
Hackers attack the Ukrainian government through cracked builds of Windows 10

  • December 20, 2022


Mandiant is a cybersecurity company that works with governments, law enforcement and organizations around the world to detect threats, conduct investigations and analyze security products from various manufacturers. It has published a lengthy report with discouraging findings.

What is known

  • Mandiant experts discovered an entire operation targeting the Ukrainian government through trojanized Windows 10 installers. The installers use the Ukrainian language pack and are clearly aimed at Ukrainian users. The campaign has been running since July 2022 and is a socially engineered supply chain attack.
  • The report did not specify exactly which state institutions were affected by the attacks and at what level. It is also unknown how the pirated software got into their computers.
  • The malware embedded in the ISO images performs reconnaissance and deploys additional capabilities on victims’ computers to steal data. For example, the STOWAWAY, BEACON, and SPAREPART backdoors have been placed on some computers, allowing hackers to maintain access to compromised machines, execute commands, transfer files and steal information including credentials and keystrokes, as well as take screenshots.
  • In some cases, the attackers even tried to download the Tor Browser to the victim’s device. While the exact reason for these actions is unclear, researchers suspect that Tor may be an alternative channel for data theft.
  • The ISO images were distributed via torrent sites, including the Ukrainian Toloka and the Russian RuTracker.
  • The threat is identified as UNC4166 and is not affiliated with any known hacker group.


Screenshot of a post on the Toloka website with a pirated Windows 10 operating system / Photo by Mandiant

Mandiant experts say that the use of trojanized ISOs in espionage operations is new. The added protections against detection show that the organizers of this campaign are security-conscious and patient, as the task required a great deal of time and resources, including waiting for the ISO image to be installed on the right computer. The files are released into the public domain, where they can be downloaded by anyone, whether an ordinary user or a small private organization of no interest to the hackers.

Overall, “several devices containing malicious programs on Ukrainian government networks” were discovered around 12 July 2022. From the data collected by Mandiant, it appears that the victims were specifically selected for follow-on activity. The covert programs perform an initial scan on compromised devices to determine whether a particular computer is of interest to the hackers. If UNC4166 determines that the device likely contains valuable information, further action is taken.

Source: 24 Tv
