Security researchers say they recently observed a Russian hacking crew, the one behind the destructive WhisperGate cyber-attacks, targeting Ukrainian entities with new information-stealing malware.
Symantec’s Threat Hunter Team has attributed the campaign to a Russian-affiliated threat actor commonly tracked as TA471 (or UAC-0056), which has been active since at least early 2021. The group is known to operate in support of Russian government interests, and while it focuses primarily on Ukraine, it has also been active against NATO member states in North America and Europe. TA471 has been associated with WhisperGate, a destructive data-wiping malware used in multiple cyber-attacks against Ukrainian targets in January 2022. WhisperGate masquerades as ransomware, but it renders the targeted devices unusable and destroys their files: there is no recovery mechanism, so the data cannot be restored even if the ransom is paid.
According to Symantec, the crew’s latest campaign relies on previously unseen information-stealing malware it calls “Graphiron” and targets Ukrainian organizations. The malware was used from October 2022 until at least mid-January 2023 to steal data from infected machines, and, according to the researchers, “it is reasonable to assume that it will continue to be part of the [hackers’] tool box.”
The information stealer uses file names designed to impersonate legitimate Microsoft Office files and is similar to earlier TA471 tools such as GraphSteel and GrimPlant, which were used in a spear-phishing campaign specifically targeting Ukrainian government agencies. But Symantec says Graphiron is designed to exfiltrate much more data, including screenshots and SSH private keys.
“That information can be useful in itself from an intelligence perspective, or it can be used to penetrate deeper into the targeted organization or launch destructive attacks,” Dick O’Brien, principal intelligence analyst at Symantec’s Threat Hunter Team, told businessroundups.org.
O’Brien said that while little is known about the hacking crew’s origins or strategy, TA471 has become one of the key players in Russia’s ongoing cyber campaigns against Ukraine.
News of TA471’s latest espionage campaign comes days after the Ukrainian government sounded the alarm on another Russian state-sponsored hacking group called UAC-0010, which continues to carry out frequent cyber-attack campaigns against Ukrainian organizations.
“Despite using mainly repeated sets of techniques and procedures, adversaries are slowly but surely evolving their tactics and redeveloping used malware variants to remain unnoticed,” said the State Center for Cyber Protection of Ukraine. “That’s why it remains one of the top cyber threats facing organizations in our country.”