Ukraine foils Russian cyberespionage group’s attack on critical energy facility

CERT-UA says a cybersecurity expert at a critical energy facility thwarted a cyber attack by Fancy Bear.


Ukraine’s computer emergency response team (CERT-UA) has revealed that an attack by the Russia-backed cyber espionage group Fancy Bear (APT28) on a critical energy facility in Ukraine was thwarted by a cybersecurity expert working in that organisation.

CERT-UA reported that Fancy Bear tried to gain initial access to the facility’s systems using phishing emails.

The sample phishing email shared by CERT-UA included three images and the message: “Hi! I talked to three girls, and they agreed. Their photos are in the archive; I suggest checking them out on the website.” The archive contained a file in BAT format.

BAT files are batch scripts that Windows runs through cmd.exe to automate tasks. If a victim runs the BAT file, it opens decoy web pages that look harmless while, in the background, the script executes harmful commands on the targeted device.

The report says the attackers installed Tor on the compromised system.

CERT-UA said the attack was held back because certain web resources related to the Mockbin service, a tool used for testing and development, were restricted, and because the facility immediately blocked the use of Windows Script Host. CERT-UA has not named the targeted facility.
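Blocking Windows Script Host, the control the facility applied, is done through a documented registry value. The script below is an added example and is not part of the CERT-UA report or the facility's own tooling; the function names `Get-WshState` and `Disable-Wsh` are this example's own. It sets `Enabled = 0` under the `Windows Script Host\Settings` key for the machine and for the current user, and reports the state before and after. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the CERT-UA report): disable Windows Script Host
# so wscript.exe and cscript.exe refuse to run VBScript/JScript files.
# Function names are this example's own.

$MachineKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$UserKey    = 'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    # Returns $true when WSH is enabled at the given scope.
    # A missing 'Enabled' value means enabled, which is the Windows default.
    param([string]$Key)
    $prop = Get-ItemProperty -Path $Key -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $true }
    return ([int]$prop.Enabled -ne 0)
}

function Disable-Wsh {
    # Writes Enabled = 0 (REG_DWORD). The HKLM value applies to every user
    # on the machine; the HKCU value covers only the current user.
    param([string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
}

foreach ($k in @($MachineKey, $UserKey)) {
    Write-Host ("{0}`n  WSH enabled before: {1}" -f $k, (Get-WshState $k))
    Disable-Wsh $k
    Write-Host ("  WSH enabled after:  {0}" -f (Get-WshState $k))
}
```

After this runs, `cscript.exe` or `wscript.exe` launched against any script file exits with the message that Windows Script Host access is disabled on the machine. Two caveats: a `.bat` file runs under cmd.exe, not WSH, so this setting stops only the VBScript/JScript stage of a chain like the one described above, and it should be paired with egress filtering of services the facility does not need (as with the Mockbin restriction) and application control for batch files; and the value can be re-enabled by anything with write access to the key, so it belongs in Group Policy or configuration management rather than a one-off script.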