Russian hackers caught targeting Ukrainian research organizations

CERT-UA reveals details of a Russian malware campaign supported by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation.

The Ukrainian Computer Emergency Response Team has shared details of a recent hacking campaign targeting Ukrainian research entities.

According to CERT-UA, the hackers – designated UAC-0063 – have ties to the Fancy Bear threat actor, which is itself backed by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, still commonly known as the GRU.

The campaign began on July 8 and used a compromised email account to resend an earlier email that had already been circulated, with a Word document attached.

However, the attackers replaced the original document with one containing a malicious macro. Running the macro results in the creation of a second document with another macro, which in turn deploys the HATVIBE malware. HATVIBE is designed to deploy more malicious code from the threat actor’s command and control infrastructure.

The last observed step of the campaign was the installation of the CHERRYSPY backdoor.

CERT-UA said VirusTotal detected similar macros in a file that appears to have originated in Armenia and was spread via email correspondence “addressed to the Department of Defense Policy of the Ministry of Defense of the Republic of Armenia on behalf of the Department of International Military Cooperation of the Ministry of Defense of the Kyrgyz Republic.”

Further HATVIBE installations were made via a vulnerability in the HFS HTTP file server, most likely CVE-2024-23692.

CERT-UA also makes no secret of why the campaign might have been successful.

“The implementation of the cyberattack became possible due to the organization’s systematic neglect of recommendations typical of the current cyberthreat landscape,” CERT-UA said in its advisory (translated by Google).

In particular, CERT-UA reported a lack of multi-factor authentication, poor macro policy, and ordinary users with administrator-level access.

“Any manager and system administrator who enables cyber attacks, the means, tactics, techniques and procedures for their implementation of which have been publicly described on several occasions, contributes to the achievement of the enemy’s objectives,” CERT-UA said.
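Two of the three weaknesses CERT-UA cited, permissive macro policy and ordinary users holding administrator rights, can be checked locally on a Windows host. The script below is an added audit example, not code from CERT-UA or the article; it assumes Office 2016/365 (registry path 16.0) and PowerShell 5.1 or later for Get-LocalGroupMember.

```powershell
# Added audit example (not from CERT-UA or the article): reports a host's Office macro
# policy and interactive local administrators, the two gaps a macro-based intrusion
# like the one described relies on. Assumes Office 16.0 paths and PowerShell 5.1+.

$apps = @('Word', 'Excel', 'PowerPoint')
$findings = @()

foreach ($app in $apps) {
    # The Policies hive (set by Group Policy) overrides the per-user hive, so read it first.
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"

    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $user   = Get-ItemProperty -Path $userKey   -ErrorAction SilentlyContinue

    # VBAWarnings: 1 = enable all macros, 2 = disable with notification (Office default),
    # 3 = disable except digitally signed, 4 = disable all without notification.
    $vba = if ($policy.VBAWarnings) { $policy.VBAWarnings } else { $user.VBAWarnings }
    if (-not $vba -or $vba -lt 3) {
        $findings += "$app: VBAWarnings=$vba (unsigned macros run after a single click)"
    }

    # blockcontentexecutionfrominternet = 1 blocks macros in files carrying Mark-of-the-Web,
    # which covers attachments saved from mail clients and browser downloads.
    if ($policy.blockcontentexecutionfrominternet -ne 1) {
        $findings += "$app: macros in Internet-sourced files are not blocked by policy"
    }
}

# Any user account in the local Administrators group runs macros with admin rights,
# which is what lets a dropped payload persist and spread.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.ObjectClass -eq 'User' }
foreach ($m in $admins) {
    $findings += "Local admin: $($m.Name) (source: $($m.PrincipalSource))"
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

MFA coverage is a property of the mail and identity services rather than the endpoint, so it has to be verified in the tenant or directory configuration rather than from a host script.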

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, working for a range of print and online titles over the course of his career. He enjoys getting his feet wet in cybersecurity, especially when it allows him to talk about Lego.