Hackers working for Russia’s Federal Security Service have mounted multiple cyberattacks that used USB-based malware to steal large amounts of data from Ukrainian targets for use in its ongoing invasion of its smaller neighbor, researchers said.
“The sectors and nature of the organizations and machines targeted may have given the attackers access to significant amounts of sensitive information,” researchers from Symantec, now owned by Broadcom, wrote in a Thursday post. “There were indications in some organizations that the attackers were on the machines of the organizations’ human resources departments, indicating that information about individuals working at the various organizations was a priority for the attackers, among other things.”
The group, which Symantec tracks as Shuckworm and other researchers call Gamaredon and Armageddon, has been active since 2014 and has been linked to Russia’s FSB, the principal security service in that country. The group focuses solely on obtaining intelligence on Ukrainian targets. In 2020, researchers at security firm SentinelOne said the hacking group had “attacked over 5,000 individual entities across the Ukraine, with particular focus on areas where Ukrainian troops are deployed.”
In February, Shuckworm began deploying new malware and command-and-control infrastructure that has successfully penetrated the defenses of multiple Ukrainian organizations in the military, security services, and government of that country. Group members seem most interested in obtaining sensitive military information that could be abused in Russia’s ongoing invasion.
This newer campaign debuted new malware in the form of a PowerShell script that spreads Pterodo, a Shuckworm-created backdoor. The script activates when infected USB drives are connected to targeted computers. The malicious script first copies itself onto the targeted machine to create a shortcut file with the extension rtf.lnk. The files have names such as video_porn.rtf.lnk, do_not_delete.rtf.lnk, and evidence.rtf.lnk. The names, which are mostly in the Ukrainian language, are an attempt to entice…
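The spreading mechanism described above leaves two traits a defender can look for on removable media: a shortcut whose name carries a document extension before `.lnk` (so it looks like a file rather than a link), and a shortcut whose header flags say it carries command-line arguments, which a genuine link to a document normally does not. The following triage script is an added example written for this article, not code from Symantec or from the campaign; the header layout follows the public Windows Shell Link format, and the filenames and byte strings are constructed here for illustration (only a header is built, not a usable shortcut).

```python
import re
import struct

# Fixed 20-byte prefix of every Shell Link (.lnk) file: HeaderSize 0x4C followed
# by the LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian layout.
LNK_MAGIC = (b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00"
             b"\xc0\x00\x00\x00\x00\x00\x00\x46")
LNK_HEADER_SIZE = 0x4C
LINKFLAGS_OFFSET = 20          # LinkFlags is the DWORD right after the CLSID
FLAG_HAS_ARGUMENTS = 0x20      # HasArguments bit: shortcut carries a command line

# Document-like extensions that an attacker might place in front of ".lnk"
# so that Explorer (which hides the .lnk suffix) shows "evidence.rtf".
DOC_EXTENSIONS = ("rtf", "doc", "docx", "pdf", "txt", "xls", "xlsx", "jpg", "mp4")
DOUBLE_EXT_RE = re.compile(
    r"\.(?:" + "|".join(DOC_EXTENSIONS) + r")\.lnk$", re.IGNORECASE
)


def has_document_double_extension(filename: str) -> bool:
    """True for names such as 'evidence.rtf.lnk' that masquerade as documents."""
    return DOUBLE_EXT_RE.search(filename) is not None


def lnk_link_flags(data: bytes):
    """Return the LinkFlags DWORD if the bytes start with a valid .lnk header, else None."""
    if len(data) < LNK_HEADER_SIZE or not data.startswith(LNK_MAGIC):
        return None
    (flags,) = struct.unpack_from("<I", data, LINKFLAGS_OFFSET)
    return flags


def triage_shortcut(filename: str, data: bytes) -> list:
    """Collect human-readable reasons why this file deserves analyst attention."""
    reasons = []
    if has_document_double_extension(filename):
        reasons.append("document extension hidden before .lnk")
    flags = lnk_link_flags(data)
    if flags is not None and flags & FLAG_HAS_ARGUMENTS:
        reasons.append("shortcut passes command-line arguments to its target")
    return reasons


def scan_removable_drive(files: dict) -> dict:
    """Map each suspicious filename to its reasons; clean files are omitted.

    `files` is {filename: first bytes of the file}, e.g. gathered by walking a
    mounted USB drive and reading the first 76 bytes of every entry."""
    findings = {}
    for name, head in files.items():
        reasons = triage_shortcut(name, head)
        if reasons:
            findings[name] = reasons
    return findings


def _fake_lnk_header(flags: int) -> bytes:
    """Constructed sample: a bare 76-byte header with the given LinkFlags.
    Everything after the flags is zero, so this is not a working shortcut."""
    return LNK_MAGIC + struct.pack("<I", flags) + b"\x00" * (LNK_HEADER_SIZE - 24)


# Constructed sample drive contents (not real captured files).
SAMPLE_DRIVE = {
    "evidence.rtf.lnk": _fake_lnk_header(FLAG_HAS_ARGUMENTS | 0x80),
    "do_not_delete.rtf.lnk": _fake_lnk_header(0x80),      # double extension only
    "Quarterly report.lnk": _fake_lnk_header(0x01 | 0x80),  # ordinary document link
    "notes.rtf": b"{\\rtf1 hello}",                          # a real RTF, not a link
}

if __name__ == "__main__":
    for name, reasons in scan_removable_drive(SAMPLE_DRIVE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live system the `files` mapping would come from walking the mount point of the drive and reading only the first 76 bytes of each entry, so the scan never executes or fully parses anything. The two signals are deliberately independent: a renamed document link with no arguments is low priority, while a double-extension shortcut that also passes arguments matches the pattern described for this campaign and should be pulled for analysis.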