Updated October 29, 2024: This article was originally published on October 28 and has been updated with news of steps taken by Amazon Web Services to seize domains used by Russian state-sponsored threat actors.
Security researchers from Google’s Threat Analysis Group (TAG), working with threat intelligence analysts from Mandiant, have identified a two-pronged espionage and influence operation, attributed to suspected Russian actors, that targets both Android and Windows users and has been confirmed to be ongoing. Here’s what we know so far:
UNC5812 cyber attacks: what we know
The UNC5812 campaign was discovered by Google TAG and Mandiant in September 2024 and appears to be a hybrid espionage and influence operation run by Russian threat actors. Using a Telegram persona called “Civil Defense,” the campaign distributes malware to Android and Windows users under the guise of a free software provider. The free software on offer directly targets Ukrainians trying to avoid conscription: it purports to show the locations of Ukrainian military recruiters. Distribution runs through both the malicious Civil Defense Telegram channel and a similarly named website, whose domain was registered in early April 2024.
The malware itself is operating-system specific and is delivered alongside a decoy application that poses as the recruiter-mapping tool. A Google TAG spokesperson said: “UNC5812 also actively engages in influence activities, distributing stories and soliciting content aimed at undermining support for mobilization efforts in Ukraine.” The UNC5812 operators are believed to be buying promoted posts on established, legitimate Ukrainian Telegram channels to widen their reach. Google reports that as recently as October 8 a Ukrainian-language news channel was seen promoting such a post, so the operation appears to still be running. Google TAG researchers said, “The campaign is likely still actively seeking new Ukrainian-language communities for targeted engagement.”
Amazon seizes domains used by APT29 (also known as Midnight Blizzard)
In an update to this story, Amazon confirmed that it has been working behind the scenes to seize domains used by APT29, a Russian state-sponsored actor also known as Midnight Blizzard or Cozy Bear, in a phishing campaign identified by CERT-UA. Note that Google’s report tracks UNC5812 as an uncategorized threat cluster and does not publicly attribute it to APT29; the Amazon action concerns a parallel Russian campaign against Ukrainian targets. CJ Moses, previously chief of technical analysis for computer and network intrusions in the FBI’s Cyber Division and a special agent with the Air Force Office of Special Investigations, is now Amazon’s chief information security officer. In a LinkedIn post, Moses thanked Amazon’s threat intelligence team and CERT-UA’s Cyber Threat Intelligence team for their efforts “to make the Internet safer.” APT29 is not to be confused with APT28, known as Fancy Bear, another Russian state-sponsored group that is also currently engaged in targeted anti-Ukraine cyber operations.
The domains used by Midnight Blizzard were identified by Amazon’s threat intelligence team, building on work already done by CERT-UA. The phishing campaign targets potential victims associated with government agencies, businesses and the military, uses Ukrainian-language emails, and, according to Amazon, is a broad campaign rather than a narrowly targeted one. “Some of the domain names they used were intended to trick the target into believing that the domain was an AWS domain (which it was not). And it wasn’t a group that was after AWS customer credentials,” Moses said.
Upon discovering the domains, Amazon immediately began the process of seizing them, disrupting the Midnight Blizzard operation that was impersonating AWS.
Purpose of the Russian espionage cyber attack
The Telegram-led campaign directs victims to a website where they can download malware for both Android and Windows. According to Google TAG’s report, Windows users receive a loader (Pronsis Loader) that installs the PureStealer information stealer, while Android users are served a commercially available backdoor known as CraxsRAT. Google TAG analysts said that although the website also advertises iOS and macOS versions, neither of those payloads was available during their analysis.
So if you have been targeted and have reached the malware distribution stage, how can you avoid getting caught up in this campaign? Make sure you are using Google Play Protect, Google TAG researchers said. UNC5812 goes to some lengths to persuade Android users to install the app from outside Google Play and its protections, and, ironically, justifies both the sideloading and the app’s extensive list of required permissions as measures to protect the user’s security and anonymity.
Google TAG stated that “UNC5812’s Civil Defense website specifically included social engineering content and detailed video instructions on how targeted users could turn off Google Play Protect,” and added that “Safe Browsing also protects Chrome users on Android by warning them before visiting dangerous sites.” Google’s app scanning infrastructure protects Google Play and powers Verify Apps, which further protects users who may be compromised by apps installed from outside Google Play itself.
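Because the campaign relies on victims sideloading an APK and switching off Play Protect, a quick triage step on a suspect device is to list third-party apps that were not installed through Google Play. The script below is an added example (not from the article, Google TAG or Amazon): it parses the one-line-per-package format that `adb shell pm list packages -3 -i` prints (`package:<name>  installer=<installer or null>`) and reports every package whose installer is not the Play Store. The sample output, including the package names in it, is constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `adb shell pm list packages -3 -i` output.
# The package names here are invented for illustration.
SAMPLE_PM_OUTPUT='package:com.example.bank  installer=com.android.vending
package:org.telegram.messenger  installer=com.android.vending
package:com.civildefense.app  installer=null
package:com.example.sideloaded  installer=com.android.packageinstaller'

# Installers that count as store-mediated. Anything else (null, the stock
# package installer, a browser or a file manager) means the APK was sideloaded.
TRUSTED_INSTALLERS='com.android.vending'

# Read pm output on stdin and print the package names that were not
# installed by a trusted installer, one per line.
# Usage: adb shell pm list packages -3 -i | list_sideloaded
list_sideloaded() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;          # skip anything that is not a package line
        esac
        pkg=${line#package:}        # drop the "package:" prefix
        pkg=${pkg%%[[:space:]]*}    # keep only the package name
        installer=${line##*installer=}
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            if [ "$installer" = "$t" ]; then
                trusted=1
            fi
        done
        if [ "$trusted" -eq 0 ]; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Convenience wrapper: number of sideloaded packages in a captured pm listing.
count_sideloaded() {
    printf '%s\n' "$1" | list_sideloaded | wc -l | tr -d ' '
}

# Run against the constructed sample; on a real device replace this with
#   adb shell pm list packages -3 -i | list_sideloaded
printf '%s\n' "$SAMPLE_PM_OUTPUT" | list_sideloaded
```

A package in this list is not necessarily malicious, but any entry that was installed from a browser download or file manager around the time the user followed a Telegram link deserves a closer look (and, on a managed fleet, a quarantine of the APK for scanning).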