Poland says Russian military hackers target its govt networks

Gandalf_The_Grey (Thread author)
Poland says a state-backed threat group linked to Russia's military intelligence service (GRU) has been targeting Polish government institutions throughout the week.

According to evidence found by CSIRT MON, the country's Computer Security Incident Response Team (led by the Polish Minister of National Defense) and CERT Polska (the Polish computer emergency response team), Russian APT28 state hackers attacked multiple government institutions in a large-scale phishing campaign.

The phishing emails tried to trick the recipients into clicking an embedded link that would supposedly give them access to more information about a "mysterious Ukrainian woman" selling "used underwear" to "senior authorities in Poland and Ukraine."

Once clicked, the link redirected them through multiple websites before landing on a page that downloaded a ZIP archive. The archive contained a malicious executable disguised as a JPG image file and two hidden files: a DLL and a .BAT script.

If the target opens the camouflaged executable file, it loads the DLL via DLL side loading, which runs the hidden script. The script displays a photo of a woman in a swimsuit in the Microsoft Edge browser as a distraction while simultaneously downloading a CMD file and changing its extension to JPG.

"The script we finally received collects only information about the computer (IP address and list of files in selected folders) on which it was launched, and then sends it to the C2 server. Probably the computers of the victims selected by the attackers receive a different set of endpoint scripts," CERT Polska said.
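One defender-side check suggested by the chain described above, as an added example that is not part of the article or of this post: a Python triage of a ZIP archive for the indicators the article names (an executable carrying an image-style name, plus hidden DLL and .bat entries). The sample archive, its file names and the tag strings are constructed for the example.

```python
import io
import zipfile

HIDDEN_ATTR = 0x02            # Windows FILE_ATTRIBUTE_HIDDEN, low byte of ZipInfo.external_attr
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".js"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}

def build_sample_zip(benign: bool = False) -> bytes:
    """Constructed in-memory archive. The malicious variant mirrors the chain in the
    article: an executable with an image-looking name, a hidden DLL and a hidden .bat."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if benign:
            zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60)   # real JPEG magic
        else:
            zf.writestr("photo.jpg.exe", b"MZ" + b"\x00" * 62)             # PE stub, fake image name
            for name, body in (("helper.dll", b"MZ" + b"\x00" * 62),
                               ("show.bat", b"@echo off\r\nstart msedge photo.jpg\r\n")):
                info = zipfile.ZipInfo(name)
                info.external_attr = HIDDEN_ATTR                           # mark the entry hidden
                zf.writestr(info, body)
    return buf.getvalue()                # central directory is written when the with-block exits

def triage_archive(data: bytes) -> list:
    """Return (entry name, tag) pairs for entries matching the indicators above."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + p for p in base.split(".")[1:]]
            last = exts[-1] if exts else ""
            hidden = bool(info.external_attr & HIDDEN_ATTR)
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"                  # PE images start with the MZ stub
            if is_pe and last not in EXEC_EXTS | {".dll"}:
                findings.append((info.filename, "pe-disguised"))   # MZ content under e.g. .jpg
            if len(exts) > 1 and exts[-2] in IMAGE_EXTS and last in EXEC_EXTS:
                findings.append((info.filename, "double-ext"))     # photo.jpg.exe
            if hidden and last == ".dll":
                findings.append((info.filename, "hidden-dll"))     # side-load candidate
            if hidden and last in SCRIPT_EXTS:
                findings.append((info.filename, "hidden-script"))
    return findings

def looks_like_sideload_lure(data: bytes) -> bool:
    """True only for the full pattern: a disguised executable plus a hidden DLL and a hidden script."""
    tags = {tag for _, tag in triage_archive(data)}
    return bool(tags & {"pe-disguised", "double-ext"}) and {"hidden-dll", "hidden-script"} <= tags
```

A real triage would also inspect the script body and the DLL's exports, but the combination of a lure-named executable with hidden companions is already enough to quarantine the download for review.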
ForgottenSeer 109138

It doesn’t necessarily need to be a sophisticated one, as long as it evades detections of the target security system. Sometimes it’s the simple attacks that do the trick.
Govt networks should be hardened against these simple tactics, such as having those DLLs and scripts disabled, and those accessing the systems certainly should be trained on social engineering and phishing attempts while using systems tied to such sensitive data, and of course should not be using govt systems to gawk at women in underwear.

Trident
Govt networks should be hardened to these simple tactics such as those dlls and scripts disabled and those accessing the systems certainly should be trained
They should be in theory, but in practice it's not always possible to disable them; sometimes there is software that may require them. It's also not always possible to train employees: you've got new starters that need plenty of other training as well, or you train them, they pass with perfect scores and they still don't know anything.

So could be, would be, should be are fuzzy.
ForgottenSeer 109138

They should be in theory, but in practice it’s not always possible to disable them, sometimes there is software that may require them. It’s also not always possible to train employees, you’ve got new starters that need plenty of other trainings as well, or you train them, they pass with perfect scores and they still don’t know anything.

So could be, would be, should be are fuzzy.
These are not Walmart employees, they are government workers on systems tied to sensitive data. I have yet to see a system tied to federal that is not locked down and monitored. They do not just let untrained employees loose without supervision, nor would they tolerate employees using their terminals for personal viewing.

I'm not sure what they are doing in Poland, but here in the States that wouldn't fly very far. It is why I stated amateur hour in my initial post. Not that the hackers are amateurs, but the facility not training or monitoring their employees properly.

These systems usually have set functions per job description on govt networks and can not only be locked down but air gapped as well depending on usage.