Russian ‘WhisperGate’ hackers use new data-stealing malware to target Ukraine • TechCrunch

Security researchers say they recently observed a Russian hacking crew, who were behind the devastating cyberattacks with the WhisperGate malware, targeting Ukrainian entities with new information-stealing malware.

Symantec's Threat Hunter Team attributed this campaign to a Russia-linked cyber threat actor widely known as TA471 (or UAC-0056), which has been active since early 2021. The group acts in support of the interests of the Russian government and, while primarily targeting Ukraine, has also been active against NATO member states in North America and Europe. TA471 has been associated with WhisperGate, a destructive data-wiping malware that was used in several cyberattacks against Ukrainian targets in January 2022. The malware masquerades as ransomware, but renders targeted devices completely inoperable, with files unrecoverable even if a ransom is paid.

According to Symantec, the hacking crew’s latest campaign relies on previously unseen information-stealing malware dubbed “Graphiron” to target Ukrainian organizations. The malware was used to steal data from infected devices from October 2022 until at least mid-January 2023, according to the researchers, who said it is reasonable to assume it is still part of the hackers’ tools.

The information-stealing malware uses file names designed to masquerade as legitimate Microsoft Office files, much like other TA471 tools such as GraphSteel and GrimPlant, which were previously used as part of a spear phishing campaign specifically targeting Ukrainian government bodies. But Symantec says Graphiron is designed to collect more data, including screenshots and SSH private keys.

“This information can be useful in itself from an intelligence perspective, or it can be used to penetrate deeper into the target organization or launch devastating attacks,” Dick O’Brien, principal intelligence analyst for the Symantec Threat Hunter Team, told TechCrunch.

O’Brien said that while not much is known about the hacking crew’s origin or strategy, TA471 has become one of the key players in Russia’s ongoing cyber campaigns against Ukraine.

News of TA471’s latest spying campaign comes days after the Ukrainian government sounded the alarm on another Russian state-sponsored hacking group, codenamed UAC-0010, which continues to launch frequent cyberattack campaigns against Ukrainian organizations.

“Although mainly using iterative combinations of techniques and procedures, adversaries are slowly but persistently evolving in their tactics and redeveloping malware variants used to remain undetected,” said the Ukrainian state Internet Protection Center. “Therefore, it remains one of the major cyber threats facing organizations in our country.”
