Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Pirated Software Compromised Ukrainian Utility Company

Attacker Loaded DarkCrystal and DWAgent Remote Access Trojans
Pirated Software Compromised Ukrainian Utility Company
An undated photo of a Ukrainian defender (Image: Kharkiv Regional State Administration)

An employee of a Ukrainian utility company downloaded and installed an unlicensed version of Microsoft Office from a torrent website resulting in two remote access Trojans infecting the company's systems for two months.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The Computer Emergency Response Team of Ukraine said the pirated version of the Office suite contained the DarkCrystal remote access Trojan and the DWAgent remote administration tool. The two applications provided unauthorized third-party access to the company's network between Jan. 19 and March 22.

The cybersecurity first responder attributes the Trojans to a group it tracks as UAC-0145. The Ukrainian CERT previously linked DarkCrystal RAT usage to the Sandworm group, the popular Western name for a Russian unit of military intelligence hackers responsible for a slew of destructive computer attacks against Ukraine. Kyiv tracks Sandworm as UAC-0113 (see: Russian Sandworm APT Adds New Wiper to Its Arsenal).

CERT-UA said torrented software is a common pathway for infection. "In addition to Microsoft Office software products, there are known cases of infection, including when installing operating systems downloaded from unofficial sources, as well as other programs like scanners, password recovery tools, etc."

Russian state hackers have pummeled Ukraine for nearly a decade now with a notable uptick during the first four months of 2022, around the time of Moscow's initiation of a war of conquest against Kyiv. The cyber dimension of the conflict has failed to materialize into the cyberwar many predicted, but hacking has been constant. Microsoft recently predicted Russian hackers will boost their use of ransomware, seek initial access to systems and mount additional influence operations (see: Russia May Be Reviving Cyber Ops Ahead of Spring Offensive).

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.