Sandworm, one of Russia's most capable state hacking groups, has started borrowing a technique that until recently belonged mainly to financially motivated criminals.
Ukraine's CERT issued a warning Wednesday that Sandworm - the offensive cyber unit of the GRU, Russia's military intelligence agency - has been running Clickfix attacks against Ukrainian organizations since spring, with the campaign continuing through the summer. The method uses attacker-controlled websites that display a fake CAPTCHA, instructing visitors to copy a PowerShell command and paste it into their terminal. Ukrainian authorities identified 10 compromised websites used in the campaign. At least one organization suffered a network breach after a connected device was found infected with FreakyPoll, one of Sandworm's custom malware packages; the campaign also involves tools the group has named GhettoVibe and ScoutCurl.
Clickfix has been effective precisely because it sidesteps conventional defenses by manipulating the user directly. That a group with Sandworm's resources and technical depth is reaching for a technique popularized by financially motivated criminals suggests the approach works well enough to clear the bar for nation-state operations - and it complicates attribution by blending into a noisy background of lower-tier threat activity.
Sandworm has been linked to some of the most damaging cyberattacks on record, including the 2015 and 2016 assaults on Ukraine's power grid and the NotPetya wiper campaign. Adding commodity-adjacent social engineering to that toolkit is either a sign of how effective Clickfix has become, or a deliberate move to muddy the forensic trail - likely both.