As reported by Ukrinform, the State Private Communications and Information Protection Service of Ukraine reported this on Telegram.

“The Ukrainian Government Computer Emergency Response Team CERT-UA warned of a cyberattack using emails containing “instructions” to “update the operating system” – said the State Intelligence Service.

E-mails with the subject of “Windows Update” are sent on behalf of the system administrators of the departments from the e-mail addresses created on the so-called “@outlook.com” public service. In some cases, letters can be created using the employee’s real name and initials.

It was noted that the attack-specific letter contained Ukrainian “instructions” for “updates to protect against hacker attacks”, as well as graphic images of the process of launching a command line and executing a PowerShell command. The execution of the latter simulates the process of updating the operating system, downloads and executes a PowerShell script to collect basic information about the computer, and also sends the received results to the API of the Mocky service.

According to CERT-UA, the activity is run by the APT28 group (also known as Pawn Storm, Fancy Bear), which a number of researchers have associated with the Russian Federation.

The Ukraine Government Computer Emergency Response Team recommends limiting users’ ability to run PowerShell and monitor network connections to the Mocky service API.

As reported by Ukrinform, the Cabinet approved the Procedure for responding to cyber incidents and cyber attacks.