New Russian info-stealer attacks target Ukraine.


Security experts have observed a Russian hacking group, the one responsible for the catastrophic WhisperGate malware intrusions, directing new information-stealing malware at Ukrainian targets. According to a report by Symantec’s Threat Hunter Team, the campaign has been traced to TA471 (also known as UAC-0056), a threat actor with ties to Russia that has been active since early 2021.

Although it primarily targets Ukraine, the group has also been active against NATO member states in North America and Europe, and it is known to support the goals of the Russian government.

The destructive data-wiping software WhisperGate, which was employed in many cyberattacks against Ukrainian targets in January 2022, has been connected to TA471. Although the software poses as ransomware, it completely disables targeted machines and prevents file recovery even if a ransom demand is met.

“The Nodaria espionage group (aka UAC-0056) is using a new piece of information stealing malware against targets in Ukraine. The malware (Infostealer.Graphiron) is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files,” said Symantec.

The group’s most recent attack, which targets Ukrainian organizations, makes use of previously undiscovered information-stealing malware that the researchers dubbed “Graphiron.” According to the researchers, the malware was used to steal data from affected PCs between October 2022 and at least mid-January 2023, making it plausible that it is still in the [hackers’] toolkit.

The information-stealing malware is similar to other TA471 tools, including GraphSteel and GrimPlant, which were previously employed as part of a spear-phishing effort expressly aimed at Ukrainian state bodies. It employs file names intended to pass for genuine Microsoft Office files. However, according to Symantec, Graphiron is made to steal much more information, such as secret SSH keys and screenshots.

Days prior to the discovery of TA471’s most recent spying operation, the Ukrainian government had alerted the world to another state-sponsored hacker organization, known as UAC-0010, which was still engaged in regular cyberattacks against Ukrainian companies.


May 21st, 2024
