Researchers at Mandiant have reported that Ukrainian government entities were breached in targeted attacks where initial access was through trojanized ISO files that disguised themselves as Windows 10 installers. The ISOs were configured to disable security controls and block automatic updates and license verification. Additionally, they contained a scheduled task that was designed to receive commands to be executed via PowerShell. After initial reconnaissance was conducted via these commands, the threat actors also deployed Stowaway, Beacon, and Sparepart backdoors that allowed them to maintain persistence, transfer files, steal information, and execute further commands.
One of the ISOs pushed in this campaign had been hosted on “toloka[.]to”, a Ukrainian torrent tracker, since May 2022. Additional ISO files were found on other Ukrainian as well as Russian torrent sites. While the initial ISO files were hosted on torrent sites and did not specifically target the Ukrainian government, after initial reconnaissance the actors performed further, more focused attacks on targets found to be government entities. The threat actor behind this activity is being tracked as UNC4166, and its assessed goal is espionage against Ukrainian government networks. While there is no clear attribution at this time, many of the targets in this campaign were previously on the target list of APT28 and overlap with the targets of many GRU clusters, suggesting that this activity is likely a state-backed attack by Russian intelligence.
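As an added example (not from the Mandiant report and not tied to any specific indicator from it), the following PowerShell triage script checks a Windows host for the two behaviours described above: scheduled tasks whose action launches PowerShell, and policy registry values that disable Defender or automatic updates. The registry paths are the standard Windows policy locations; the PowerShell task filter and output layout are this script's own assumptions, not indicators from the campaign.

```powershell
# Triage a host suspected of having been installed from an untrusted ISO.
# Run from an elevated PowerShell session; review results manually, since
# some legitimate Microsoft tasks also invoke PowerShell.
$findings = @()

# 1. Scheduled tasks whose action runs powershell.exe or pwsh.exe.
#    The TaskPath and Author fields help separate built-in tasks from additions.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -match 'powershell|pwsh') {
            $findings += [pscustomobject]@{
                Check  = 'ScheduledTask'
                Item   = "$($task.TaskPath)$($task.TaskName)"
                Detail = "$($action.Execute) $($action.Arguments)"
                Author = $task.Author
            }
        }
    }
}

# 2. Policy values that disable Defender or block automatic updates.
#    These are standard Windows policy keys; a value of 1 means "disabled".
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';              Name = 'NoAutoUpdate' }
)
foreach ($c in $policyChecks) {
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($value -eq 1) {
        $findings += [pscustomobject]@{
            Check  = 'Policy'
            Item   = "$($c.Path)\$($c.Name)"
            Detail = "set to $value"
            Author = ''
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize }
```

A clean, domain-joined build will normally show no policy findings and only Microsoft-authored tasks; anything else is a lead for closer inspection of the task's script and the host's install media.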