A personalized hacker attack is underway against Babel editor Glib Gusev. Hereʼs what it looks like

Author:
Glib Gusiev
Editor:
Kateryna Kobernyk

Hackers are trying to attack the editorial office of Babel. Photo is illustrative, generated by AI.

«Babel'»

On the afternoon of June 18, a letter from the email address james***[email protected], signed by the name Igor D****yuk, arrived at Glib Gusev’s personal email. The sender wrote that he had received contact from a person named Serhiy S***r.

Referring to the recommendation of this Serhiy, he asked for help in spreading the information. Based on the initial data of the letter, it was difficult not to suspect an attempted phishing attack, especially considering that Glib Gusev did not know people with such surnames.

The “information” he was asked to distribute looked like this. “I am an infantryman of the 2nd assault battalion of the *** separate assault brigade”, the sender reported.

“In our battalion, the commander demands that all infantrymen give 30% of their combat pay every month…”

He then described the difficult situation of the unit, wrote that he had “lost his boxes of correspondence, payments, and all this dirty accounting”, and said that he was ready to “share the evidence”.

The unit to which the sender referred is one of the most famous in the assault troops of the Armed Forces of Ukraine. This unit featured in a high-profile article by Glib Gusev two months ago, which collected 130 000 views.

It was clear that the attacking party chose the method of "social engineering", studied the work of the Babel editor and tailored the attack specifically to the profile of the target.

At the end of the letter, as expected, there was a link to an external resource, a folder on the fex.net service.


The Babel team analyzed the content of the malware in an isolated environment.

The link led to an archive, and in the archive were two “office” documents with macro programs, 25 MB and 27 MB in size. They were “fresh”, created that morning. Using a cryptographic algorithm, we obtained the so-called “hash sum” of each file.

That is, a string of letters and numbers that is unique to each file. No matching “hash sum” was found in the open malware database. This meant that the attacking script was probably personalized.

Next, we studied the code of the macro programs. That is, we read and analyzed it without running the macros themselves. It turned out that the files were of the “dropper” type.

They were supposed to “unpack” a separate program onto the computer and run it in the background. That program was supposed to silently observe and collect information.
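The static triage described above (hashing each file and checking for macro content without opening the documents), as an added example that is not Babel's own tooling. It assumes the archive is a ZIP; the file names, the size cap and the sample contents are constructed for illustration.

```python
import hashlib, io, zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container
MAX_MEMBER = 64 * 1024 * 1024  # assumed cap on declared size, against zip bombs

def classify(data: bytes) -> str:
    """Classify by structure only; the document is never opened or executed."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"  # may hold VBA streams; needs a macro extractor
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as doc:
                names = [n.lower() for n in doc.namelist()]
        except zipfile.BadZipFile:
            return "corrupt-zip"
        has_vba = any(n.endswith("vbaproject.bin") for n in names)
        return "ooxml-with-vba" if has_vba else "ooxml-no-vba"
    return "unknown"

def triage(archive: bytes) -> list:
    """One record per file in a ZIP archive; members are read in memory only."""
    records = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            rec = {"name": info.filename, "size": info.file_size,
                   "modified": info.date_time}  # timestamp stored in the archive
            if info.file_size > MAX_MEMBER:
                rec["kind"] = "skipped-too-large"
            else:
                data = zf.read(info)
                rec["sha256"] = hashlib.sha256(data).hexdigest()
                rec["kind"] = classify(data)
            records.append(rec)
    return records

def build_sample() -> bytes:
    """Constructed sample: harmless placeholder bytes, no real macro code."""
    def make_zip(members: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, body in members.items():
                z.writestr(name, body)
        return buf.getvalue()
    docm = make_zip({"word/document.xml": b"<w/>", "word/vbaProject.bin": b"stub"})
    docx = make_zip({"word/document.xml": b"<w/>"})
    return make_zip({"report.docm": docm, "plain.docx": docx,
                     "old.doc": OLE2_MAGIC + bytes(16)})
```

The `sha256` values are what would be searched for in a malware database. An `ooxml-with-vba` or `ole2-legacy` result marks a file whose macro code should be read statically before anyone opens it.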

The editorial office of Babel reported the personalized hacker attack to CERT-UA.

This is a special “rapid response group” for cyber threats, which belongs to the State Service for Special Communications and Information Protection (SSCIP). The specialists confirmed to us the malicious nature of the files and are continuing their analysis.

We will add a detailed comment from CERT-UA to this news when we receive it. Taking this opportunity, the editorial office recommends a worthy interview with a cybersecurity specialist who works there.

Message from CERT-UA.

«Babel'»

According to the data available to the editorial staff of Babel, it is impossible to identify the author of the attack. We do not know who organized it. The day before, on June 17, MP Yaroslav Zheleznyak stated in his Telegram channel that Babel was hiding its real owners, and called for sending him “detailed information”.

“I will engage in media killing,” he wrote. Today, he dedicated two posts to Babel in his Telegram channel, without voicing his claims in substance.

Screenshot of Yaroslav Zheleznyakʼs Telegram channel.


Correcting the error

In the first version of the material, we wrote that Yaroslav Zheleznyak today “dedicated four posts to Babel in his Telegram channel, without voicing his claims in substance.” In fact, that day he dedicated only two posts to us. He dedicated four posts to us between June 16 and 18. We apologize to our readers.
