Ukrainian government entities have been hacked in targeted attacks after their networks were first compromised via ISO files containing Trojan horses posing as legitimate Windows 10 installers.

These malicious installers delivered malware capable of harvesting data from compromised computers, deploying additional malicious tools, and exfiltrating stolen data to servers controlled by attackers.

One of the ISOs pushed in this campaign was hosted on the toloka[.]to the Ukrainian torrent tracker by a user created in May 2022.

“The ISO has been configured to disable typical security telemetry that a Windows computer would send to Microsoft and block automatic updates and license checking”, said cybersecurity firm Mandiant who uncovered Thursday’s attacks.

“There was no indication of a financial motivation for the intrusions, whether through the theft of monetizable information or the deployment of ransomware or cryptominers.”

While scanning multiple infected devices on Ukrainian government networks, Mandiant also spotted scheduled tasks set up in mid-July 2022 that were designed to receive commands that would be executed via PowerShell.

After initial reconnaissance, threat actors also deployed Stowaway, Beacon, and Sparepart backdoors that allowed them to maintain access to compromised computers, execute commands, transfer files, and steal information, including credentials and keystrokes.

Windows 10 ISOs containing Trojans have been distributed via torrent file-sharing platforms in Ukrainian and Russian, unlike similar attacks where cyber espionage groups host payloads on their infrastructure.

As This Supply Chain Attack Hit Ukrainian Government, Malicious Windows ISO Files Made Available Via Torrents

“We assess that the threat actor publicly distributed these installers and then used an inbuilt planning task to determine if the victim should deploy other payloads,” Mandiant added.

While the malicious Windows 10 installers did not specifically target the Ukrainian government, threat actors scanned infected devices and carried out other more targeted attacks on those belonging to government entities.

“Targets of interest to the AU government were then hand-picked. These targets overlap with GRU interests,” tweeted John Hultquist, vice president of Mandiant Threat Intelligence.

We’re not there on attribution here. It is very good. We’re talking about spies here (probably) and we won’t always have the goods. That doesn’t mean we can’t learn the lesson. Supply chain incidents are serious and remain a major concern for this conflict. (3/x)

— John Hultquist (@JohnHultquist) December 15, 2022

Targets Previously Attacked by Russian Military Hackers

The threat group behind this supply chain attack is tracked as UNC4166, and its likely goal is to collect and steal sensitive information from Ukrainian government networks.

Although there was no clear attribution at the time, Mandiant security researchers found that the organizations attacked in this campaign were previously on the target list of APT28 state hackers with ties to Russian military intelligence.

“The targets of UNC4166 overlap with the organizations targeted by the GRU-linked clusters with windshield wipers early in the war.” Mandiant said.

“Organizations where UNC4166 conducted tracking interactions included organizations that have historically been victims of disruptive wiper attacks that we associate with APT28 since the outbreak of the invasion.”

APT28 has been operating since at least 2004 on behalf of the Russian General Staff’s Main Intelligence Directorate (GRU) and has been linked to campaigns targeting governments around the world, including a 2015 German federal parliament hack and attacks on the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) in 2016.

Since the start of Russia’s invasion of Ukraine, several phishing campaigns targeting the Ukrainian government and military organizations have been labeled as APT28 operations by Google, Microsoftand Ukraine CERTs.

“The use of Trojan-containing ISOs is new in espionage operations and the anti-detection capabilities included indicate that the actors behind this activity are security-conscious and patient, as the operation would have taken time and significant resources to develop and wait for the ISO to be installed on a network of interest,” added Mandiant.