
Compromised routers exploited as malicious infrastructure to target government organizations in Europe and the Caucasus.


HarfangLab’s research team has identified various infrastructure elements and malicious files, exploited as part of the campaign identified in December 2023 by CERT-UA (Ukrainian Computer Incident Response Center). This campaign targeted government organizations in Ukraine, Poland and most probably Azerbaijan. 

In December, CERT-UA described a malicious espionage campaign targeting Ukrainian government entities, which they attributed to actor APT28 (aka Fancy Bear, Sofacy, etc.).

The modus operandi exploits targeted phishing e-mails to entice targets to visit a web page and open a malicious Windows shortcut. This shortcut enables the deployment of remote execution tools such as MASEPIE and OCEANMAP.

HarfangLab researchers have discovered new malicious files and infrastructure elements associated with this campaign. The campaign targeted government organizations in at least Ukraine and Poland, starting no later than December 13, 2023. Legitimate Ubiquiti network devices were exploited as command and control servers. HarfangLab researchers were unable to confirm the attribution of this campaign to the APT28 actor.

Initial infection

The initial infection of the targets is based on malicious web pages, which our researchers were able to identify and which all redirect to an online file publishing service (DriveHQ). The pages feature decoy images of blurred documents, inviting targets to click on a button to view the full document. The click executes malicious JavaScript embedded in the page. By hijacking Windows’ built-in file search mechanism (“search:”), the script in turn displays additional malicious files, which are stored on compromised network devices and deceptively presented as documents.
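As a defensive illustration of the “search:” abuse described above, the following added example (not HarfangLab's code) scans page source for search-handler URIs whose location points off the local machine. It assumes the related `search-ms:` scheme and the `crumb=location:` parameter of the Windows search handler are also of interest; the function name, sample source and `example.invalid` host are constructed for this example.

```python
import re
from urllib.parse import unquote

# search: / search-ms: URIs anywhere in page source (attributes or script strings).
SEARCH_URI = re.compile(r"""\bsearch(?:-ms)?:[^\s"'<>]+""", re.IGNORECASE)
# Remote location: UNC path (\\host\share), //host/share, or an http(s) URL.
REMOTE = re.compile(r"^(?:\\\\|//|https?://)", re.IGNORECASE)

# Constructed sample input: one local search link, one pointing at a remote share.
SAMPLE_SOURCE = r'''
<a href="search-ms:query=report&amp;crumb=location:C:\Users\Public&amp;displayname=Local">x</a>
<script>var u = 'search:query=invoice&crumb=location:%5C%5Cfiles.example.invalid%5Cshare&displayname=Documents';</script>
'''


def find_remote_search_uris(page_source: str) -> list[dict]:
    """Return search-handler URIs whose crumb=location: target is off the local machine."""
    findings = []
    for match in SEARCH_URI.finditer(page_source):
        # Undo HTML attribute escaping and percent-encoding before parsing.
        uri = unquote(match.group(0).replace("&amp;", "&"))
        params = uri.partition(":")[2]
        location, displayname = "", ""
        for part in params.split("&"):
            key, _, value = part.partition("=")
            if key.lower() == "crumb" and value.lower().startswith("location:"):
                location = value[len("location:"):]
            elif key.lower() == "displayname":
                displayname = value
        if REMOTE.match(location):
            findings.append({"uri": uri, "location": location, "displayname": displayname})
    return findings


if __name__ == "__main__":
    for finding in find_remote_search_uris(SAMPLE_SOURCE):
        print("remote search location:", finding["location"], "shown as", finding["displayname"])
```

The same check can be run over proxy-captured HTML or mail-gateway URL extracts; a search link scoped to a local path is not flagged.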

Attack infrastructure and MASEPIE malicious code

If the target opens the additional malicious files presented, a malicious script developed in Python and named MASEPIE is executed. MASEPIE provides the attacker with remote code execution capabilities on compromised machines.

The researchers found that all the servers exposing infection files, as well as the MASEPIE command and control servers, exhibited characteristics specific to Ubiquiti network equipment. They also found that most of the exploited servers displayed an unusual SSH-like banner, and determined that this corresponded uniquely to compromised equipment. As a result, the researchers believe that the malicious infrastructure exploited for this campaign is notably (and perhaps exclusively) made up of legitimate, but compromised Ubiquiti network devices.

Objectives and targets

The general level of sophistication and discretion of the malicious tools and activities is low, but sufficient to maintain constant pressure on Ukraine’s cyber-defense capabilities. The attacker’s investment is minimal, but enables the gathering of basic technical information (technical reconnaissance, collection of identifiers).

The attackers have taken care to exploit already compromised equipment to build up their infrastructure, and can thus easily deny being at the origin of the associated malicious activities. These characteristics could correspond with the will and capabilities of a state-sponsored malicious actor, wishing to accompany a general pressure effort as part of a political or military conflict.  

The targets of this campaign appear to be in line with the military and strategic interests of the Russian Federation. Nevertheless, they also correspond to the interests of Russia’s allies… and of many Caucasian countries in a regional conflict.

Pierre Delcher, Director of the Cyber Threat Research team at HarfangLab, explains: “Technical analysis only offers clues that can be useful for attribution. Our research experience also shows that advanced computer attacks regularly rely on compromised servers, operated by several players, as well as on operation relays or “proxies” – the latter may be cybercriminal groups, private companies, partners… As a result, and particularly when the attacks accompany a large-scale conflict mobilizing many interests, we are humble in our approach to attribution. In this case, if the overview of targets that our research provides is exhaustive, which is unlikely, we could estimate with a medium to high degree of confidence that this campaign is executed to serve Russian interests, but it could be carried out by non-state actors and/or non-Russian organizations.”

For more technical details on this research carried out by HarfangLab researchers, visit the Inside the Lab blog.

Our researchers are available to discuss the details of this infection campaign and their findings.

About HarfangLab

HarfangLab is a French cybersecurity company that publishes EDR (Endpoint Detection and Response) software, a technology that anticipates and neutralizes cyberattacks on computers and servers. Certified by ANSSI since 2020, HarfangLab now has over 250 customers, including government agencies, businesses and international organizations operating in highly sensitive sectors. HarfangLab’s EDR, now deployed on over a million endpoints, stands out for: the openness of its solution, which integrates natively with all other security bricks; its transparency, as the data collected by EDR remains accessible; and the digital independence it offers, as customers are free to choose their hosting mode: public or private cloud, or their own infrastructure.
