Ukrainian government networks are being attacked with pirated Windows 10 ISO images
December 20, 2022
Ukrainian government entities were hit by targeted attacks that used pirated Windows 10 ISO images distributed on torrent networks and posing as legitimate OS installers.
These trojanized installer images delivered malware capable of collecting data from compromised computers, deploying additional malicious tools, and exfiltrating stolen data to servers controlled by the attackers. “The ISO was configured to disable the typical security telemetry that a Windows PC would send to Microsoft, blocking automatic updates and license verification,” explains the cyber security firm Mandiant, which discovered the attacks.
While examining infected devices on Ukrainian government networks, Mandiant also found scheduled tasks configured to receive commands that were then executed through PowerShell. After the initial infection, the attackers deployed the Stowaway, Beacon, and Sparepart backdoors, which allowed them to maintain access to the compromised computers, execute commands, transfer files, and steal information, including credentials and keystrokes.
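The two behaviours described above, an image that switches off telemetry, updates and licence checks, and scheduled tasks that hand commands to PowerShell, are both things a defender can audit on a running host. The script below is an added example written for this page; it is not Mandiant's code and the article does not say which settings the altered images changed. The registry policy values, service names and task-argument patterns it checks are standard Windows locations chosen here as plausible places such tampering would show up; treating them as indicators is this example's assumption, and a hit is a lead to investigate, not proof of compromise.

```powershell
# Added example, not from the article or Mandiant: a read-only audit of the
# settings a tampered install image is described as changing, plus scheduled
# tasks that launch PowerShell. Registry paths and service names are standard
# Windows locations; using them as indicators is this example's assumption.
# Run in an elevated PowerShell session on a host you are authorised to inspect.

$findings = @()

# 1. Policy values that disable telemetry, automatic updates and activation
#    validation. On a default installation these values are normally absent.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Name = 'AllowTelemetry'; Suspicious = { param($v) $v -eq 0 } },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name = 'NoAutoUpdate';   Suspicious = { param($v) $v -eq 1 } },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'
       Name = 'NoGenTicket';    Suspicious = { param($v) $v -eq 1 } }
)
foreach ($c in $policyChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $value = $item.$($c.Name)
        if (& $c.Suspicious $value) {
            $findings += [pscustomobject]@{ Category = 'Policy'; Detail = "$($c.Path)\$($c.Name) = $value" }
        }
    }
}

# 2. Services that carry telemetry, updates and licensing; a Disabled start
#    type on any of them is the signal we record.
foreach ($svcName in 'DiagTrack', 'wuauserv', 'sppsvc') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($null -ne $svc -and $svc.StartType -eq 'Disabled') {
        $findings += [pscustomobject]@{ Category = 'Service'; Detail = "$svcName start type is Disabled" }
    }
}

# 3. Scheduled tasks whose action launches PowerShell. Encoded commands,
#    hidden windows and profile suppression are flagged separately because
#    they are rarely needed by legitimate administrative tasks.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $exe      = [string]$action.Execute
        $taskArgs = [string]$action.Arguments
        if ($exe -match 'powershell|pwsh') {
            $category = 'PowerShell task'
            if ($taskArgs -match '-(enc|encodedcommand|w hidden|windowstyle hidden|nop|noprofile)') {
                $category = 'PowerShell task with evasion-style arguments'
            }
            $findings += [pscustomobject]@{
                Category = $category
                Detail   = "$($task.TaskPath)$($task.TaskName): $exe $taskArgs"
            }
        }
    }
}

# Emit a table for a human reader; pipe $findings to Export-Csv to keep a record.
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize }
```

Run it once on a known-good build of the same image to establish a baseline, then diff the output against hosts that were installed from media of uncertain origin: the policy and service checks answer "was this image tampered with", while the task listing answers "is something on it still taking orders".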
There is no indication of financial motivation, such as the theft of monetizable information or the deployment of ransomware or cryptocurrency miners. The targets were hand-picked and, according to Mandiant, align with Russian GRU interests, suggesting that these actions are part of the war in Ukraine and confirming that it is still being fought in cyberspace.
Windows 10 pirated ISO images
If in the physical world Russia has proven incapable of achieving the “goals” declared by Putin, in the virtual world it has offensive and defensive capabilities ranked among the world's elite, with official military units and civilian groups acting as mercenaries for hire. And they began to act before the invasion of Ukraine.
The group responsible, tracked as UNC4166, aimed to collect and steal sensitive information from Ukrainian government networks. While there is no firm attribution at this time, Mandiant's researchers found that the organizations targeted by this campaign had previously appeared on the target list of the state-backed hacking group APT28, which is linked to Russian military intelligence.
APT28 has operated since at least 2004 on behalf of the Russian General Staff’s Main Intelligence Directorate (GRU) and has been linked to campaigns targeting governments around the world, including the German Federal Parliament in 2015 and attacks against the Campaign Committee and the Democratic National Committee in 2016. Since the beginning of the Russian invasion of Ukraine, Google, Microsoft and the Ukrainian CERT have disclosed several phishing campaigns by this group aimed at Ukrainian government and military organizations.
The novelty is the use of this type of installer, a pirated Windows 10 ISO carrying Trojans, for espionage operations. These are not the same images that circulate on the consumer market. The anti-detection capabilities involved indicate that the attackers knew what they were doing and were patient, “because the operation would require significant time and resources to develop and wait for these types of images to be installed in a network of interest,” Mandiant notes. Mandiant did not, however, explain who was installing unofficial images of this kind on networks linked to the Ukrainian government.
Alice Smith is a seasoned journalist and writer for Div Bracket. She has a keen sense of what’s important and is always on top of the latest trends. Alice provides in-depth coverage of the most talked-about news stories, delivering insightful and thought-provoking articles that keep her readers informed and engaged.