Full Report
The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that no less than three cyber attacks were recorded against state administration bodies and critical infrastructure facilities in the country with an aim to steal sensitive data. The campaign, the agency said, involved the use of compromised email accounts to send phishing messages containing links pointing to legitimate
Analysis Summary
# Incident Report: WRECKSTEEL Malware Attacks Targeting Ukrainian State Systems
## Executive Summary
CERT-UA reported a series of cyberattacks targeting three Ukrainian state administration bodies and critical infrastructure facilities with the goal of stealing sensitive data. The attackers utilized sophisticated phishing campaigns, leveraging compromised email accounts and legitimate services (DropMeFiles, Google Drive) to deliver the WRECKSTEEL malware, a VBS loader combined with PowerShell scripts, leading to file harvesting. The campaign, attributed to threat cluster UAC-0219, has been active since at least Fall 2024.
## Incident Details
- **Discovery Date:** April 4, 2025 (public reporting date)
- **Incident Date:** Ongoing since at least Fall 2024
- **Affected Organization:** State administration bodies and critical infrastructure facilities in Ukraine
- **Sector:** Government, Critical Infrastructure
- **Geography:** Ukraine
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing since Fall 2024 (earliest known activity)
- **Vector:** Phishing via compromised email accounts.
- **Details:** Attackers sent malicious emails impersonating Ukrainian government agencies, often claiming threats like salary cuts, to induce urgency and prompt clicks. Links were embedded in the email body or within PDF attachments, directing victims to legitimate file-sharing services like DropMeFiles and Google Drive. Early iterations used EXE binaries.
### Lateral Movement
- **Details:** Not explicitly detailed. After the initial malware execution, later stages involved PowerShell scripts running commands consistent with discovery and data collection rather than movement to other hosts.
### Data Exfiltration/Impact
- **Details:** The primary objective was to steal sensitive data. The executed malware components were capable of harvesting files matching specific extensions and capturing screenshots.
### Detection & Response
- **How it was discovered:** Reported by the Computer Emergency Response Team of Ukraine (CERT-UA).
- **Response actions taken:** CERT-UA analysis and public reporting of the activity and malware characteristics.
## Attack Methodology
- **Initial Access:** Phishing links delivered via compromised email accounts, often pointing to DropMeFiles or Google Drive hosting a VBS loader.
- **Persistence:** Not explicitly detailed. The reported chain (VBS loader, then PowerShell) runs when the user interacts with the lure; no persistence mechanism is described.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Used legitimate services (DropMeFiles, Google Drive) for initial delivery to bypass perimeter defenses; VBS loader disguised initial execution.
- **Credential Access:** Not explicitly detailed, though screenshot capture could indirectly expose credentials displayed on screen.
- **Discovery:** PowerShell script capable of harvesting files with specific extensions and capturing screenshots.
- **Lateral Movement:** Not explicitly detailed.
- **Collection:** File harvesting based on extensions and screenshot capture.
- **Exfiltration:** Implied as the ultimate goal, though the specific exfiltration channel is not detailed in the source.
- **Impact:** Theft of sensitive data from targeted state and critical infrastructure systems.
## Impact Assessment
- **Financial:** Not detailed.
- **Data Breach:** Sensitive data from state administration bodies and critical infrastructure facilities, scope (volume/type) not specified.
- **Operational:** Potential disruption to targeted government and infrastructure entities due to ongoing reconnaissance and data theft.
- **Reputational:** Damage to public trust in the security of state systems.
## Indicators of Compromise
*(Note: IoCs are not explicitly listed in the source text, only tool names.)*
- **Network indicators:** Not detailed; no command-and-control infrastructure is disclosed in the source.
- **File indicators:** WRECKSTEEL (VBS loader and PowerShell malware).
- **Behavioral indicators:** Use of VBS script to fetch and execute PowerShell payload; execution of file harvesting commands; screenshot capturing.
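The behavioral indicator above (a VBS script host spawning PowerShell that fetches a payload) can be checked against process-creation telemetry. The following is an added example, not code from the CERT-UA report; the Sysmon-style records and the `example.invalid` URL are constructed for illustration.

```python
"""Flag WRECKSTEEL-style behaviour: a VBS script host (wscript.exe / cscript.exe)
spawning PowerShell, optionally with a URL in the command line (fetch stage)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hosts that execute a .vbs loader; PowerShell launched from them is suspicious.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# A URL in the PowerShell command line suggests the loader is fetching a payload.
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)

@dataclass
class ProcEvent:
    """Minimal process-creation record (fields mirror Sysmon Event ID 1)."""
    parent_image: str
    image: str
    command_line: str

def exe_name(path: str) -> str:
    """Return the lower-case basename of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: ProcEvent) -> Optional[str]:
    """Return a finding label, or None when the event does not match."""
    parent, child = exe_name(event.parent_image), exe_name(event.image)
    if child in POWERSHELL and parent in SCRIPT_HOSTS:
        if URL_RE.search(event.command_line):
            return "vbs-loader-fetches-powershell"
        return "vbs-loader-spawns-powershell"
    return None

def find_findings(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (index, label) for every matching event."""
    return [(i, label) for i, e in enumerate(events) if (label := classify(e))]

# Constructed sample events (not real telemetry from the report).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\Downloads\report.vbs"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "... http://example.invalid/stage2 ..."'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe Get-ChildItem C:\logs"),
]

if __name__ == "__main__":
    for idx, label in find_findings(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

Only the second sample event matches: PowerShell run directly from cmd.exe is not flagged, which keeps the rule focused on the script-host parent this report describes.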
## Response Actions
- **Containment measures:** Not detailed in the source beyond CERT-UA's analysis and public notification.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Not detailed.
## Lessons Learned
- **Key takeaways:** Threat actors continue to use legitimate file-sharing services (DropMeFiles, Google Drive) as trusted download chains for malware delivery. Compromised legitimate inboxes remain a highly effective initial access vector.
- **What could have been done better:** Improved email filtering and stricter application control policies to prevent VBS/PowerShell execution from unexpected file types or locations.
## Recommendations
- **Prevention measures for similar incidents:**
1. Implement enhanced protective measures for VBScript and PowerShell execution, especially when triggered by email attachments or external links.
2. Review and strengthen controls on the use of cloud storage services linked in internal communications, and where possible deploy network egress filtering to block traffic to known malicious domains.
3. Enhance security awareness training focusing specifically on social engineering tactics involving false urgency (e.g., salary threats).
4. Implement robust endpoint detection and response (EDR) solutions capable of monitoring and blocking file harvesting activities and screenshot capture behaviors indicative of the WRECKSTEEL chain.