Hackers Profit from the Conflict in Ukraine
In mid-March 2022, at least three different APT (Advanced Persistent Threat) groups from around the world launched targeted phishing campaigns, taking advantage of the military conflict in Ukraine as bait to spread malware and steal confidential information.
The campaigns, carried out by the groups El Machete, Lyceum, and SideWinder, targeted various sectors, including the energy, financial, and government sectors in Nicaragua, Venezuela, Israel, Saudi Arabia, and Pakistan.
Attackers used lures such as official-looking documents, news articles, or even job postings, depending on their targets and regions. According to cybersecurity experts from Check Point Research, many of these lure documents used malicious macros or template injection to gain a foothold in specific organizations’ systems, then launched malware attacks and installed the open-source remote access trojan Loki.Rat.
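A defender can triage lure documents of the kind described above before opening them: remote template injection leaves an `attachedTemplate` relationship with `TargetMode="External"` in the document's `.rels` parts, and macro-enabled files carry a `vbaProject.bin`. The following scanner is an added example, not code from Check Point Research or from any of the campaigns; the sample document and the `example.invalid` URL are constructed here for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship type Word uses to point a document at its attached template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def scan_office_file(data: bytes) -> dict:
    """Inspect an OOXML archive (docx/dotx/docm) for two lure indicators:
    an attached template fetched from an external URL (template injection)
    and an embedded VBA project (macros). Returns findings, no side effects."""
    findings = {"remote_templates": [], "has_macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["has_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    findings["remote_templates"].append((name, rel.get("Target")))
    return findings


def build_sample(template_target: str, external: bool = True,
                 with_macro: bool = False) -> bytes:
    """Constructed minimal docx-like archive for testing the scanner (not a real lure)."""
    mode = ' TargetMode="External"' if external else ""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}"{mode}/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder, no real VBA
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_office_file(build_sample("http://example.invalid/tpl.dotm", with_macro=True)))
```

A document that references only a local template (for example `Normal.dotm` without `TargetMode="External"`) produces no `remote_templates` finding, so the check separates ordinary files from the injection pattern rather than flagging every template reference.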
Examples of Recent Attacks
One of the campaigns was organized by the Iranian APT group Lyceum. During their attacks, the hackers used emails that allegedly reported on “Russian war crimes in Ukraine.” In reality, these emails installed .NET and Golang-based loaders on the victim’s system, which were then used to deploy a backdoor from a remote server.
Another example is SideWinder, which is believed to act in support of India’s political interests. In this case, the cybercriminals used a malicious document to exploit the Equation Editor vulnerability in Microsoft Office (CVE-2017-11882) and further spread malware designed to steal information.
Conclusion
These incidents highlight how cybercriminal groups are exploiting global crises to further their own goals, targeting a wide range of sectors and using increasingly sophisticated methods to compromise systems and steal sensitive data.