.
Security researchers named another threat actor, UNC2589, sponsored directly by the Russian government and responsible for initiating the 2022 WhisperGate cyberattacks, which used malware that wipes the master boot record so that data cannot be recovered once a system is compromised. It disguised itself as ransomware but deleted all data rather than allowing any recovery.
Both of these attacks purposely targeted nations associated with NATO. UNC2589 deployed malware that used a Go-based backdoor to perform system surveillance and command execution, while the cyber espionage group was observed performing a Cobalt Strike Beacon attack using the same backdoor to transfer files and execute commands.