Cybersecurity Reports

State-sponsored Attack Groups leveraging Russia-Ukraine War for Cyber Espionage, says Check Point Research

Check Point Research (CPR) sees threat groups worldwide using Russia/Ukraine-themed documents to spread malware and lure victims into cyber espionage. Depending on the targets and region, attackers are using decoys ranging from official-looking documents, to news articles and job postings. CPR believes the motivation behind these recent campaigns is cyber espionage, to steal sensitive information from governments, banks and energy companies. The threat groups and their victims are not concentrated to one region, but span worldwide, including Latin America, Middle East and Asia.

In a new publication, CPR profiles three advanced persistent threat (APT) groups, named El Machete, Lyceum and Sidewinder, who were recently caught conducting the spear-phishing campaigns on victims in five countries. The table below summarizes each APT group’s origin, target sector and target countries.

APT Name APT Origin Targeted Sector Targeted Countries
El Machete Spanish-speaking Country Financial, Governmental  Nicaragua, Venezuela  
Lyceum The Islamic Republic of Iran Energy Israel, Saudi Arabia
SideWinder Possibly India Unknown Pakistan

Malware Capabilities

CPR studied the malware laced by each of the three APT groups, specifically for these cyber espionage activities. Capabilities include:

  • Keylogging: steals everything you enter using the keyboard
  • Credential collection: collects credentials stored in Chrome and Firefox browsers
  • File collection: collects information about the files on each drive and collect file names and file sizes, allowing theft of specific files
  • Screenshotting
  • Clipboard data collection
  • Command execution
Lure document
Russia-Ukraine war-related decoy documents used by the Lyceum APT group

Attack Methodologies

El Machete

  1. Spear-phishing email with text about Ukraine
  2. Attached Word document with article about Ukraine
  3. Malicious macro inside the document drops a sequence of files
  4. Malware downloaded to the PC


  1. Email with content about war crimes in Ukraine and link to malicious document hosted on a website
  2. The document executes a macro code when the document is closed
  3. Exe file is saved to the PC
  4. Next time you restart your PC the malware runs


  1. Malicious document is opened by the victim
  2. When it’s opened, the document retrieves a remote template from an actor-controlled server
  3. The external template that’s downloaded is an RTF file, that exploits the CVE-2017-11882 vulnerability
  4. Malware on the PC of the victim

Speaking about the emerging threat vectors, Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software said, “Right now, we are seeing a variety of APT campaigns that utilizes the current war for malware distribution. The campaigns are highly targeted and sophisticated, focusing on victims in the government, financial and energy sectors. In our newest report, we profile and bring examples from three different APT groups, who all originate in different parts of the world, that we caught orchestrating these spear-phishing campaigns. We studied the malware involved closely, and found capabilities that span keylogging, screenshotting and more. It is my strong belief that these campaigns are designed with the core motivation of cyber espionage. Our findings reveal a clear trend, that collateral around the war between Russia and Ukraine has become a lure of choice for threat groups world-wide. I strongly recommend governments, banks and energy companies to reiterate cyber awareness and education to employees, and to implement cyber security solutions that protect the network on all levels.”

In Conclusion
Although the attention of the public does not usually linger on a single issue for an extended period, the Russian-Ukrainian war is an obvious exception. This war affects multiple regions around the world and has potentially far-reaching ramifications. As a result, we can expect that APT threat actors will continue to use this crisis to conduct targeted phishing campaigns for espionage purposes.

Source: CPR Report

Related posts

Arete’s Cyber Threat Report reveals only 19% of cases involved ransom payments in the first half of 2023

SSI Bureau

IDC Reveals India Corporate Banking Predictions for 2022 and Onwards

SSI Bureau

India most troubled by talent crunch for advanced threats detection: MicroFocus

SSI Bureau

Leave a Comment

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More