Google Details Recent Ukraine Cyberattacks

Over the past five months, Google has been tracking a financially motivated threat actor known as UAC-0098, which has been conducting multiple malicious campaigns targeting various entities in Ukraine and Europe.

The group’s activities closely align with those of Russian government-backed attackers, and Google’s Threat Analysis Group (TAG) believes that at least some of UAC-0098’s members are former members of the Conti ransomware gang.

UAC-0098 is widely known for using the IcedID banking trojan in attacks that led to the deployment of human-operated ransomware, having operated as an access broker for ransomware groups such as Quantum and Conti.

Recently, however, the threat actor has been targeting the Ukrainian government, various organizations in the country, and European humanitarian and non-profit organizations.

In late April, UAC-0098 was seen launching an email phishing campaign to deliver AnchorMail, a variant of the Anchor backdoor developed by the Conti group, which was previously installed as a TrickBot module.

The attacks appeared both financially and politically motivated, and also stood out because LackeyBuilder and batch scripts were used to build AnchorMail on the fly, Google says.

From mid-April to mid-June, the group was seen launching email campaigns targeting organizations in the hospitality industry in Ukraine with malware such as IcedID and Cobalt Strike.

In one campaign in May, the attackers sent phishing emails impersonating the National Cyber Police of Ukraine, while in another they used a compromised account of a hotel in India. The same email account was also used to target humanitarian NGOs in Italy, also with IcedID.

Also in May, UAC-0098 sent phishing emails impersonating representatives of Elon Musk and StarLink. Some of these emails targeted various Ukrainian organizations in the government, retail, and technology sectors.

In late May, the threat actor targeted the Academy of Ukrainian Press (AUP) with phishing emails linking to a malicious document on Dropbox, which would fetch a Cobalt Strike DLL. Organizations in the hospitality industry were also targeted by these emails.

In June, UAC-0098 was seen exploiting CVE-2022-30190, a Windows vulnerability also known as Follina. Google says it disrupted a spam campaign of more than 10,000 emails impersonating the State Tax Service of Ukraine, which ultimately fetched a Cobalt Strike beacon.
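Follina (CVE-2022-30190) is abused through Office documents that reference an external resource which in turn invokes the Windows ms-msdt: protocol handler. The following triage helper is an added example, not code from the article or from Google's report: it unpacks a .docx and flags external relationship targets and ms-msdt: references; the sample archives and the example.invalid URL are constructed for the test, not real lures.

```python
import io
import re
import zipfile

# Follina (CVE-2022-30190) lures are Office documents whose relationship part
# (e.g. word/_rels/document.xml.rels) points an OLE object at an external URL
# (TargetMode="External"); the fetched HTML then invokes the ms-msdt: handler.
# This triage helper surfaces both indicators so a document can be escalated.

EXTERNAL_REL = re.compile(r'<Relationship\b[^>]*\bTargetMode="External"[^>]*>', re.I)
TARGET_ATTR = re.compile(r'\bTarget="([^"]+)"', re.I)
MSDT_URI = re.compile(r'ms-msdt:', re.I)


def scan_docx(data: bytes) -> dict:
    """Return external relationship targets and ms-msdt: references in a .docx."""
    findings = {"external_targets": [], "msdt_refs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith((".rels", ".xml")):
                continue
            text = zf.read(name).decode("utf-8", errors="ignore")
            if name.endswith(".rels"):
                for rel in EXTERNAL_REL.finditer(text):
                    target = TARGET_ATTR.search(rel.group(0))
                    if target:
                        findings["external_targets"].append((name, target.group(1)))
            if MSDT_URI.search(text):
                findings["msdt_refs"].append(name)
    return findings


def build_sample_docx(rels_xml: str, document_xml: str = "<w:document/>") -> bytes:
    """Constructed minimal .docx-shaped archive for testing; not a real lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples: one with an external OLE relationship, one benign.
SUSPICIOUS_RELS = ('<Relationships><Relationship Id="rId5" Type="oleObject" '
                   'Target="http://example.invalid/lure.html!" TargetMode="External"/>'
                   '</Relationships>')
BENIGN_RELS = ('<Relationships><Relationship Id="rId1" Type="styles" '
               'Target="styles.xml"/></Relationships>')

if __name__ == "__main__":
    print(scan_docx(build_sample_docx(SUSPICIOUS_RELS)))
```

Any external relationship target in a mailed document is worth a second look; an ms-msdt: reference anywhere in the package is a strong indicator on its own.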

“UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests,” Google notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
