Ukraine Military Targeted With Russian APT PowerShell Attack

The attack, associated with Shuckworm, employs TTPs observed in prior campaigns against the Ukrainian military, predominantly using PowerShell.

3 Min Read
Brown bear sow eats Spoon worms (echiuroid) along the shoreline on Admiralty Island in Tongass National Forest, Alaska
Source: Design Pics Inc via Alamy Stock Photo

A sophisticated Russian advanced persistent threat (APT) has launched a targeted PowerShell attack campaign against the Ukrainian military.

The attack is most likely perpetrated by malicious threat actors related to Shuckworm, a group with a history of campaigns against Ukraine, motivated by geopolitical, espionage, and disruption interests.

The malicious campaign, tracked by Securonix under the name STEADY#URSA, employs a newly discovered SUBTLE-PAWS PowerShell-based backdoor to infiltrate and compromise targeted systems.

This type of backdoor allows threat actors to gain unauthorized access, execute commands, and maintain persistence within compromised systems.

The attack methodology involves the distribution of a malicious payload through compressed files delivered via phishing emails.

Distribution and lateral movement of the malware is carried out through USB drives, thus removing the need to access the network directly.

The report noted that type of approach would be made difficult due to Ukraine's air-gapped communications like Starlink.

The campaign exhibits similarities with the Shuckworm malware, and it incorporates distinct tactics, techniques, and procedures (TTPs) observed in previous cyber campaigns against the Ukrainian military.

Oleg Kolesnikov, vice president of threat research and data science/AI for Securonix, explains that SUBTLE-PAWS differentiates itself by its "fairly exclusive" reliance on off-disk/PowerShell stagers for execution, avoiding traditional binary payloads. It also employs additional layers of obfuscation and evasion techniques.

"These including encoding, command splitting and registry-based persistence to evade detection among others," he says.

It establishes command and control (C2) by communicating via Telegram with a remote server, using adaptive methods such as DNS queries and HTTP requests with dynamically stored IP addresses.

The malware also employs stealth measures like Base64 and XOR encoding, randomization techniques, and environment sensitivity to enhance its elusive nature.

The targeted entity executes a malicious shortcut (.lnk) file, initiating the loading and execution of a new PowerShell backdoor payload code.

The SUBTLE-PAWS backdoor is embedded within another file contained in the same compressed archive.

Kolesnikov says possible proactive measures can include implementing user education programs to recognize potential exploitation via email, increasing awareness around the use of malicious .lnk payloads on external drives to spread in air-gapped and more compartmentalized environments, and enforcing strict policies and user file decompression to mitigate risks.

"To bolster USB drive security, organizations should implement device control policies to restrict unauthorized USB usage and regularly scan removable media for malware using advanced endpoint security solutions," he says.

To enhance log detection coverage, Securonix advised deploying additional process-level logging, such as Sysmon and PowerShell logging.

"Organizations should also enforce strict application whitelisting policies [and] implement enhanced email filtering, proper system monitoring, and endpoint detection and response solutions to monitor and block suspicious activity," Kolesnikov says.

Cyber Threats, State Actors

The ongoing ground war in Ukraine has been waged in the digital realm as well, with Kyivstar, Ukraine's biggest mobile telecom operator, suffering a cyberattack in December that wiped out cell service for more than half of Ukraine's population.

In June 2023, Microsoft released details of Russian APT Cadet Blizzard, thought to be responsible for wiper malware deployed during the weeks leading up to Russia's invasion of Ukraine.

Cybersecurity attacks by Russian hacktivist groups — including Joker DPR threat group, thought to be tied to the state — also claimed to have breached the Ukraine military's battlefield management system DELTA, revealing real-time troop movements.

Beyond the conflict in Eastern Europe, threat groups in Iran, Syria, and Lebanon demonstrate the threat of cyberattacks in conflicts across the Middle East. The growing sophistication of these threats indicates state-backed malicious actors are modernizing their malware techniques, and multiple threat groups are banding together to launch more complex attacks.

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights