APT28, a hacker group linked to Russian intelligence agencies, is attacking Ukrainian government institutions.
Ukraine’s national cyber incident response team, CERT-UA, is recording new cyberattacks on government bodies. The attackers use a multi-stage chain that begins with malicious documents sent via the Signal messenger.
The attack aims to gain remote access to computers for espionage and data theft.
How does it work?
- The attack starts when the attacker, well-informed about the target, sends a Microsoft Word document (e.g., "Act.doc") with an embedded macro via Signal.
- Once the document is opened and the macro is enabled, a hidden infection routine runs on the computer and plants malicious code on the system.
- Next, a component of the command-and-control framework COVENANT is loaded into the computer’s memory. It uses the API of the legitimate cloud storage service Koofr to receive commands from the attackers, so its traffic blends in with ordinary cloud-service use.
- Through COVENANT, the main spyware backdoor BEARDSHELL is downloaded and launched on the computer. This software gives hackers full control over the infected device.
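The chain above leaves two observable traces a defender can look for in endpoint telemetry: a Word process spawning a script interpreter when the macro runs, and a non-browser process talking to a cloud-storage API host. The following script is an added example (not code from the article or from CERT-UA) that runs such checks over a few constructed Sysmon-style events; the Koofr API host name used in it is an assumption and should be verified against the provider's documentation before use in a real rule.

```python
import json

# Office applications whose child processes deserve scrutiny (macro execution)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters and system binaries commonly launched by malicious macros
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"}
# Cloud-storage API hosts that may be abused as a command relay.
# The Koofr host name is an ASSUMPTION for this example, not taken from the
# article; confirm it against the provider's documentation before deploying.
CLOUD_API_HOSTS = {"app.koofr.net"}
# Processes for which traffic to a cloud-storage host is expected and benign
BENIGN_CLOUD_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "koofr.exe"}

# Constructed sample telemetry (JSON lines) for this example, not real data.
SAMPLE_EVENTS = r"""
{"host": "WS-01", "event": "process_create", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"host": "WS-01", "event": "network_connect", "image": "C:\\Windows\\System32\\rundll32.exe", "dest_host": "app.koofr.net", "dest_port": 443}
{"host": "WS-02", "event": "process_create", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\splwow64.exe"}
{"host": "WS-02", "event": "network_connect", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "app.koofr.net", "dest_port": 443}
"""


def load_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events):
    """Return (kind, host, detail) findings for the two chain indicators."""
    findings = []
    for ev in events:
        if ev["event"] == "process_create":
            parent, child = basename(ev["parent_image"]), basename(ev["image"])
            # Indicator 1: an Office application spawning a script interpreter
            if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
                findings.append(("office_spawn", ev["host"], f"{parent} -> {child}"))
        elif ev["event"] == "network_connect":
            proc, dest = basename(ev["image"]), ev["dest_host"].lower()
            # Indicator 2: a non-browser process reaching a cloud-storage API
            if dest in CLOUD_API_HOSTS and proc not in BENIGN_CLOUD_CLIENTS:
                findings.append(("cloud_api_c2", ev["host"], f"{proc} -> {dest}"))
    return findings


def prioritize(findings):
    """Rate each host: both indicators on one host is 'high', a single one 'medium'."""
    kinds_by_host = {}
    for kind, host, _detail in findings:
        kinds_by_host.setdefault(host, set()).add(kind)
    return {host: ("high" if len(kinds) > 1 else "medium")
            for host, kinds in kinds_by_host.items()}


if __name__ == "__main__":
    found = analyze(load_events(SAMPLE_EVENTS))
    for kind, host, detail in found:
        print(f"{host}: {kind}: {detail}")
    print(prioritize(found))
```

In the constructed sample, WS-01 shows both indicators and is rated high, while WS-02's Word-to-print-helper spawn and Chrome's connection to the cloud host are left unflagged; correlating the two signals per host is what keeps the cloud-API check from drowning in legitimate traffic.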
CERT-UA links this activity to the hacker group UAC-0001 (APT28), which is controlled by Russian intelligence services.