
Trojanized Windows 10 installers compromised the Ukrainian government

A girl writes on a Ukrainian flag as people look at an exhibition of tanks and military equipment on display Oct. 7, 2022, in Kyiv, Ukraine. (Photo by Ed Ram/Getty Images)

New research found a modified version of Windows 10 being distributed on popular Eastern European torrenting sites targeting Ukrainian entities, shining a light on growing supply chain risks associated with pirated software.

According to Mandiant, the operation leveraged trojanized ISO files masquerading as legitimate Windows 10 Operating System installers on torrenting sites — a peer-to-peer file-sharing platform popular for software piracy — and stole information from users who downloaded the malicious code.  

Mandiant said in a Dec. 15 post that the threat activity (tracked as UNC4166) was likely targeting Ukrainian entities because the trojanized files used a Ukrainian language pack and were distributed primarily on a Ukrainian torrent tracker. 

Tyler McLellan, principal threat analyst at Mandiant, told SC Media that the team has observed three Ukrainian government entities being compromised by the operation. 

While the threat actor remains unknown, Mandiant suspected that the hackers are associated with Russia's main military intelligence unit, known as the GRU, because some victim organizations overlapped with ones that the GRU-associated group APT28 has previously targeted.

Mandiant added that the operation does not appear to have any financial motivation and is more likely intended to serve the Kremlin's intelligence-gathering purposes.

"The use of trojanized ISOs is novel in espionage operations and the included anti-detection capabilities indicate that the actors behind this activity are security conscious and patient, as the operation would have required significant time and resources to develop and wait for the ISO to be installed on a network of interest," Mandiant explained in the blog post.

While the research highlighted continuing supply chain risks from alleged Russian-backed hackers, it also revealed Ukraine's limited ability to defend its cyber landscape given the widespread use of unlicensed software in Eastern Europe.

"Pirated software is obtained and distributed illegally, which means there is no way to guarantee where it's coming from or what else it may contain. Often, file-sharing sites that offer pirated software have no verification or security scanning software in place to ensure the content is safe. Couple that with the fact that software is most frequently distributed in the form of portable executable files, which run with escalated privileges on an operating system, and it becomes clear just how dangerous it is to mess with," said Jerrod Piker, competitive intelligence analyst at Deep Instinct.

The widespread use of pirated software has been an unsolved issue for years in Eastern Europe as people there cannot afford licensed applications, said Andrew Barratt, vice president at Coalfire.  

Mike Parkin, senior technical engineer at Vulcan Cyber, added that though it is concerning from the security and business perspective, it is understandable why organizations would be comfortable with the known risk given the high cost of some applications.

While the long-term issue is hard to eradicate from the user end, SC Media reached out to Microsoft asking whether it provides any free or discounted software licenses for Ukrainians. A Microsoft spokesperson said that the company announced last month that it will provide an additional $100 million in technology aid, including implementation, to Ukraine through calendar year 2023.

Increasing software supply chain risks associated with pirated software do not affect only Ukraine. According to a Kaspersky report in October, 18% of medium-sized U.S. businesses (50 to 999 employees) are ready to use pirated alternatives to business software to decrease IT spending due to the economic downturn.

"With the current rate of inflation, renewing licenses on software can become a much larger burden. No doubt this trend will continue as inflation continues to shrink revenues around the globe," Piker said.

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and the Jack Modzelewski Scholarship Fund.
