Security researchers say they recently observed a Russian hacking team, which was behind the destructive WhisperGate malware cyberattacks, targeting Ukrainian entities with new information-stealing malware.
Symantec’s Threat Hunter team has attributed this campaign to a Russia-linked cyber threat actor, widely known as TA471 (or UAC-0056), which has been active since early 2021. The group is known to support the interests of the Russian government, and while its primary target is Ukraine, the group has also been active against NATO member states in North America and Europe. TA471 has been linked to WhisperGate, a destructive data-wiping malware that was used in multiple cyberattacks against Ukrainian targets in January 2022. The malware masquerades as ransomware, but renders targeted devices completely inoperable and unable to recover files, even if a ransom demand is paid.
According to Symantec, the hacker team’s latest campaign relies on never-before-seen information-stealing malware it calls “Graphiron” to target Ukrainian organizations. The malware was used to steal data from infected machines from October 2022 to at least mid-January 2023, according to the researchers, who said it is “reasonable to assume” the malware is still part of the hackers’ toolbox.
The information-stealing malware uses file names designed to impersonate legitimate Microsoft Office files and is similar to other TA471 tools, such as GraphSteel and GrimPlant, which were previously used as part of a phishing campaign specifically targeting Ukrainian state agencies. But Symantec says that Graphiron is designed to steal a much wider range of data, including screenshots and private SSH keys.
“That information could be useful in itself from an intelligence perspective, or it could be used to penetrate deeper into the target organization or launch destructive attacks,” Dick O’Brien, principal intelligence analyst for the Symantec Threat Hunter Team, told TechCrunch.
O’Brien said that while little is known about the origin or strategy of the hacking team, TA471 has become one of the key players in Russia’s ongoing cyber campaigns against Ukraine.
News of TA471’s latest spy campaign comes days after the Ukrainian government raised the alarm about another Russian state-sponsored hacking group, dubbed UAC-0010, which continues to conduct frequent cyber-attack campaigns against Ukrainian organizations.
“Despite mostly using iterative sets of techniques and procedures, adversaries are slowly but insistently evolving their tactics and redeveloping malware variants used to remain unnoticed,” said Ukraine’s State Center for Cyber Protection. “Therefore, it remains one of the key cyber threats facing organizations in our country.”