Security researchers report that a Russia-linked hacking group responsible for the destructive WhisperGate cyberattacks has recently been observed targeting Ukrainian entities with a new information-stealing malware.
Symantec’s Threat Hunter Team attributes the campaign to TA471 (also tracked as UAC-0056), a threat actor with ties to Russia that has been active since early 2021. Although it primarily targets Ukraine, the group has also been active against NATO member states in North America and Europe, and is believed to act in support of the Russian government’s interests. TA471 has been linked to WhisperGate, the destructive data-wiping malware used in numerous cyberattacks against Ukrainian targets in January 2022. WhisperGate poses as ransomware, but it offers no real recovery path: it renders the target device unusable and leaves files unrecoverable regardless of whether the ransom is paid.
Symantec says the group’s most recent campaign against Ukrainian organizations relies on previously undocumented information-stealing malware, which it calls “Graphiron.” According to the researchers, the malware was used to steal data from infected machines between October 2022 and at least mid-January 2023, so it is reasonable to assume it remains in the group’s toolkit.
The information stealer resembles other TA471 tools, such as GraphSteel and GrimPlant, which were previously deployed in a spear-phishing campaign aimed at Ukrainian state bodies. Graphiron is distributed under file names intended to pass for genuine Microsoft Office files. According to Symantec, however, it is built to steal considerably more information, including private SSH keys and screenshots.
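The masquerading described above (an executable carrying an Office-looking file name) is cheap to hunt for on a file share or in a mail quarantine: compare what the name claims with what the first bytes of the file actually are, and catch the hidden-extension trick where Explorer shows `invoice.docx` for `invoice.docx.exe`. The script below is an added example written for this page; it is not code from Symantec’s report or from the actor’s tooling, it does not detect Graphiron specifically, and the sample files it scans are constructed in a temporary directory rather than real malware samples.

```python
"""Added example: hunt for files whose name claims to be a Microsoft Office
document but whose leading bytes (or trailing extension) say otherwise."""
import os
import tempfile
from typing import List, Optional, Tuple

# Leading bytes a genuine Office document can legitimately start with.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls/.ppt (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.xlsx/.pptx are ZIP archives
RTF_MAGIC = b"{\\rtf"                              # Rich Text Format
PE_MAGIC = b"MZ"                                   # Windows executable (DOS header)

OFFICE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}


def classify_content(header: bytes) -> str:
    """Classify a file by its first bytes rather than by its name."""
    if header.startswith(OLE2_MAGIC):
        return "ole2"
    if header.startswith(ZIP_MAGIC):
        return "zip"
    if header.startswith(RTF_MAGIC):
        return "rtf"
    if header.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def split_extensions(filename: str) -> List[str]:
    """All dotted suffixes of a name, lowercased: 'invoice.docx.exe' -> ['.docx', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_file(path: str) -> Optional[str]:
    """Return a reason string if the file masquerades as an Office document, else None."""
    exts = split_extensions(os.path.basename(path))
    if not exts:
        return None
    with open(path, "rb") as fh:
        kind = classify_content(fh.read(8))
    last = exts[-1]
    # Case 1: double extension such as invoice.docx.exe. Explorer hides known
    # extensions by default, so the user sees only "invoice.docx".
    if last in EXECUTABLE_EXTENSIONS and len(exts) >= 2 and exts[-2] in OFFICE_EXTENSIONS:
        return f"double extension {exts[-2]}{last} ({kind} content)"
    # Case 2: an Office extension on a file that begins with a PE header.
    if last in OFFICE_EXTENSIONS and kind == "pe":
        return f"{last} name but PE (executable) content"
    return None


def scan_directory(root: str) -> List[Tuple[str, str]]:
    """Walk a tree and return (relative path, reason) for every suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = inspect_file(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed sample tree (not real malware samples) and scan it."""
    samples = {
        "budget.xlsx": ZIP_MAGIC + b"\x00" * 28,            # genuine OOXML header
        "notes.doc": OLE2_MAGIC + b"\x00" * 24,             # genuine legacy header
        "report.docx": PE_MAGIC + b"\x90\x00\x03\x00" * 7,  # PE bytes behind an Office name
        "invoice.docx.exe": PE_MAGIC + b"\x90\x00" * 15,    # hidden-extension trick
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return scan_directory(root)


if __name__ == "__main__":
    for rel_path, reason in demo():
        print(f"SUSPICIOUS {rel_path}: {reason}")
```

Running the script flags `invoice.docx.exe` and `report.docx` and leaves the two genuine documents alone. The check is deliberately conservative: an Office extension over bytes that are neither Office-like nor PE is not reported, because plain-text `.doc` files and other oddities exist legitimately; extend `EXECUTABLE_EXTENSIONS` and the magic table to suit your environment.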
According to Dick O’Brien, principal intelligence analyst for Symantec Threat Hunter Team, “that information could be useful in and of itself from an intelligence perspective, or it could be used to further infiltrate the targeted organization or to launch destructive attacks.”
O’Brien said that TA471 has emerged as one of the key players in Russia’s ongoing cyber campaigns against Ukraine, even though little is known about the group’s history or tactics.
Days before TA471’s latest espionage operation was discovered, the Ukrainian government had warned of another state-sponsored hacking group, tracked as UAC-0010, that was still running regular cyberattack campaigns against Ukrainian organizations.
Ukraine’s State Cyber Protection Centre said that, although the group mostly reuses the same techniques and procedures, the adversaries “slowly but insistently evolve in their tactics and redevelop used malware variants to stay undetected.” It therefore remains, the centre concluded, one of the main cyber threats facing organizations in Ukraine.