The Kremlin-backed threat group APT28 is flooding Ukrainian government agencies with email messages about bogus Windows updates in the hope of dropping malware that will exfiltrate system data.
According to the Computer Emergency Response Team of Ukraine (CERT-UA), the advanced persistent threat (APT) group – which is also known as Fancy Bear, Strontium, and Sofacy, among other names – sent emails throughout April with “Windows Update” in the subject line. The messages appeared to have been sent by system administrators of government agencies.
“E-mail addresses of senders created on the public service ‘@outlook.com’ can be formed using the employee’s real surname and initials,” CERT-UA wrote in a brief online note.
Within the messages are instructions written in Ukrainian to update the Microsoft OS “against hacker attacks” and illustrations showing how to launch a command line and execute a PowerShell command.
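The sender and lure patterns CERT-UA describes (a freemail @outlook.com sender whose local part is built from a real employee's surname and initials, a "Windows Update" subject, and a body steering the reader to PowerShell) can be turned into a mail-gateway triage check. The Python below is an added example, not code from CERT-UA or the article; the staff directory, sample messages and indicator names are constructed.

```python
import re
from email import message_from_string

FREEMAIL_DOMAINS = {"outlook.com"}            # sender domain noted by CERT-UA
LURE_SUBJECT = re.compile(r"windows\s*update", re.I)
ADDR = re.compile(r"<?([\w.+-]+)@([\w.-]+)>?")

# Constructed staff directory: (surname, initials). Hypothetical names.
STAFF = [("Shevchenko", "OV"), ("Kovalenko", "IP")]

def impersonation_keys(surname, initials):
    """Local-part spellings an impersonator could form from surname + initials."""
    s, i = surname.lower(), initials.lower()
    return {s + i, i + s, f"{s}.{i}", f"{i}.{s}", f"{s}_{i}", f"{s}-{i}"}

LOOKALIKE_LOCALS = {k for s, i in STAFF for k in impersonation_keys(s, i)}

def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for p in parts:
        if p.get_content_type() == "text/plain":
            raw = p.get_payload(decode=True) or b""
            out.append(raw.decode(p.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def score_message(raw):
    """Return the list of indicator names that fire on one RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    m = ADDR.search(msg.get("From", ""))
    if m:
        local, domain = m.group(1).lower(), m.group(2).lower()
        if domain in FREEMAIL_DOMAINS:
            hits.append("freemail_sender")
            if local in LOOKALIKE_LOCALS:
                hits.append("staff_lookalike_sender")   # external copy of an insider's name
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        hits.append("update_lure_subject")
    if re.search(r"powershell", body_text(msg), re.I):
        hits.append("body_mentions_powershell")
    return hits

# Constructed samples: one mimicking the reported lure, one routine internal mail.
LURE = ("From: Shevchenko O.V. <shevchenko.ov@outlook.com>\nTo: staff@agency.example\n"
        "Subject: Windows Update\n\nOpen the command line and run the PowerShell "
        "command shown in the picture to protect against hacker attacks.\n")
BENIGN = ("From: IT Helpdesk <helpdesk@agency.example>\nTo: staff@agency.example\n"
          "Subject: Monthly report\n\nThe report is attached to the ticket.\n")
```

In a gateway rule, `freemail_sender` plus `staff_lookalike_sender` alone is worth quarantining for review; the subject and body indicators only raise confidence, since legitimate patch notices do exist.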