Ukraine Records Cyberattack on Armed Forces, Defense Enterprises
Ukraine’s cybersecurity agency has discovered malicious activities from a criminal group targeting its armed forces and defense enterprises.
Released by the Computer Emergency Response Team of Ukraine (CERT-UA), the update revealed a campaign in which phishing emails disguised as legitimate invitations to a military conference held in Kyiv in early December were sent to victims.
The instances were attributed to an unnamed group tagged as UAC-0185 or UNC4221, which has been active since 2022 following Russia’s invasion of Ukraine the same year.
CERT-UA said that the approach leads to the download and launch of a program classified as a remote agent, which secretly connects the attacker to the affected device. The software then deletes some of its download traces after the initial steps are completed.
“The email contained a hyperlink saying ‘The attachment contains important information for your participation,’” a statement from the Ukrainian Service for Special Communications and Information Protection said.
“Clicking on this link and then opening the attached files could lead to infection of your computer.”
⚡️CERT-UA detected a new series of phishing attacks by the UAC-0185 group. These hackers have been active since 2022, mostly focusing on stealing accounts in messaging apps & Ukrainian military systems like DELTA or Kropyva.
Learn more 👉 https://t.co/RRx2DVZcI3 #cybersec #hacker
— SSSCIP Ukraine (@SSSCIP) December 9, 2024
Threat Actor UAC-0185
Since its first detection, UAC-0185 has been implicated in stealing credentials for messaging applications such as Telegram, Signal, and WhatsApp, as well as for local military systems including Kropyva, Teneta, and Delta.
The group has already been linked to unauthorized remote access of military enterprises and defense force users in previous investigations, according to CERT-UA.
In June, the Ukrainian government published a separate report on a pro-Russian cyber group operating with a similar method and purpose.
Another large-scale campaign was detected in September 2023, which was associated with unauthorized access to data on war crimes that Russia had allegedly committed against Ukraine.
Bolstering Cyber Posture
Kyiv revealed its intent in October to establish an armed forces branch focusing on the cyber domain in response to the surge of digital assaults experienced since Moscow’s invasion.
This followed military aid provided in January by ally Denmark to fund Ukraine’s cyber defense capabilities and repair related infrastructure amid Russia’s aggression.
In late 2023, Ukraine launched a competency program to hone the skills of troops against cyber disruptions.