According to researchers, a hacker group believed to be linked to Ukraine is conducting a new cyber espionage campaign against the Russian scientific and industrial sectors. The Russian cybersecurity company F.A.C.C.T. detected fraudulent emails that appeared to be from Russia’s Ministry of Industry and Trade. These emails, detailed in a report published on Wednesday, urged local defense industry firms to place orders with correctional facilities and suggested working with prisoners possessing mechanical and engineering expertise.

Embedded within the emails was a malicious archive containing an executable file. When opened, this file deployed a remote access malware known as Ozone, enabling attackers to gain control over infected devices.

F.A.C.C.T. linked the operation to a suspected pro-Ukraine cyber threat group known as Sticky Werewolf. This group is known to primarily target government bodies, research institutions, and industrial firms across Russia, Poland, and Belarus. Researchers noted that Sticky Werewolf utilizes various hacking tools, including the Darktrack and Ozone remote access trojans, as well as the Glory Stealer and MetaStealer malware.
The success of the group’s latest operation is unclear. F.A.C.C.T. reported that the attacks began shortly after the New Year holidays, with one of the phishing emails being discovered as recently as this week.
Sticky Werewolf has used similar tactics in previous attacks on Russian organizations. Last year, the group targeted a pharmaceutical company using a fake email posing as a decree from Russia’s Ministry of Emergency Situations. Before that, the hackers attacked a Russian microbiology research institute—engaged in vaccine development—through a phishing email impersonating the local Ministry of Construction.
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.