Ukraine's Computer Emergency Response Team (CERT-UA) disclosed that the UAC-0219 hacking operation launched attacks with the nascent Wrecksteel malware against the country's government entities and critical infrastructure organizations last month, as part of a cyberespionage campaign that commenced last fall, reports The Record, a news site by cybersecurity firm Recorded Future.
According to CERT-UA, UAC-0219 leveraged hacked email accounts to distribute phishing messages containing links that redirect to Google Drive and DropMeFiles, which in turn lead to the execution of a PowerShell script capable of extracting data and capturing screenshots. Information linking UAC-0219 to a specific country is still lacking, but Russia has previously been identified as being behind the majority of phishing-based cyberespionage against Ukraine. Cisco Talos researchers recently reported that Ukraine was targeted by the Russian state-sponsored cyberespionage operation Gamaredon in a phishing campaign involving troop-related lures, while the country's national railway operator, Ukrzaliznytsia, had its online systems taken down last week by a cyberattack also linked to Russia.
The "Google Notes" extension, identified by McAfee researchers, operates by requesting broad permissions, including access to all websites, browsing history, and the clipboard, which are unusual for a note-taking application.