A Ukrainian utility company suffered a cyberattack after an employee downloaded and installed an unlicensed version of Microsoft Office from a torrent website. The pirated software contained two remote access Trojans, DarkCrystal and DWAgent, which gave an unauthorized third party access to the company’s network for two months.
The Cyber Emergency Response Team of Ukraine (CERT-UA) attributed the Trojans to UAC-0145, a group previously linked to Sandworm, a Russian unit of military intelligence hackers responsible for numerous destructive attacks against Ukraine.
Torrented software is a common pathway for infection, according to CERT-UA. The agency advises against downloading and installing any software from unofficial sources, including Microsoft Office, operating systems, scanners, password recovery tools, and other programs.
The use of unlicensed software could allow malicious actors to gain unauthorized access to a company’s network, putting sensitive data and operations at risk.
Russian state hackers have been targeting Ukraine for almost a decade, with an uptick in attacks during the first four months of 2022, coinciding with Moscow’s initiation of a war of conquest against Kyiv. While the cyber dimension of the conflict has not yet escalated to a full-blown cyberwar, the constant hacking remains a significant concern.
Microsoft predicts that Russian hackers will increase their use of ransomware, seek initial access to systems, and mount more influence operations.
This incident underscores the importance of implementing cybersecurity best practices and maintaining security awareness in organizations. It is essential to use only licensed software and to avoid downloading any software from untrusted sources.
Employees should receive regular training to stay vigilant against phishing attempts and other cyberattacks. Organizations should also conduct regular vulnerability assessments and penetration testing to identify and address any security weaknesses proactively.