Russian WhisperGate hackers use data-stealing malware to target Ukraine

Posted on February 5, 2023 at 2:08 PM

Pro-Russian threat actor groups have been ramping up their activities in recent months. Security researchers recently published a report identifying a Russian hacking group behind malware attacks launched by the WhisperGate hackers. These attacks targeted institutions in Ukraine to steal sensitive information.

WhisperGate hackers target Ukraine with data-stealing malware

The Symantec Threat Hunter Team has attributed the hacking campaign to a pro-Russian threat actor group known as TA471 or UAC-0056. This group has been actively targeting institutions and individuals since early 2021, and its attacks align with the goals of the Russian government.

This hacking group primarily targets Ukraine and has also been actively targeting NATO members in Europe and North America. TA471's activities have also been associated with WhisperGate, destructive malware that has been used in a wide range of cyberattacks against individuals and institutions in Ukraine. WhisperGate activity in Ukraine commenced in January last year.

The malware in question comes in the form of ransomware, with the threat actors seeking to extort the targeted victims. Moreover, the threat actors ensured that the targeted devices were rendered inoperable and that their files could not be accessed. The hackers also have a habit of failing to relinquish control over the target devices even after the ransom is paid.

Symantec researchers have also said that the latest campaign launched by this threat actor group uses information-stealing malware known as “Graphiron.” The malware is used to target organizations in Ukraine and has been used to steal data from compromised machines starting from October 2022. The malware remained active until mid-January 2023.

The researchers noted that the malware was still part of the hackers’ toolkit. The malware is used to steal information and uses file names made to look like those of legitimate Microsoft Office files. It is similar to other tools used by the TA471 hacking group, including GraphSteel and GrimPlant.

These tools were previously used in spear-phishing campaigns that targeted government institutions in Ukraine. However, a report by Symantec said that Graphiron was designed to exfiltrate more data from the targets. Part of the data that could be accessed using this malware includes screenshots and private SSH keys.

The principal intelligence analyst at the Symantec Threat Hunter Team, Dick O’Brien, commented on this development, saying that the information gathered by this hacking group could be used for intelligence purposes. Moreover, the information could also be used to access more information from the targeted institution or to relaunch various destructive attacks.

O’Brien has also said that little is known about this hacking group’s origin and the strategy it uses to conduct its operations. TA471 has become one of the largest threat actor groups conducting cyber campaigns against Ukraine. Pro-Russian hacking groups have been actively targeting Ukraine and its Western allies since the war began.

Pro-Russian hackers continue to launch attacks

The latest espionage campaign conducted by TA471 comes a few days after the Ukrainian government issued an alert about a state-sponsored hacking group backed by Russia. This hacking group is also known as UAC-0010, and it has continued to conduct a variety of cyberattacks targeting organizations based in Ukraine.

The Cyber Protection Center for Ukraine commented on this development, saying that hackers were repeatedly changing their attack strategies, which made it hard for organizations to keep abreast of the changes. Therefore, the growing threat of cyberattacks remained a concern because of the sophisticated nature of the attackers.

“Despite using mainly repeated sets of techniques and procedures, adversaries slowly but insistently evolve in their tactics and redevelop used malware variants to stay undetected. Therefore, it remains one of the key cyber threats facing organizations in our country,” said the Cyber Protection Center for Ukraine.

There has been a significant rise in cyberattacks launched by pro-Russian threat actor groups. Recently, hospitals based in the US were targeted by a series of distributed denial-of-service (DDoS) attacks. These attacks are being conducted by another pro-Russian threat actor group known as Killnet. Similar DDoS attacks were also launched against US airlines.
