Update, Oct. 29, 2024: This story, originally published Oct. 28, has been updated with news of action taken by Amazon Web Services to seize domains abused by Russian threat actors during the UNC5812 attacks.
The security researchers at Google’s renowned Threat Analysis Group, alongside threat intelligence specialists from Mandiant, have confirmed that a suspected Russian dual-pronged espionage and influence operation has been underway against both Android and Windows users. Here’s what we know so far.
What We Know About The UNC5812 Cyber Attack
The UNC5812 cyber attack was discovered by Google TAG and Mandiant during September 2024 and appears to be a hybrid espionage and influence operation carried out by Russian threat actors. The threat intelligence analysts said that the campaign, operating under a Telegram persona identified as “Civil Defense,” was being used to distribute malware to both Android and Windows users under the guise of a free software provider. That free software was pitched directly at people looking to locate potential military recruiters of conscripts in Ukraine. The distribution channel is both the malicious Civil Defense Telegram channel and a similarly named website. The activation of the Telegram channel in September is thought to mark when the operation went live, although the website domain had been registered earlier, in April.
The malware itself is operating-system specific and is delivered alongside what appears to be a decoy application posing as a mapping tool for the aforementioned recruiting locations. “UNC5812 is also actively engaged in influence activity,” a Google TAG spokesperson said, “delivering narratives and soliciting content intended to undermine support for Ukraine’s mobilization efforts.” It is thought that the UNC5812 threat actors are purchasing promoted posts in legitimate, already established Ukrainian-language Telegram channels in order to spread the influence operation further. The threat intelligence also suggests that the operation is still ongoing, as a Ukrainian-language news channel promoting the posts was seen as recently as October 8. “The campaign is probably still actively seeking new Ukrainian-language communities for targeted engagement,” Google TAG researchers said.
Threat Actors Behind Cyber Attack Named As APT29 AKA Midnight Blizzard
Naming the group behind the UNC5812 cyber attack as APT29, a Russian state-sponsored threat actor also known less formally as Midnight Blizzard or Cozy Bear, Amazon has confirmed that it has worked behind the scenes to seize the domains used in this campaign. Formerly the technical analysis lead for computer and network intrusion in the Federal Bureau of Investigation’s Cyber Division and a special agent with the Air Force Office of Special Investigations, CJ Moses is now the chief information security officer at Amazon. Writing on LinkedIn, Moses thanked the cyber threat intelligence teams at both Amazon and CERT-UA for their efforts “to make the internet more secure.” APT29 is not to be confused with APT28, known as Fancy Bear, another Russian state-sponsored attack group also currently engaged in targeted anti-Ukraine cyber attack activity.
The internet domains used by Midnight Blizzard were identified by Amazon’s threat intelligence teams, building upon the work already done by CERT-UA. Seen targeting potential victims associated with government agencies, enterprises, and militaries, the UNC5812 phishing campaign used Ukrainian-language emails in what Amazon said was a significantly broader cyber attack than the group’s normal narrowly targeted approach. “Some of the domain names they used tried to trick the targets into believing the domains were AWS domains (they were not),” Moses said, “but Amazon wasn’t the target, nor was the group after AWS customer credentials.”
Upon the discovery of the domains, Amazon immediately initiated the process of seizing those that the Midnight Blizzard threat actors were abusing to impersonate AWS, in order to interrupt the operation.
The Aim Of The Russian Espionage Cyber Attack
The aim of the Telegram-driven campaign itself is to persuade victims to navigate to the website, where an assortment of malware for both the Android and Windows operating systems can be downloaded. Android users are targeted with a commercially available backdoor application known as CraxsRAT. Google TAG analysts said that the website itself includes support for both iOS and macOS malware, but neither of these payloads was available during the analysis operation.
So, how do you prevent getting caught up in this latest threat campaign, assuming you have been targeted and got as far as the malware distribution phase? Make sure you are using Google Play Protect, Google’s TAG researchers said. The UNC5812 actors have gone to some length to persuade Android users that they should install the app outside of the App Store and its protections, including justifications for an extensive list of required user permissions, ironically presented as being mostly for the security and anonymity of the user.
“UNC5812’s Civil Defense website specifically included social engineering content and detailed video instructions on how the targeted user should turn off Google Play Protect,” Google TAG said. “Safe Browsing also protects Chrome users on Android by showing them warnings before they visit dangerous sites.” Google’s app-scanning infrastructure protects Google Play and also powers Verify Apps, which additionally protects users who install apps from outside of Google Play itself and might get caught up in a cyber attack such as this one.