Analysis: Russian cyberattacks against companies in the West that are helping Ukraine

Russian Hackers Exploit Fake Browser Updates to Target Ukraine Supporters

A Russia-linked hacking group is using fraudulent browser-update prompts to deliver malicious code to organizations in countries that support Ukraine, illustrating how borderless cybercrime has become. The same delivery method is also used in ransomware attacks.

Hackers with ties to Russia are compromising legitimate websites to distribute advanced malware to Western companies that collaborate with and provide aid to Ukraine. A recent analysis by cybersecurity firm Arctic Wolf assesses that a unit of Russia's military intelligence service, the GRU, is likely ultimately responsible for the attacks.

The analysis finds that these attacks against Ukrainian interests are a new variation of a well-known attack method called SocGholish. Malicious code planted on a compromised website tricks visitors into believing their browser needs updating. Accepting the "update" downloads and runs the attackers' first stage, giving them a foothold from which to continue the attack. Users who are simply trying to keep their software current risk unknowingly starting a major intrusion.

“Exploiting fake updates is a well-known method for hackers. What’s new is that the attackers this time can be traced to Russia and that they are targeting individual companies and organizations in the West that in various ways provide support to Ukraine,” says Petter Glenstrup, Head of Nordics at Arctic Wolf.

Arctic Wolf’s analysis describes an incident in which an employee clicked on a fake browser update on a compromised website. The download prompt looked normal, but the downloaded file was malware that immediately gave the attackers access to the system. Shortly thereafter, the hackers attempted to install advanced malware attributed to the Russia-backed group RomCom, something that had not previously been observed in conjunction with SocGholish.

The RomCom group’s malicious code only executes its payload once it has confirmed it is running on a specific, intended target. This makes it possible to hide narrowly targeted attacks inside broad, global campaigns: what looks on the surface like a mass attack is, in practice, a threat only to selected organizations.

The incident underlying the analysis affected an American technology company that had previously worked with a city with close ties to Ukraine. The event illustrates a clear trend: Russia, through affiliated threat actors, is targeting organizations that directly or indirectly support Ukraine. This makes the threat highly relevant for the Nordic region, where many companies, public authorities, and interest organizations have been actively assisting Ukraine since 2022.

According to Petter Glenstrup, this case is a typical example of how borderless cybercrime behaves today:

“We often see that it is the same tools and approaches that are used both in cybercrimes that are economically motivated and state-sponsored attacks. The threat actors operate in a common ‘market,’ even if they have completely different purposes. This makes the threat landscape both more complex and harder to predict.”

SocGholish is also associated with ransomware extortion. The group behind SocGholish, known as TA569, acts as an initial access broker: it resells access to compromised systems to cybercriminals or state-sponsored actors. A SocGholish infection therefore usually begins as an “opportunistic” intrusion with no major direct consequences, but it must be regarded as a warning signal of something bigger and more serious to follow.

“Anyone who detects an intrusion by SocGholish should act as if they are in an early stage of a ransomware attack – that is, quickly. By limiting the spread at an early stage, you can prevent it from developing into a full-blown attack,” says Petter Glenstrup.

Protecting Against Fake Updates: Key Recommendations

Arctic Wolf follows up its analysis with concrete measures that can prevent attacks through SocGholish and similar threats:

  • Restrict how software updates are installed. Updates should always be delivered through central channels and from approved sources, never via a prompt in a browser window.
  • Monitor clients for suspicious activity, including abnormal network connections and script execution launched from user-facing applications.
  • Use a modern endpoint protection solution to detect and stop attempts to install hidden malware.
  • Introduce clear routines for how users should handle update messages.
  • Educate and inform users on an ongoing basis so that they learn to recognize fake updates and manipulated websites.

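The second measure above can be made concrete on the endpoint. The following is an added example, not Arctic Wolf's detection logic and not code from the analysis: it runs two heuristic rules over process-creation records of the kind Sysmon Event ID 1 produces, flagging a script interpreter started directly by a browser, or a script host executing a file out of a download or temp directory. The browser and script-host image names and the directory list are assumptions about a typical Windows endpoint, and the sample events are constructed, not real telemetry.

```python
"""Heuristic detection of a user running a fake browser "update".

Added example (not Arctic Wolf's code). Rules, image names and directory
patterns are assumptions about a typical Windows endpoint; SAMPLE_EVENTS are
constructed records, not real logs.
"""
import ntpath
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed common browser and script-host binaries on a Windows client.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
# Directories a browser download or archive extraction usually lands in.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (fields Sysmon Event ID 1 also carries)."""
    parent_image: str
    image: str
    command_line: str


def _image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def _arguments(command_line: str) -> List[str]:
    # Non-POSIX mode keeps Windows backslashes literal and quoted paths as one token.
    return [tok.strip('"') for tok in shlex.split(command_line, posix=False)[1:]]


def classify(event: ProcessEvent) -> Optional[str]:
    """Return the name of the rule an event triggers, or None if it looks benign."""
    parent, child = _image_name(event.parent_image), _image_name(event.image)
    # Rule 1: the browser itself launched a script interpreter. A genuine browser
    # update never does this; opening a downloaded script from the download bar does.
    if parent in BROWSERS and child in SCRIPT_HOSTS:
        return "browser_spawned_script_host"
    # Rule 2: a script host is running a script file from a download or temp
    # directory, whatever launched it (e.g. explorer.exe after a double-click).
    if child in {"wscript.exe", "cscript.exe", "mshta.exe"}:
        for arg in _arguments(event.command_line):
            ext = ntpath.splitext(arg)[1].lower()
            if ext in SCRIPT_EXTENSIONS and any(d in arg.lower() for d in USER_WRITABLE_DIRS):
                return "script_run_from_user_writable_dir"
    return None


def detect(events: List[ProcessEvent]) -> List[Tuple[str, ProcessEvent]]:
    """Return (rule, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule is not None:
            hits.append((rule, ev))
    return hits


# Constructed sample telemetry: the first two events mirror the fake-update
# path (script downloaded via the browser, then executed); the rest are normal.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Update.js"'),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Chrome_Update.js"'),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\cscript.exe",
                 r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule}: {ev.parent_image} -> {ev.command_line}")
```

Administrative scripts run from system directories (the `slmgr.vbs` event) do not match either rule, which keeps the noise down, but any real deployment should be tuned against the organization's own baseline: software deployment tools that legitimately run scripts from temp directories will need an allow-list.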
About Arctic Wolf

Arctic Wolf is a global leader in operational cybersecurity, helping companies reduce the risk of cyberattacks. Arctic Wolf’s cloud-based security platform, Aurora, combines artificial intelligence with world-leading security expertise to offer 24/7 monitoring, countermeasures, and risk management. We make security work!


Post by Thibault Helle.