Google Details Recent Ukraine Cyberattacks

Over the past five months, Google has been tracking a financially motivated threat actor known as UAC-0098, which has been conducting multiple malicious campaigns targeting various entities in Ukraine and Europe.

The group’s activities closely align with those of Russian government-backed attackers, and Google’s Threat Analysis Group (TAG) believes that at least some of UAC-0098’s members are former members of the Conti ransomware gang.

UAC-0098 is widely known for using the IcedID banking trojan in attacks that led to the deployment of human-operated ransomware, operating as an access broker for ransomware groups such as Quantum and Conti.

Recently, however, the threat actor has been targeting the Ukrainian government, various organizations in the country, and European humanitarian and non-profit organizations.

In late April, UAC-0098 was seen launching an email phishing campaign to deliver AnchorMail, a variant of the Anchor backdoor developed by the Conti group, which was previously installed as a TrickBot module.

The attacks appeared both financially and politically motivated, and also stood out because LackeyBuilder and batch scripts were used to build AnchorMail on the fly, Google says.

From mid-April to mid-June, the group was seen launching email campaigns targeting organizations in the hospitality industry in Ukraine with malware such as IcedID and Cobalt Strike.

In one campaign in May, the attackers sent phishing emails impersonating the National Cyber Police of Ukraine, while in another they used a compromised account of a hotel in India. The same email account was also used to target humanitarian NGOs in Italy, also with IcedID.

Also in May, UAC-0098 sent phishing emails impersonating representatives of Elon Musk and Starlink. Some of these emails targeted various Ukrainian organizations in the government, retail, and technology sectors.

In late May, the threat actor targeted the Academy of Ukrainian Press (AUP) with phishing emails linking to a malicious document on Dropbox, which would fetch a Cobalt Strike DLL. Organizations in the hospitality industry were also targeted by these emails.

In June, UAC-0098 was seen exploiting CVE-2022-30190, a Windows vulnerability also known as Follina. Google says it disrupted a spam campaign with more than 10,000 emails impersonating the State Tax Service of Ukraine, which fetched a Cobalt Strike beacon.

“UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests,” Google notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
