Cloudflare’s threat intel team claims to have thwarted a month-long phishing and espionage attack targeting Ukraine which it has attributed to Russia-aligned gang FlyingYeti.
While this crew typically targets the Ukrainian military, this phishing expedition went after financially strapped citizens who had benefited from a government moratorium on evictions and utility disconnections for unpaid debt, which ended in January. It’s tough to tell how many victims the criminals intended to phish, according to Blake Darché, head of Cloudforce One, Cloudflare’s security crew.
“Given we stopped the threat actor before they could successfully infect their intended victims, we don’t know the full scope of the attack,” Darché told The Register. “However, we can infer based on the lures used and the impersonation of the Komunalka [Комуналка] payment platform for the entire Kyiv region, that the target base was potentially vast.”
While previous FlyingYeti campaigns have mostly targeted Ukrainian defense forces, this one took a slightly different approach, Darché observed.
“In this campaign, there are two potential targeting techniques, both of which would have had significant repercussions if successful,” he noted. “The most likely – aligned with past tactics, techniques, and procedures of this threat actor – is that targeting was selective from the start, with the initial infection vector only being sent to high-value targets.”
The second technique, Darché explained, initially targeted a broader group – perhaps all residents of Kyiv. With this approach, “successful infection would have likely led to the threat actor narrowing in on high-value targets such as military entities for follow-on payloads,” he explained.
Cloudforce One spotted FlyingYeti gearing up for the attacks on April 18, and monitored its preparations through mid-May.
The Russian crew conducted reconnaissance on payment processes for Ukrainian communal housing and utility services, researched QR codes used in payment notices, and probed current developments and legal issues around housing and utility debt in the country.
According to Cloudforce One, the gang intended to attack in early May, following the Orthodox Christian Easter. The threat-hunters’ hypothesis is that this campaign aimed to take advantage of the Ukrainian government’s rental payment moratorium for civilians, implemented at the start of the illegal Russian invasion in February 2022.
On January 9, however, the government lifted this ban, resulting in increased financial stress on Ukrainian citizens who had racked up substantial debt over the course of the war.
“FlyingYeti sought to capitalize on that pressure, leveraging debt restructuring and payment-related lures in an attempt to increase their chances of successfully targeting Ukrainian individuals,” the threat hunters revealed on Thursday.
After conducting due diligence, FlyingYeti then spun up a phishing site – komunalka[.]github[.]io on GitHub – along with a GitHub repo to host a malware-laden RAR archive.
The criminal-controlled site is a spoofed version of the legitimate Kyiv Komunalka communal housing portal – www[.]komunalka[.]ua – and victims likely received links to the GitHub page in a phishing email or Signal message, we’re told.
Once an individual clicked on the Link, they would be prompted to download a phony invoice document that drops a malicious RAR file. The original iteration of this attack used a Cloudflare Worker – the company’s serverless functions platform – to fetch the RAR file from GitHub. Once Cloudflare identified that FlyingYeti’s attack used its services, it put a stop to it.
The Russian-linked crew then changed the malware delivery method to enable loading directly from GitHub. The downloaded RAR archive includes multiple files – including one used to hide file extensions by adding whitespace between the file name and file extension. In this case, the attacker named the file such that is appeared to be a PDF, but it was really a malicious file.
The software contained COOKBOX – FlyingYeti’s PowerShell malware – along with decoy documents designed to look like debt restructuring agreements and other relevant papers to boost the believability of the phishing campaign.
These decoys, however, contained tracking links that use Canary Tokens – also tools used to track criminal behavior via embedded identifiers. But in this case, the attackers used the tokens to track their victims.
Cloudflare’s security team notified GitHub, which removed the RAR file, phishing site and entire GitHub project plus suspended the account used to host the malware. This forced FlyingYeti to host the RAR archive on other file-sharing sites including Pixeldrain and Filemail.
The anti-phishing-campaign actions intended to “increase the actor’s cost of continuing their operations,” according to Cloudforce One.
The threat hunters claim to have successfully extended the time it took to complete the fraudulent operation “from hours to weeks,” and forced the criminals to adapt their tactics multiple times.
This type of disruption – “in one instance resulting in eight additional hours spent on debugging code,” the threat-intel team noted – ultimately achieved success against the Kremlin-linked actors.
“At the time of publication, we did not observe FlyingYeti upload the malicious RAR file to either file hosting site, nor did we identify the use of alternative phishing or malware delivery methods,” Cloudflare crowed. ®