Full Report
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new campaign that targeted government and municipal healthcare institutions, mainly clinics and emergency hospitals, to deliver malware capable of stealing sensitive data from Chromium-based web browsers and WhatsApp. The activity, which was observed between March and April
Analysis Summary
# Incident Report: Campaign Against Ukrainian Healthcare and Government Entities
## Executive Summary
Between March and April 2024, Ukrainian government and healthcare institutions were targeted in a phishing campaign designed to deploy data-stealing malware. The attackers compromised systems and exfiltrated sensitive information from Chromium-based browsers and WhatsApp. CERT-UA identified and mitigated the threat, attributing the activity to a tracked cyber-espionage cluster.
## Incident Details
- **Discovery Date:** April 2024
- **Incident Date:** March – April 2024
- **Affected Organization:** Multiple municipal clinics and emergency hospitals
- **Sector:** Government and Healthcare
- **Geography:** Ukraine
## Timeline of Events
### Initial Access
- **Date/Time:** March 2024
- **Vector:** Phishing via email or messaging apps.
- **Details:** Attackers utilized social engineering to lure victims into downloading malicious files disguised as legitimate documents or software updates relevant to healthcare/government administration.
### Lateral Movement
- **Details:** The primary malware functioned as an information stealer; however, evidence suggests the use of secondary scripts to identify additional reachable hosts within the local network via SMB or internal scanning.
### Data Exfiltration/Impact
- **Details:** The malware targeted and successfully exfiltrated saved passwords, cookies, and autofill data from Chromium-based browsers. It also targeted the WhatsApp desktop application's databases to steal chat history and session tokens.
### Detection & Response
- **Discovery:** CERT-UA detected anomalous outbound traffic to known malicious C2 (Command and Control) nodes.
- **Response:** Isolation of infected endpoints, revocation of compromised credentials, and public release of technical analysis to prevent further spread.
## Attack Methodology
- **Initial Access:** Spear-phishing with malicious attachments or links.
- **Persistence:** Creation of scheduled tasks or modification of registry run keys to ensure malware execution upon reboot.
- **Privilege Escalation:** Exploitation of local system vulnerabilities if the user lacked administrative rights.
- **Defense Evasion:** Use of obfuscated scripts and legitimate system tools (living-off-the-land) to mask malicious activity.
- **Credential Access:** Extraction of "Login Data" and "Cookies" databases from Chromium-based browser profiles.
- **Discovery:** Use of built-in Windows commands (e.g., `net view`, `ipconfig`) to map the victim's environment.
- **Lateral Movement:** Attempted credential harvesting to pivot to adjacent workstations.
- **Collection:** Automated scanning of specific directories for WhatsApp databases and browser local storage.
- **Exfiltration:** Data was compressed and uploaded to attacker-controlled servers via HTTP/HTTPS POST requests.
- **Impact:** Loss of confidentiality for sensitive patient data and government communications.
## Impact Assessment
- **Financial:** Costs associated with incident response, forensic auditing, and potential recovery of compromised accounts.
- **Data Breach:** High. Exposure of sensitive medical records, personal credentials, and private encrypted communications.
- **Operational:** Temporary disruption of clinical systems during the remediation and scanning phase.
- **Reputational:** Risk to public trust in the security of municipal healthcare infrastructure during wartime.
## Indicators of Compromise
- **Network Indicators:**
  - hxxp[://]91[.]215[.]169[.]111/ (defanged)
  - hxxp[://]files-download[.]com[.]ua/ (defanged)
- **File Indicators:**
  - `document.zip` (containing malicious .EXE or .LNK files)
  - `whatsapp_viewer.exe` (malicious impostor binary)
- **Behavioral Indicators:**
  - Unauthorized PowerShell execution with encoded commands.
  - Unexpected outbound connections from browser process folders to foreign IP addresses.
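As an added example (not code from the CERT-UA report or this summary), the following Python triage script turns the two behavioral indicators above, plus the network indicators, into checks over constructed process-creation and network-connection events: it decodes PowerShell `-EncodedCommand` arguments and flags external connections from binaries run out of a user's AppData or Downloads tree. The event field names, the reading of "browser process folders" as AppData/Downloads paths, and the sample events are assumptions.

```python
import base64
import ipaddress
import re

# Indicators taken from the report above, refanged for matching.
KNOWN_C2 = {"91.215.169.111", "files-download.com.ua"}
# Assumption: "browser process folders" means binaries run from a user's AppData or Downloads tree.
SUSPECT_PATH = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\", re.IGNORECASE)
# Any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...) followed by a base64 argument.
ENC_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def decode_powershell_arg(b64: str) -> str:
    try:  # -EncodedCommand is base64 over UTF-16LE text; return '' when it does not decode
        return base64.b64decode(b64).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def check_process(ev: dict) -> list:
    """Flag PowerShell launched with an encoded command and recover the script text."""
    is_ps = "powershell" in ev.get("image", "").lower()
    return [("encoded_powershell", decode_powershell_arg(blob))
            for flag, blob in ENC_FLAG.findall(ev.get("cmdline", ""))
            if is_ps and "encodedcommand".startswith(flag.lower())]

def check_network(ev: dict) -> list:
    """Flag known C2 destinations and external connections from AppData/Downloads binaries."""
    dest, image, hits = ev.get("dest", ""), ev.get("image", ""), []
    if dest in KNOWN_C2:
        hits.append(("known_c2", dest))
    try:
        external = ipaddress.ip_address(dest).is_global
    except ValueError:  # hostname: cannot be range-checked offline, treat as external
        external = True
    if external and SUSPECT_PATH.search(image):
        hits.append(("appdata_process_outbound", image))
    return hits

def triage(events: list) -> list:
    """(host, finding, detail) for every event that trips one of the checks above."""
    return [(ev["host"], kind, detail) for ev in events
            for kind, detail in (check_process if ev["type"] == "process" else check_network)(ev)]

# Constructed sample telemetry in a simplified Sysmon-like shape (not from the report).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode("Write-Output test".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "host": "clinic-ws01", "image": PS, "cmdline": f"{PS} -NoP -W Hidden -enc {ENCODED}"},
    {"type": "process", "host": "clinic-ws01", "image": PS, "cmdline": f"{PS} -ExecutionPolicy RemoteSigned"},
    {"type": "network", "host": "clinic-ws02", "image": r"C:\Users\nurse\AppData\Local\Temp\whatsapp_viewer.exe", "dest": "91.215.169.111"},
    {"type": "network", "host": "clinic-ws02", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest": "8.8.8.8"},
]
```

Running `triage(SAMPLE_EVENTS)` yields one encoded-PowerShell finding and two findings for the `whatsapp_viewer.exe` connection (known C2 plus AppData-origin outbound); the legitimate Chrome connection and the plain `-ExecutionPolicy` launch produce nothing.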
## Response Actions
- **Containment:** Blocked malicious domains at the national and organizational firewall levels.
- **Eradication:** Deployed updated antivirus signatures to remove the specific malware variants from infected hosts.
- **Recovery:** Forced password resets for all users within affected institutions and cleared browser cookies/sessions.
## Lessons Learned
- **Key Takeaways:** Healthcare institutions remain a high-priority target for espionage, possibly to gain insight into civilian morale or sensitive logistics.
- **Critical Gap:** The reliance on browser-stored passwords without additional encryption or Multi-Factor Authentication (MFA) exacerbated the data theft.
## Recommendations
- **MFA Implementation:** Enforce hardware-based or app-based MFA for all government and medical staff accounts so that stolen passwords alone cannot be reused; because stolen session cookies can still be replayed without a second factor, pair MFA with short session lifetimes and the ability to revoke active sessions.
- **Browser Security:** Implement policies to disable "Save Password" features in browsers via Group Policy Objects (GPO).
- **Application Whitelisting:** Restrict the execution of unsigned binaries or scripts from the `AppData` or `Downloads` directories.
- **Employee Training:** Conduct targeted anti-phishing simulations focusing on healthcare administrative staff.