Ukrainian CERT Warns of APT28 Phishing Attacks Disguised as Windows Updates
Category: Russia & Ukraine | Industry: Government | Level: Strategic | Source: CERT-UA
According to a recent warning from the Ukrainian Computer Emergency Response Team (CERT-UA), APT28 (aka Fancy Bear) has been conducting phishing attacks disguised as Windows updates against the Ukrainian government. As CERT-UA notes, they "recorded cases of the distribution of e-mails with the topic 'Windows Update' among state bodies of Ukraine, sent, apparently, on behalf of system administrators of departments. At the same time, e-mail addresses of senders created on the public service '@outlook[.]com' can be formed using the employee's real surname and initials." The goal of the campaign is to collect system information from the compromised host with a PowerShell script and exfiltrate the data to the Mocky service.
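The lure traits CERT-UA describes (a "Windows Update" subject, a public webmail sender, a local part built from an employee's surname and initials) can be checked at the mail gateway. The following is an added example, not code from CERT-UA or from the original page; the staff list, function names, and sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Added example. The staff list, function names and sample messages are
# constructed for illustration and do not come from the CERT-UA report.
PUBLIC_WEBMAIL = {"outlook.com"}   # public service named in the warning
LURE_SUBJECT = re.compile(r"windows\s+update", re.IGNORECASE)
STAFF = [("Testenko", "A", "B"), ("Samplechuk", "O", "M")]  # surname, initials


def impersonated_employee(local_part, staff=STAFF):
    """Return the surname if local_part is a staff surname plus that person's initials."""
    joined = "".join(re.findall(r"[a-z]+", local_part.lower()))
    for surname, *initials in staff:
        rest = joined.replace(surname.lower(), "", 1)
        # rest != joined: surname was present; rest must hold only their initials.
        if rest != joined and rest and set(rest) <= {i.lower() for i in initials}:
            return surname
    return None


def triage(raw_message):
    """Return the list of indicators from the warning that this message matches."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = msg["From"]
    if sender is None or not sender.addresses:
        return []
    addr = sender.addresses[0]
    if addr.domain.lower() not in PUBLIC_WEBMAIL:
        return []
    reasons = []
    who = impersonated_employee(addr.username)
    if who:
        reasons.append(f"webmail sender imitates employee {who}")
    # policy.default decodes RFC 2047 encoded-word subjects before matching.
    if LURE_SUBJECT.search(str(msg["Subject"] or "")):
        reasons.append("Windows Update subject from webmail sender")
    return reasons


def make(sender, subject):
    return f"From: {sender}\nTo: staff@agency.example\nSubject: {subject}\n\nbody\n"

SAMPLES = {  # constructed messages
    "lure": make("IT Dept <a.testenko@outlook.com>", "=?utf-8?b?V2luZG93cyBVcGRhdGU=?="),
    "internal": make("admin@agency.example", "Windows Update"),
    "benign": make("friend123@outlook.com", "Lunch on Friday"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

A message matching both indicators is a strong candidate for quarantine and review; either indicator alone is better treated as a hunting lead than an alert.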