Three state-sponsored APT groups use Russia-Ukraine war for phishing campaigns

Cyber Warfare Asia
3 min read · Apr 30, 2022


As the conflict between Russia and Ukraine has escalated, security researchers have detected multiple APT campaigns. At least three different advanced persistent threat (APT) groups from across the world deployed spear-phishing campaigns in mid-March 2022 that use the ongoing Russo-Ukrainian war as a lure to deliver malware and steal sensitive information.

The campaigns, operated by three APTs named El Machete, Lyceum, and SideWinder, have targeted a variety of sectors, including finance, energy, and government.


According to Check Point Research, the victims ranged from South America to the Middle East, and the malware downloaded in the campaigns was designed to perform keylogging, capture screenshots, and execute commands. Many of the lure documents use malicious macros or template injection to collect sensitive information about the targeted organizations and then deploy malware.
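The two lure-document mechanisms named above, macros and template injection, both leave traces inside the OOXML container that a defender can triage before the file is ever opened. The following Python script is an added example, not code from the original post or from Check Point; it builds a constructed sample .docx in memory (the URL and file names are placeholders) and flags a VBA project part and any attached-template relationship that points to a remote URL.

```python
import io
import re
import zipfile
from typing import Optional

# Relationship type Word writes for an attached template (word/_rels/settings.xml.rels).
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def triage_docx(data: bytes) -> dict:
    """Return macro and remote-template indicators for an OOXML document given as bytes."""
    findings = {"macros": False, "remote_templates": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # A vbaProject.bin part means the document carries VBA macros.
        findings["macros"] = "word/vbaProject.bin" in names
        rels = "word/_rels/settings.xml.rels"
        if rels in names:
            xml = z.read(rels).decode("utf-8", errors="replace")
            # Inspect each <Relationship .../> element for an external attachedTemplate.
            for rel in re.findall(r"<Relationship\b[^>]*/?>", xml):
                if ATTACHED_TEMPLATE in rel and 'TargetMode="External"' in rel:
                    m = re.search(r'Target="([^"]+)"', rel)
                    if m and re.match(r"(?i)https?://", m.group(1)):
                        findings["remote_templates"].append(m.group(1))
    return findings


def build_sample(remote_template: Optional[str], with_macro: bool) -> bytes:
    """Constructed minimal .docx for demonstration only; not a real lure document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # placeholder bytes
        if remote_template:
            z.writestr("word/_rels/settings.xml.rels",
                       '<Relationships><Relationship Id="rId1" Type="%s" '
                       'Target="%s" TargetMode="External"/></Relationships>'
                       % (ATTACHED_TEMPLATE, remote_template))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample("http://template.example.invalid/lure.dotm", with_macro=True)
    print(triage_docx(sample))
```

A benign document yields no findings, so the checker can sit in a mail-gateway or sandbox pre-filter and route only flagged attachments for deeper analysis.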

The advanced persistent threat group El Machete (a Spanish-based threat actor first documented by Kaspersky in August 2014) targeted the financial and government sectors in Nicaragua and Venezuela with malicious macro-laden Word documents containing articles on the war. One of the articles, titled “Dark plans of the neo-Nazi regime in Ukraine”, was written by the Russian ambassador to Nicaragua.

Earlier, in 2017, El Machete targeted 300 unique victims in Latin America. According to the analysis by Cylance's SPEAR team, the targets were of high value and included intelligence services, the military, telecommunications and power providers, embassies, and government institutions.

Kaspersky revealed that the malware used in those attacks was distributed via social engineering techniques, namely spear-phishing emails and web infections via fake blog websites. The spear-phishing emails carried weaponized PowerPoint presentations that install malware once opened.

A second malicious campaign was operated by Lyceum (an Iranian state-linked group), which ran a phishing campaign against Israel and Saudi Arabia using emails about “Russia War crimes in Ukraine”. One email contained a link to an article from ‘The Guardian’ hosted on the news-spot domain, which served malicious documents about the war.

In the past, the two conglomerates Accenture (a multinational professional services company, through its branch in Israel) and Prevailion (based in the USA) were also targeted by Lyceum. This advanced persistent threat actor operated dozens of malicious cyber attacks between July and October 2021.

Another APT is SideWinder (a state-sponsored hacking group previously linked to India). This threat actor targeted Pakistani victims with lure documents purporting to come from the National Institute of Maritime Affairs at Bahria University (Islamabad). The document is titled “Focused Talk on Russian Ukraine Conflict Impact on Pakistan”. The attack employs a weaponized document that exploits the Equation Editor vulnerability in Microsoft Office to deliver information-stealing malware.

‘SideWinder APT’ has a history of presenting its own set of malware in an effort to mislead and evade detection against SideCopy (a Pakistani hacking group). Indian cyber-espionage firms such as Phronesis and Aglaya have been in the news for activity serving the same purpose.

The Gurugram-based cyber-intelligence firm Phronesis was established by Ram Chander Chillar in 2014. The cyber-espionage firm has expertise in offensive security (OffSec) and currently heads cyph3r (a security operations center founded in 2018). The firm’s insight services are also valued in the UAE for combining intelligence and due-diligence capabilities.

Aglaya, also known as the ‘Srivastava group’, was founded by Ankur Srivastava in 2009. The firm offers “cyber nukes”, including distributed denial-of-service (DDoS) attacks.

It is highly possible that the cyberattacks by SideWinder are run by prominent actors. SideWinder may even belong to one of the cyber-espionage firms mentioned above.


Written by Cyber Warfare Asia

Providing news related to state sponsored cyber warfare in Asia
