Ukraine Hackers Claimed Cyberattack on Major Russian Drone Supplier
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Last week, Ukraine\u2019s Main Intelligence Directorate (GUR) orchestrated a sophisticated cyberattack against Gaskar Integration, a leading Russian drone manufacturer.<\/p>\n
The operation began with reconnaissance of the company\u2019s public-facing infrastructure, where threat actors identified vulnerable remote desktop services and outdated VPN gateways.<\/p>\n
Leveraging a zero-day in a third-party web application firewall, the attackers gained initial foothold within the corporate network. Once inside, they deployed custom malware<\/a> that exploited Windows Management Instrumentation (WMI) to execute lateral movement and harvest credentials.<\/p>\n Hromadske analysts noted<\/a> that the malicious payload incorporated a dual-stage loader written in C++ and PowerShell.<\/p>\n The first stage established persistence via a malicious WMI subscription, while the second stage decrypted a reverse-shell implant in memory.<\/p>\n Communications were tunneled over TLS<\/a> using forged certificates that mimicked the company\u2019s own public key infrastructure.<\/p>\n The malware\u2019s command-and-control (C2) infrastructure was hosted on compromised industrial control system servers, further complicating attribution and takedown efforts.<\/p>\n By the time defenders detected anomalous network traffic, the attackers had exfiltrated more than 47 TB of technical data, including drone design schematics, production logs, and employee records.<\/p>\n All backup copies on the victim\u2019s servers were irreversibly deleted, effectively crippling Gaskar\u2019s manufacturing and accounting operations.<\/p>\n Workers were locked out of production software and physical access systems, with only fire exits remaining functional.<\/p>\n Hromadske researchers identified key modules of the implant by reverse-engineering its unpacker.<\/p>\n The malware\u2019s infection mechanism hinged on the exploitation of a WAF bypass<\/a>. After gaining access, the attackers uploaded a tiny dropper\u2014less than 15 KB\u2014that executed a Base64-encoded PowerShell one-liner.<\/p>\n This script reached out to a hard-coded C2 domain, downloaded an encrypted payload<\/a>, and invoked it entirely in memory to evade disk-based detection.<\/p>\n The persistent WMI event filter was crafted as follows:-<\/p>\n This ensures execution on every system clock tick, granting the implant high survivability even after reboot.<\/p>\n Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams ->\u00a0Try ANY.RUN Now<\/a><\/strong><\/p>\n The post Ukraine Hackers Claimed Cyberattack on Major Russian Drone Supplier<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nInfection Mechanism<\/strong><\/h2>\n
$filter = Set-WmiInstance -Namespace rootsubscription -Class __EventFilter `\n -Arguments @{\n Name = \"SysUpdateFilter\"\n EventNameSpace = \"rootcimv2\"\n QueryLanguage = \"WQL\"\n Query = \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime'\"\n }\nSet-WmiInstance -Namespace rootsubscription -Class __FilterToConsumerBinding `\n -Arguments @{\n Filter = $filter\n Consumer = $consumer\n }<\/code><\/pre>\n