Ukraine’s technical security and intelligence service are warning of a new wave of cyberattacks that are aimed at gaining access to users’ Telegram accounts.
“The criminals sent messages with malicious links to the Telegram website in order to gain unauthorized access to the records, including the possibility to transfer a one-time code from SMS,” the State Service of Special Communication and Information Protection (SSSCIP) of Ukraine said in an alert.
The attacks, which have been attributed to a threat cluster called “UAC-0094,” originate with Telegram messages alerting recipients that a login had been detected from a new device located in Russia and urging the users to confirm their accounts by clicking on a link.
The URL, in reality a phishing domain, prompts the victims to enter their phone numbers as well as the one-time passwords sent via SMS that are then used by the threat actors to take over the accounts.
The modus operandi mirrors that of an earlier phishing attack that was disclosed in early March that leveraged compromised inboxes belonging to different Indian entities to send phishing emails to users of Ukr.net to hijack the accounts.
In another social engineering campaign observed by Ukraine’s Computer Emergency Response Team (CERT-UA), war-related email lures were sent to Ukrainian government agencies to deploy a piece of espionage malware.
The emails come with an HTML file attachment (“War Criminals of the Russian Federation.htm”), opening which culminates in the download and execution of a PowerShell-based implant on the infected host.
In February 2022, the hacking group was connected to espionage attacks targeting government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit organizations with the main goal of exfiltrating sensitive information. Read more:https://bit.ly/3NVEmKi