REUTERS

ESET researchers have uncovered a new advance persistence threat (APT) group that has been stealing sensitive documents from several governments in Eastern Europe and the Balkans since 2011

The XDSpy espionage group has gone largely undetected for nine years, ESET experts report

It has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020.

In the interim, the group has compromised government entities, including militaries and foreign ministries, as well as private companies, across Eastern Europe and the Balkans.

After careful research, ESET were not able to link XDSpy to any publicly known APT group.

Read alsoUK's senior general: Russia seeking destabilization through COVID-19 disinformationXDSpy operators mainly seem to use spearphishing emails in order to compromise their targets. Some contain an attachment while others contain a link to a malicious file. The first layer of the malicious file or attachment is generally a ZIP or RAR archive. The link points to a ZIP archive that contains an LNK file, without any decoy document. When the victim double-clicks on it, the LNK downloads an additional script that installs XDDown, the main malware component.

The group jumped on the COVID-19 wagon at least twice in 2020, using the theme in their spearphishing campaigns.

Latest cyber attacks in Ukraine: Background

  • Websites of regional police departments and other agencies were targeted in a massive cyber attack on September 23 when hackers gained control of the sites and posted fake news on behalf of law enforcement and other agencies:
  • A fake report about a radioactive leakage accident at the Rivne nuclear power plant (NPP) was posted on the website of Varash City Council, Rivne region. The information has been refuted both by the city council and the NPP's press service.
  • A fake report on the death of three soldiers of the Ukrainian Armed Forces was posted on the Lviv region police's website amid the ongoing Rapid Trident 2020 multinational military drills.
  • Also, the Mykolaiv region's Police Department reported a cyber attack on their official website, it is temporarily shut down. A local Facebook journalism community said the website had a fake post about a lethal traffic accident with five victims.
  • A similar situation was reported by the police in Kherson region. A fake post about the death of U.S. military advisers appeared on their website.
  • The press service of the National Police of Ukraine, in turn, said on Facebook that their website had been hacked. It says "in this connection, false information was disseminated on some Internet pages of regional police departments." The website was temporarily shut down.
  • In the wake of the latest string of attacks, Ukraine Government set to create a National Cybersecurity Strategy.