Ukrainian media have been hit by the industrial-grade Win32/Potao malware ever since the "Revolution of Dignity". The ProtectMaster team actively engages with different groups of journalists: those who have already been affected and those who were at risk.
We managed to obtain the virus's source code. It is well crafted, similar to the widely known Stuxnet and BlackEnergy viruses that attacked nuclear and power plants. Unlike them, Win32/Potao is designed for data theft and cyber espionage.
The Potao virus was used in large-scale cyber attacks against specific targets. A personalised message was used to deliver the virus to each victim. This is how the Ukrainian journalists were attacked in February 2015: the attackers registered a domain for a fictitious delivery service, MNTExpress, copying the Pony Express website design.
How did the attack happen? The attackers sent an SMS message from the non-existent delivery service. It reported that a package had just arrived and that the recipient had to visit the site and enter a code to get the delivery details. After entering the code, the user was prompted to download a document with the relevant information. Once the document was opened, a so-called dropper infected the computer and sent its data to the attacker.
Thanks to a timely response and an understanding of the attack mechanism, our experts prevented a large-scale data leak from Ukrainian journalists.