
APT28 attacks Ukrainian government agencies via Signal using malware
The National Cyber Incident Response Team CERT-UA has recorded new cyberattacks on government agencies. To compromise systems, the attackers use a multi-stage chain that begins with malicious documents sent via the Signal messenger.
The goal of the attacks is to gain remote access to computers for espionage and data theft.
How does it work?
- The attack begins with an attacker who has researched the target sending a Microsoft Word document (for example, "Act.doc") with an embedded macro via Signal.
- After the document is opened and the macro is enabled, a hidden infection mechanism runs on the computer and establishes persistence for the malicious code in the system.
- The next step activates a component of the COVENANT framework in the computer's memory. It uses the API of the legitimate Koofr cloud service to receive commands from the attackers.
- Through COVENANT, the main spyware is downloaded and launched on the computer: the BEARDSHELL backdoor. This program gives the attackers full control over the affected device.
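To show how a defender can spot the chain described above, here is an added detection example (not code from CERT-UA or from the advisory). It runs two rules over constructed, simplified Sysmon-style telemetry, Office spawning a script host and a non-browser process talking to a cloud-storage API, and correlates them per host; the event fields, process names and the Koofr host name are assumptions for illustration, not published indicators.

```python
import json

# Constructed sample telemetry (simplified Sysmon-style records): id 1 = process
# creation, id 3 = network connection. Values are illustrative assumptions only.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "parent": "explorer.exe", "image": "WINWORD.EXE",
     "cmd": "WINWORD.EXE Act.doc"},
    {"id": 1, "host": "ws01", "parent": "WINWORD.EXE", "image": "rundll32.exe",
     "cmd": "rundll32.exe C:\\Users\\u\\AppData\\Roaming\\x.dll,Start"},
    {"id": 3, "host": "ws01", "image": "rundll32.exe", "dst_host": "app.koofr.net", "dst_port": 443},
    {"id": 3, "host": "ws02", "image": "chrome.exe", "dst_host": "app.koofr.net", "dst_port": 443},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children that Office rarely spawns legitimately; a macro launching one is a classic malicious-document sign.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "rundll32.exe", "regsvr32.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Cloud-storage API host that can be abused as a command relay (assumed Koofr host name, for illustration).
CLOUD_API_HOSTS = {"app.koofr.net"}


def detect(events):
    """Return (rule, host, detail) tuples for events matching either rule."""
    alerts = []
    for e in events:
        image = e["image"].lower()
        if e["id"] == 1 and e["parent"].lower() in OFFICE and image in SUSPICIOUS_CHILDREN:
            alerts.append(("office_spawns_script_host", e["host"], e["cmd"]))
        elif e["id"] == 3 and e["dst_host"].lower() in CLOUD_API_HOSTS and image not in BROWSERS:
            alerts.append(("non_browser_cloud_api_connection", e["host"],
                           f'{e["image"]} -> {e["dst_host"]}:{e["dst_port"]}'))
    return alerts


def correlate(alerts):
    """Hosts where both rules fired: a macro-launched process plus cloud-API beaconing."""
    rules_by_host = {}
    for rule, host, _ in alerts:
        rules_by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, r in rules_by_host.items() if len(r) == 2)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(json.dumps(a))
    print("high-confidence hosts:", correlate(found))
```

A single cloud-API connection from a browser (ws02 above) is normal user activity and is deliberately not flagged; the per-host correlation is what raises confidence that the macro-to-cloud-C2 chain is present.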
CERT-UA associates this activity with the UAC-0001 (APT28) hacker group, which is controlled by Russian special services.
SSSCIP of Ukraine emphasizes the importance of cyber hygiene. Be vigilant, do not open suspicious files and do not enable macros in documents received even through instant messengers. Please report any suspicious incidents to CERT-UA.
CERT-UA is grateful to all cyber defense entities for their timely reporting and active information sharing, which allows us to respond promptly to such incidents. If you discover any suspicious incidents, please contact CERT-UA immediately: incidents@cert.gov.ua, tel. +38 (044) 281-88-25.
More details are available on the CERT-UA website.