Researchers at Mandiant have reported that Ukrainian government entities were breached in targeted attacks where initial access was through trojanized ISO files that disguised themselves as Windows 10 installers. The ISOs were configured to disable security controls and block automatic updates and license verification. Additionally, they contained a scheduled task that was designed to receive commands to be executed via PowerShell. After initial reconnaissance was conducted via these commands, the threat actors also deployed Stowaway, Beacon, and Sparepart backdoors that allowed them to maintain persistence, transfer files, steal information, and execute further commands.
One of the ISOs pushed in this campaign had been hosted on “toloka[.]to”, a Ukrainian torrent tracker, since May 2022. Additional ISO files were found on other Ukrainian as well as Russian torrent sites. While the initial ISO files were hosted on torrent sites and did not specifically target the Ukrainian government, after initial reconnaissance the actors carried out further, more focused attacks on those victims found to be government entities. The threat actor behind this campaign is tracked as UNC4166, and its assessed goal is espionage against Ukrainian government networks. While there is no clear attribution at this time, many of the targets in this campaign were previously on the target list of APT28 and overlap with the targets of several GRU clusters, suggesting that this activity is likely a state-backed operation by Russian intelligence.
In this campaign, the initial access using the trojanized ISO file was facilitated through phishing and relied on human error to infiltrate these organizations. A look back at campaigns over the past year has shown that many threat actors have turned to phishing tactics, likely because a human operator is often one of the weakest points in an organization’s security infrastructure. General recommendations for mitigating phishing attacks are largely policy and user-education based, assuming that an organization already has a commoditized email security solution deployed. In addition, it would likely be beneficial to educate users on the dangers not only of phishing but also of using torrented software, and to implement a policy against the use of torrents if one is not already in place. Security teams can also go a step further and monitor for suspicious traffic to, or downloads from, popular torrent sites. Further, security teams can monitor for ISO files being mounted, as well as for suspicious scheduled tasks or reconnaissance commands.
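The three host-side monitoring points named above (ISO mounts, scheduled tasks that launch PowerShell with suspicious arguments, and reconnaissance tools spawned from PowerShell) can be expressed as simple triage rules over exported Windows events. The following is an added example, not Mandiant's code or a detection from the report; the event dictionaries are constructed samples, and their field names, the Security 4698 / Sysmon event 1 shapes and the VHDMP channel name are assumptions about the export format, not a real schema.

```python
import re

# Constructed sample events (assumed field names, modelled loosely on Security 4698
# "scheduled task created", Sysmon event 1 "process create" and the VHDMP mount channel).
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-VHDMP/Operational", "event_id": 1,
     "image_path": "C:\\Users\\u\\Downloads\\Win10_22H2.iso"},
    {"channel": "Security", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\Update\\Check",
     "command": "powershell.exe", "arguments": "-w hidden -enc PLACEHOLDERBASE64=="},  # placeholder
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "image": "C:\\Windows\\System32\\whoami.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"channel": "Security", "event_id": 4698, "task_name": "\\Backup\\Nightly",
     "command": "robocopy.exe", "arguments": "C:\\data D:\\bak /MIR"},            # benign task
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe"},
]

# Common built-in discovery tools; a match only counts when the parent is PowerShell.
RECON_TOOLS = {"whoami.exe", "systeminfo.exe", "ipconfig.exe", "net.exe", "net1.exe",
               "nltest.exe", "tasklist.exe", "hostname.exe", "arp.exe"}
# PowerShell switches/idioms typical of a task that fetches and runs remote commands.
SUSPICIOUS_PS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression|-nop\b)",
    re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return a finding label for one event, or None if no rule matches."""
    ch, eid = ev.get("channel", ""), ev.get("event_id")
    if ch == "Microsoft-Windows-VHDMP/Operational" and ev.get("image_path", "").lower().endswith(".iso"):
        return "iso_mount"
    if ch == "Security" and eid == 4698:
        if basename(ev.get("command", "")) in POWERSHELL and SUSPICIOUS_PS.search(ev.get("arguments", "")):
            return "task_powershell_suspicious"
    if ch.endswith("Sysmon/Operational") and eid == 1:
        if basename(ev.get("image", "")) in RECON_TOOLS and basename(ev.get("parent_image", "")) in POWERSHELL:
            return "recon_from_powershell"
    return None

def triage(events):
    """List of (event index, label) for every event that matched a rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]

if __name__ == "__main__":
    for idx, label in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

Seeing all three labels on one host within a short window is the pattern described above; any single one (especially a lone ISO mount) is a lead for triage, not a verdict.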