A targeted PowerShell attack campaign has been launched against the Ukrainian military by a sophisticated Russian advanced persistent threat (APT). The attack is believed to be the work of a group associated with Shuckworm, which has a history of campaigns against Ukraine for geopolitical, espionage, and disruption purposes. The campaign, tracked as STEADY#URSA, uses a newly discovered PowerShell-based backdoor, SUBTLE-PAWS, to infiltrate and compromise targeted systems. The backdoor gives the threat actors unauthorized access, lets them execute commands, and maintains persistence on compromised systems.
The attack delivers a malicious payload in compressed files attached to phishing emails; distribution and lateral movement of the malware are then carried out through USB drives, which removes the need to access the network directly. The report notes that this approach may be made difficult by Ukraine’s air-gapped communications, such as Starlink. The campaign shares similarities with Shuckworm malware and incorporates distinct tactics, techniques, and procedures observed in previous cyber campaigns against the Ukrainian military.
Oleg Kolesnikov, vice president of threat research and data science/AI at Securonix, says that SUBTLE-PAWS sets itself apart by relying primarily on off-disk, PowerShell-based stagers for execution rather than traditional binary payloads. It also layers on obfuscation and evasion techniques such as encoding, command splitting, and registry-based persistence to avoid detection.
The malware establishes command and control (C2) by communicating with a remote server via Telegram, using adaptive methods such as DNS queries and HTTP requests with dynamically stored IP addresses. It also employs stealth measures such as Base64 and XOR encoding, randomization, and environment sensitivity to make it harder to detect and analyze.
The SUBTLE-PAWS backdoor is launched by a malicious shortcut (.lnk) file, which loads and executes the PowerShell backdoor payload; that payload is embedded within another file contained in the same compressed archive.
Kolesnikov suggests proactive measures to mitigate the risk of such attacks: user education programs that teach staff to recognize attempted exploitation via email, greater awareness of malicious .lnk payloads on external drives, and strict policies governing how users decompress files. He also recommends device control policies that restrict unauthorized USB usage and regular scanning of removable media for malware with advanced endpoint security solutions.
To enhance log detection coverage, Securonix advises deploying additional process-level logging, such as Sysmon and PowerShell logging. Organizations should also enforce strict application whitelisting policies and implement enhanced email filtering, proper system monitoring, and endpoint detection and response solutions to monitor and block suspicious activity.
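As an added illustration of the process-level logging Securonix recommends (example code written for this page, not Securonix's or Sysmon's own tooling), the following Python applies heuristics drawn from the article's description of SUBTLE-PAWS (explorer-launched PowerShell, encoded commands, hidden windows, Run-key persistence, launch from removable media) to constructed Sysmon process-creation records. The field names follow Sysmon Event ID 1; the indicator names, the scoring threshold and the "non-C: drive means removable" shortcut are assumptions of this example.

```python
import re
# Constructed Sysmon Event ID 1 (process creation) records, reduced to the four
# fields the heuristics need. Sample values only, not real telemetry: the base64
# is the harmless string "AAA" in UTF-16LE, standing in for a real encoded stager.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": "E:\\",
     "CommandLine": "powershell.exe -w hidden -nop -enc QQBBAEEA"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": PS, "CurrentDirectory": r"C:\Users\u",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                    r'/v Updater /t REG_SZ /d "powershell -w hidden -enc QQBBAEEA"'},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe", "CurrentDirectory": r"C:\scripts",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
]
# -e / -ec / -en / -enc / -encodedcommand: the usual spellings of the switch.
ENCODED = re.compile(r"(?i)(?:^|\s)-e(?:c|n(?:c(?:odedcommand)?)?)?\s")
HIDDEN = re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden\b")
RUN_KEY = re.compile(r"(?i)\\currentversion\\run\b")
# Assumption: drive letters other than C: are removable media; real deployments should
# join on device-control or volume telemetry instead of guessing from the letter.
NON_SYSTEM_DRIVE = re.compile(r"(?i)^[D-Z]:\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def indicators(ev: dict) -> list[str]:
    """Return the SUBTLE-PAWS-style indicators present in one process event."""
    hits, cmd = [], ev["CommandLine"]
    # PowerShell spawned directly by explorer.exe is what a double-clicked .lnk looks like.
    if basename(ev["Image"]) in {"powershell.exe", "pwsh.exe"} and basename(ev["ParentImage"]) == "explorer.exe":
        hits.append("explorer_spawned_powershell")
    if ENCODED.search(cmd):
        hits.append("encoded_command")
    if HIDDEN.search(cmd):
        hits.append("hidden_window")
    if RUN_KEY.search(cmd):
        hits.append("run_key_persistence")
    if NON_SYSTEM_DRIVE.match(ev["CurrentDirectory"]):
        hits.append("launched_from_non_system_drive")
    return hits


def triage(events: list[dict], threshold: int = 2) -> list[tuple[int, list[str]]]:
    """Flag events with at least `threshold` indicators, or any Run-key write at all."""
    flagged = []
    for i, ev in enumerate(events):
        hits = indicators(ev)
        if len(hits) >= threshold or "run_key_persistence" in hits:
            flagged.append((i, hits))
    return flagged
```

Fed real Sysmon output, the same heuristics would flag the first two sample events (a hidden, encoded PowerShell launched from a non-system drive, and a Run-key write carrying an encoded command) while leaving the scheduled inventory script alone.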
This cyberattack is part of an ongoing ground war in Ukraine, which has also been waged in the digital realm. In addition to the attack on the Ukrainian military, Kyivstar, Ukraine’s biggest mobile telecom operator, experienced a cyberattack in December, leading to the loss of cell service for more than half of Ukraine’s population. Microsoft released details of Russian APT Cadet Blizzard in June 2023, which is thought to be responsible for wiper malware deployed before Russia’s invasion of Ukraine. Furthermore, Russian hacktivist groups have claimed to have breached the Ukraine military’s battlefield management system DELTA, revealing real-time troop movements.
Beyond the conflict in Eastern Europe, threat groups in Iran, Syria, and Lebanon show how cyberattacks figure in conflicts across the Middle East. The growing sophistication of these threats indicates that state-backed malicious actors are modernizing their malware techniques, and that multiple threat groups are banding together to launch more complex attacks.