Confirmed Russian Cyberattacks Trigger New Alerts in Windows Security
With at least seven recorded operations since 2022, threat intelligence experts have noted an increase in activity from the Paper Werewolf cluster, also known as GOFFEE. The group uses malicious Word documents to compromise Microsoft Windows machines, primarily for espionage and credential theft.
The Increased Activities of Paper Werewolf
BI.ZONE's threat intelligence team, whose global advisory board includes Interpol and the International Committee of the Red Cross, reported in a December 25 technical bulletin a rise in Paper Werewolf's operations. These attacks have predominantly targeted Russian government, energy, financial, and media organizations, among others. Over 2024, espionage accounted for 21% of attacks against Russian companies, up from 15% the previous year. A more worrying trend is that, once the initial credential compromise and espionage goals are met, Paper Werewolf has begun disrupting its targets' infrastructure as well, apparently out of spite.
According to Oleg Skulkin, head of threat intelligence at BI.ZONE, once the adversaries infiltrate a victim's IT infrastructure for data collection purposes, they also cause some operational disruption. They accomplish this by altering employee account passwords, a tactic often used by "financially motivated actors when extorting ransom for restoring access to company assets" or by hacktivists aiming for maximum public attention.
The Windows Werewolf Attack Methodology
Like many other campaigns, Paper Werewolf relies on phishing emails and brand impersonation to deliver its payload. The messages carry a Word document whose content is stored in encrypted form, so the recipient is told to enable macros in order to read it. If the recipient complies, the macro decrypts the document's content and, in the same step, installs the malware on the device. In some instances the analysts observed the deployment of PowerRAT, a PowerShell-based remote access trojan that lets the attackers execute commands and conduct reconnaissance. The group also used a custom tool to harvest credentials as users authenticate to the Outlook Web Access service. As the report notes, "By using their own tools, the attackers make it more challenging for corporate defenses to identify the malicious activity."
If there is a remedy for this Windows Werewolf attack, it lies in the fundamentals of phishing awareness: do not open unsolicited documents, do not enable macros, and use threat intelligence to understand how threat actors adapt their tradecraft to specific infrastructures. I would also encourage everyone to look into this insightful dialog about the changes needed if we ever hope to eradicate the email phishing threat. Microsoft has been contacted for comment.
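Since the lure depends entirely on a Word attachment that carries a VBA project, the single most useful gateway-side check is to detect that project before the document ever reaches a user who might click "Enable Content". The script below is an added example written for this article, not BI.ZONE's or Microsoft's code: it inspects an attachment's bytes, recognises the two container formats Word uses (OOXML zip and the legacy OLE2 compound file), and flags any document that embeds macros, with an extra flag when a macro-bearing OOXML file hides behind a plain `.docx` extension. The sample documents are constructed in memory and are not real Paper Werewolf artifacts; the OLE2 check is a byte-pattern heuristic on directory-entry names, not a full compound-file parser.

```python
"""Added example: triage Word attachments for embedded VBA macros (stdlib only)."""
import io
import zipfile

# OLE2 / Compound File Binary magic that begins every legacy .doc file.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory-entry names inside an OLE2 file are stored as UTF-16LE; a VBA
# project always carries a "_VBA_PROJECT" stream (heuristic, assumption).
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# OOXML main-part content type that Word assigns to macro-enabled documents.
MACRO_CONTENT_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def has_vba_macros(data: bytes) -> bool:
    """Return True if the bytes look like a Word document carrying a VBA project."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary .doc: look for the VBA project stream name.
        return OLE_VBA_MARKER in data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            # OOXML stores the compiled VBA project as a binary part.
            if "word/vbaProject.bin" in names:
                return True
            # Belt and braces: the content-types manifest also declares it.
            if "[Content_Types].xml" in names:
                return MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        pass  # not an OOXML container at all
    return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment; anything with macros is quarantined for review."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    macros = has_vba_macros(data)
    reasons = []
    if macros:
        reasons.append("vba-project-present")
        # A macro-enabled OOXML body under a .docx name is a disguise attempt.
        if ext == "docx" and not data.startswith(OLE_MAGIC):
            reasons.append("macro-content-under-docx-extension")
    return {
        "filename": filename,
        "macros": macros,
        "verdict": "quarantine" if reasons else "allow",
        "reasons": reasons,
    }


def build_sample_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal OOXML container as sample input (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = MACRO_CONTENT_TYPE.decode() if with_macros else PLAIN_CONTENT_TYPE
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA blob
    return buf.getvalue()


def build_sample_ole(with_macros: bool) -> bytes:
    """Construct a fake OLE2 header plus directory bytes as sample input."""
    body = b"\x00" * 64 + "WordDocument".encode("utf-16-le")
    if with_macros:
        body += b"\x00" * 16 + OLE_VBA_MARKER
    return OLE_MAGIC + body


if __name__ == "__main__":
    samples = [
        ("report.docm", build_sample_ooxml(True)),
        ("report.docx", build_sample_ooxml(True)),   # renamed macro document
        ("report.docx", build_sample_ooxml(False)),
        ("legacy.doc", build_sample_ole(True)),
        ("legacy.doc", build_sample_ole(False)),
    ]
    for name, blob in samples:
        print(triage_attachment(name, blob))
```

Run as a script it prints one verdict per constructed sample; in a real gateway you would call `triage_attachment` on each decoded MIME part and route "quarantine" results to an analyst queue rather than deleting them, so that the lure documents can be fed back into threat intelligence.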
- Paper Werewolf, also known as GOFFEE, has been linked to at least seven operations since 2022 and is primarily an espionage and credential-theft cluster targeting Russian government, energy, financial, and media organizations.
- Initial access is a phishing email carrying a Word document whose content is only decrypted once the recipient enables macros; the same macro installs the malware, which in some cases is the PowerRAT remote access trojan.
- The group also uses a custom tool to harvest credentials as users authenticate to Outlook Web Access, and BI.ZONE notes that custom tooling is harder for corporate defenses to recognise.
- Beyond espionage, the attackers have begun disrupting operations by changing employee account passwords, a tactic more typical of extortion-driven actors and hacktivists.
- The mitigation is the familiar one: do not open unsolicited documents, keep macros disabled, and use threat intelligence to track how the group's tradecraft changes. Microsoft has been contacted for comment.