Ukraine's technical security and intelligence service has reported a fresh round of cyber attacks aimed at taking over users' Telegram accounts.
In an alert, the State Service of Special Communication and Information Protection (SSSCIP) of Ukraine stated that “criminals sent messages with malicious links to the Telegram website in order to gain unauthorised access to the records, including the possibility of transferring a one-time code from SMS.”
The attacks, which have been attributed to the "UAC-0094" threat cluster, begin with Telegram messages telling recipients that a login from a new device in Russia has been detected and urging them to verify their accounts by clicking a link.
The link leads to a phishing domain that asks victims for their phone number and the one-time password received by SMS; the threat actors then use these to take over the accounts.
The modus operandi resembles a previous phishing campaign disclosed in early March, which used compromised inboxes belonging to several Indian businesses to send phishing emails to Ukr.net users in order to hijack their accounts.
In another social engineering campaign discovered by Ukraine's Computer Emergency Response Team (CERT-UA), war-themed email lures were sent to Ukrainian government organisations to deliver espionage malware.
The emails carry an HTML file attachment ("War Criminals of the Russian Federation.htm") which, when opened, causes a PowerShell-based implant to be downloaded and executed on the affected computer.
CERT-UA attributed the attack to Armageddon, a Russia-based threat actor with links to the Federal Security Service (FSB) that has been targeting Ukrainian institutions since at least 2013.
In February 2022 the group was linked to espionage attacks against the government, military, non-governmental organisations (NGOs), the judiciary, law enforcement, and non-profit organisations, with the aim of exfiltrating sensitive information.
Armageddon, also known as Gamaredon, is also thought to have targeted Latvian government officials in a related phishing campaign around the end of March 2022, using war-themed RAR files to deliver malware.
Other phishing operations recorded by CERT-UA in recent weeks have delivered GraphSteel, GrimPlant, HeaderTip, LoadEdge, and SPECTR, as well as a Ghostwriter-led operation to deploy the Cobalt Strike post-exploitation framework.
According to SentinelOne, the GrimPlant and GraphSteel attacks, which are linked to a threat actor tracked as UAC-0056 (aka SaintBear, UNC2589, TA471), began in early February 2022. The payloads are malicious binaries designed to conduct reconnaissance, harvest credentials, and run arbitrary commands.
SaintBear is also suspected of being behind the WhisperGate activity that hit government offices in Ukraine in early January 2022, and of having built the infrastructure for the GrimPlant and GraphSteel campaigns as early as December 2021.
Last week, Malwarebytes Labs linked the group to a new wave of late-March attacks on Ukrainian organisations, including the private TV channel ICTV, that used spear-phishing lures with macro-embedded Excel sheets to spread the GrimPlant backdoor (aka Elephant Implant).
Several advanced persistent threat (APT) groups from Iran, China, North Korea, and Russia have used the ongoing Russia-Ukraine conflict as a pretext to backdoor target networks and carry out other malicious activity.