Attacks Against Government Entities, Defense Sector, and Human Targets

This article discusses the ongoing cyber warfare between Russia and Ukraine, highlighting attacks perpetrated by both sides against government entities, military targets, and human targets. It details significant events, cyber techniques, and implications for future warfare. Affected: Ukrainian Government, Defense Sector, Russian Government, Civilian Targets

Key points:

  • Russian XakNet hackers targeted Ukrainian government entities, erasing records from the Ministry of Justice.
  • APT29 executed a watering hole attack targeting Mongolian government websites and mobile devices.
  • KillNet claimed possession of Pegasus spyware for sale, allegedly obtained from a former NSO Group employee.
  • APT28 conducted phishing campaigns impersonating government entities across multiple countries.
  • Core Werewolf group targeted Russian agencies, demonstrating adaptability by varying its techniques.
  • Pro-Russian groups launched extensive DDoS attacks on Ukraine and allied countries, targeting key sectors.
  • Sticky Werewolf attacked Russian defense enterprises, using a multi-stage payload delivery chain.
  • APT44 targeted Ukrainian military personnel through a fraudulent Army+ application.
  • Cyber espionage tactics increased against Ukraine’s defense sector, leveraging phishing and malicious links.
  • UNC5812 engaged in influence operations to disrupt Ukrainian military recruitment efforts.
  • Pro-Russian Telegram channels were used for psychological warfare and dissemination of misinformation.
  • Lessons learned emphasize the importance of multi-layered security and collaboration in defense strategies.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: Used by APT29 for a watering hole attack against Mongolian government websites.
  • T1219 – Remote Access Software: Utilized by Sticky Werewolf to deploy the Ozone backdoor on compromised devices.
  • T1071 – Application Layer Protocol: Leveraged by APT44 to enable communication between the malicious Army+ application and its command and control server.
  • T1189 – Drive-by Compromise: Employed by APT29 exploiting zero-day vulnerabilities on websites.
  • T1203 – Exploitation for Client Execution: Exploited by various APT groups when delivering malicious attachments through phishing.
  • T1134 – Access Token Manipulation: Utilized in various attacks for maintaining persistence and remote access control.
  • T1140 – Deobfuscate/Decode Files or Information: Used in phishing campaigns, where payloads are obfuscated and decoded on the victim host to disguise malicious intent.

Indicators of Compromise:

  • [Domain] civildefense[.]com.ua
  • [Domain] nais.gov.ua
  • [Domain] minjust.gov.ua

Full Story: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacks-against-government-entities-defense-sector-and-human-targets/