Blog / News | 14 Dec 2023
Author: Samir Yawar
9 min read

Kyivstar, Russian Tax Agency and BazarCall Attacks dominate headlines

Take a look at the newest cybersecurity news and incidents that made headlines in the run up to December 15, 2023.

This week, we saw a rise in cyber attacks by warring nation-states as well as a new threat vector that makes phishing detection by traditional anti-phishing tools difficult. We go into detail regarding how the Kyivstar, Russian Tax Agency, and BazarCall Attacks unfolded.

Cybersecurity News Roundup for Dec 15, 2023


These cybersecurity developments affected the lives of millions of people this week:

Ukraine Telecoms Provider Kyivstar hit by cyber attacks

Kyivstar, the largest telecommunications provider in Ukraine with more than 25 million mobile and home internet subscribers, has suffered a cyberattack that knocked out mobile and data services.

Kyivstar's official website remains inaccessible. The company told subscribers through its social media channels that it fell victim to a cyberattack earlier in the week, causing a technical failure that disrupted mobile communication and internet access.

[Image: screenshot of Kyivstar's Facebook post informing customers about the cyber attack | Source: Facebook]

Kyivstar has reported the incident to law enforcement agencies and various state services. The Security Service of Ukraine (SSU) has initiated criminal proceedings under 8 articles of the Ukrainian criminal code and has announced the involvement of its special agents in the ongoing investigations.

Independent internet observatory NetBlocks has verified that Kyivstar's internet services are presently inaccessible.

Given the ongoing war between Ukraine and Russia, statements from the SSU and Kyivstar's CEO point to Russian state-backed hackers as the likely culprits. Attribution has not been officially confirmed at the time of writing, however, and no group has been publicly named.

Russia’s Tax Agency Taken Down by Ukrainian Military Hackers

Ukraine's military intelligence service has claimed responsibility for a cyber intrusion into the Russian Federal Taxation Service (FNS). According to its statement, the operation wiped the agency's database along with its backup copies.

In the course of the operation, carried out by cyber units affiliated with Ukraine's Defence Intelligence, operators reportedly gained access to the central servers of the FNS as well as 2,300 regional servers located both in Russia and in occupied Ukrainian territory.

All affected FNS servers were reportedly infected with malware, and a parallel attack hit the Russian IT company that provides data center services to the FNS. The intrusion is said to have deleted the configuration files on which Russia's nationwide taxation system depends, resulting in the erasure of both the primary database and its backups.

According to Ukraine's Main Directorate of Intelligence (GUR), the attack severed communication between the FNS central office in Moscow and the 2,300 territorial departments that were compromised alongside it.

GUR asserts that this amounts to a near-total collapse of one of Russia's key government agencies, with a substantial loss of tax data. GUR also claims that internet traffic carrying Russian tax data is now under the control of its military hackers. As with most wartime cyber claims, these figures come from one side of the conflict and have not been independently verified.

Google Forms used to launch phishing emails in BazarCall Attack

The latest wave of BazarCall attacks uses Google Forms to generate and deliver fake payment receipts to victims. Because the receipt is sent by Google itself, the phishing email looks far more legitimate than a message sent from attacker-controlled infrastructure.

BazarCall, initially identified in 2021, is a phishing attack strategy that involves sending deceptive emails designed to mimic payment notifications or subscription confirmations from reputable entities such as security software providers, computer support services, streaming platforms, and other widely recognized brands.

How does the new BazarCall attack work?

Within these emails, recipients are informed that they are being automatically enrolled in an exceedingly expensive subscription and are advised to cancel it promptly if they wish to avoid charges.

Rather than providing a link to a website, the email has historically featured a phone number that purportedly connects to a customer service representative for the named brand. Recipients are encouraged to call this agent to dispute the charge or cancel the subscription.

[Image: the Google Forms sample used to launch the BazarCall attack | Source: Google Forms]

Upon calling the number, victims reach a cybercriminal posing as a customer support representative, who walks them step by step through "cancelling the subscription", a process that actually ends with the victim installing malware on their own computer.

The malware historically associated with this scheme is BazarLoader. As the name implies, BazarLoader is a first-stage loader: its job is to fetch and run additional payloads on the victim's system, giving the attacker a foothold to expand from.

According to reports from email security firm Abnormal, a new variant of the BazarCall attack has surfaced, now leveraging Google Forms in its deceptive tactics.

Google Forms is a freely available online tool that enables users to create customized forms and quizzes, integrate them on websites, and share them with others.

In the updated attack, the attacker builds a Google Form containing fabricated details of a non-existent transaction: an invoice number, date, payment method, and other information about the supposed product or service used as bait.

The attacker then enables the "response receipt" option in the form settings, which makes Google email a copy of the submitted responses to the email address entered in the form. The attacker fills in the form themselves and supplies the target's address as the respondent's email. Google then delivers a seemingly authentic payment confirmation, formatted as a completed form, to the target directly from Google's own servers.

What makes the new attack difficult to detect?

Because Google Forms is a legitimate service and the message really is sent by Google, sender-reputation and authentication checks such as SPF and DKIM pass. Traditional email security tools that key on a bad sending domain or a known-malicious link have nothing to flag, so the phishing email lands in the inbox.

The message's apparent legitimacy is reinforced by its origin from a genuine google.com sender address, which adds a further layer of credibility to the lure.

The invoice copy in the email contains a phone number controlled by the threat actor. Recipients are told to call it within 24 hours of receiving the email to dispute the charge, which introduces the sense of urgency that drives victims to act before thinking.

While Abnormal's report doesn't delve into the subsequent stages of the attack, it is worth noting that BazarCall has been historically employed to gain initial access to corporate networks, often serving as a precursor to ransomware attacks.
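Since the sender, SPF and DKIM are all genuine in this variant, detection has to rest on the content of the receipt rather than on who sent it. The following is an added example (not code from Abnormal or from the original article) of the kind of content-based triage a mail-security team could bolt onto a Google Forms receipt: it checks whether the message is a form receipt from a google.com sender, carries a callback phone number, uses payment and urgency language, and links nowhere except Google. The two sample messages are constructed for the example, and the sender address in them is a placeholder, not the real Google Forms receipt address; the phone-number pattern assumes North American numbers, which is what BazarCall lures typically use.

```python
"""Heuristic triage for Google Forms 'response receipt' callback phishing.

Added example, not part of the original article. The sample messages and the
sender address below are constructed placeholders.
"""
import email
import re
from email import policy

# Assumption: North American style callback numbers, as in typical BazarCall lures.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)
PAYMENT_TERMS = ("invoice", "receipt", "payment", "subscription", "charged", "renew")
URGENCY_TERMS = ("24 hours", "within 24", "immediately", "dispute", "cancel")
LINK_HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)")


def _body_text(msg):
    """Return the message body as plain text (HTML tags stripped)."""
    part = msg.get_body(preferencelist=("plain", "html"))
    if part is None:
        return ""
    text = part.get_content()
    if part.get_content_type() == "text/html":
        text = re.sub(r"<[^>]+>", " ", text)
    return text


def _from_domain(sender: str) -> str:
    if "@" not in sender:
        return ""
    return sender.rsplit("@", 1)[-1].strip(" >").lower()


def triage(raw: str) -> dict:
    """Score a raw RFC 5322 message for BazarCall-style form-receipt phishing."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _from_domain(msg.get("From", ""))
    body = _body_text(msg)
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    # Every link host that is not Google. A real merchant receipt links to the
    # merchant; a form receipt only links back to docs.google.com.
    hosts = LINK_HOST_RE.findall(body)
    external = [h for h in hosts
                if not (h.lower() == "google.com" or h.lower().endswith(".google.com"))]
    numbers = sorted(set(m.group(0).strip() for m in PHONE_RE.finditer(body)))

    indicators = {
        # The sender genuinely is Google: that is the trick, so it counts as an
        # indicator only in combination with the content signals below.
        "forms_receipt": from_domain == "google.com" and "form" in text,
        "phone_number": bool(numbers),
        "payment_language": any(t in text for t in PAYMENT_TERMS),
        "urgency": any(t in text for t in URGENCY_TERMS),
        "no_external_link": not external,
    }
    flagged = (indicators["forms_receipt"] and indicators["phone_number"]
               and (indicators["payment_language"] or indicators["urgency"]))
    return {
        "flagged": flagged,
        "score": sum(indicators.values()),
        "indicators": indicators,
        "callback_numbers": numbers,  # pivot points for blocking / hunting
    }


# Constructed sample: a form receipt dressed up as a subscription invoice.
PHISH_RECEIPT = """\
From: Google Forms <noreply@google.com>
To: victim@example.com
Subject: Order Confirmation
Content-Type: text/plain; charset=utf-8

Google Forms
Thanks for filling in Order Confirmation. Here's what was received.
Product: Premium Security Plan (1 year)
Invoice number: INV-48213
Payment method: Credit card
Amount: $399.99
Your subscription has been renewed and your card has been charged.
If you did not authorize this payment, call our billing desk at
+1 (888) 555-0142 within 24 hours to dispute the charge.
Edit your response: https://docs.google.com/forms/d/e/FORMID/viewform
"""

# Constructed sample: an ordinary, harmless form receipt.
BENIGN_RECEIPT = """\
From: Google Forms <noreply@google.com>
To: employee@example.com
Subject: Team Offsite Survey
Content-Type: text/plain; charset=utf-8

Google Forms
Thanks for filling in Team Offsite Survey. Here's what was received.
Preferred date: 18 January
Dietary preference: vegetarian
Edit your response: https://docs.google.com/forms/d/e/FORMID/viewform
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_RECEIPT), ("benign", BENIGN_RECEIPT)):
        print(name, triage(sample))
```

The verdict deliberately requires the phone number: a Google Forms receipt with payment wording but no callback number is far more likely to be a real order form, and alerting on it would bury the analyst in noise. The extracted numbers are the most useful artifact for response, since the attacker's phone number is shared across many lures and can be searched for in mail logs and blocked at the gateway.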

Samir Yawar / Content Lead
Samir wants a world where people can instinctively whack online scams and feel accomplished without the need for psychic powers. As an ISC2 member, he is doing his bit to turn cybersecurity awareness training into a fun concept with simple, approachable and accessible content. Reach out to him at X @yawarsamir