Security Experts:

Connect with us

Hi, what are you looking for?



Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers

A Russian cyberespionage group tracked as UAC-0113 is using dynamic DNS domains masquerading as telecommunications providers in ongoing attacks targeting entities in Ukraine, Recorded Future reports.

A Russian cyberespionage group tracked as UAC-0113 is using dynamic DNS domains masquerading as telecommunications providers in ongoing attacks targeting entities in Ukraine, Recorded Future reports.

Newly identified staging infrastructure overlaps with tactics, techniques, and procedures (TTPs) previously attributed to the group and shows that the threat actor continues its attacks on Ukrainian targets likely in support of Russia’s military actions in Ukraine.

UAC-0113 has been linked by the Computer Emergency Response Team of Ukraine (CERT-UA) to the advanced persistent threat (APT) actor Sandworm (also known as Telebots, Iron Viking and Voodoo Bear), which is likely part of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

In June 2022, a CERT-UA report detailed UAC-0113’s use of the DarkCrystal remote access trojan (RAT) to target entities interested in legal matters related to Ukrainian military service personnel.

However, a recently identified malicious ISO file shows that the group has switched to the use of two other malware families, namely Colibri Loader and Warzone RAT. The attackers employ HTML smuggling for malware delivery, Recorded Future says.

DarkCrystal RAT, Colibri Loader, and Warzone RAT are commodity malware families that can be purchased on various underground forums and which are popular among various threat actors, providing them with a broad range of capabilities, including data theft and payload downloading.

After taking a deep dive into domains recently associated with UAC-0113, as well as their connecting IP addresses, Recorded Future identified additional infrastructure used by the threat actor, as well as overlaps with infrastructure previously attributed to the group, including the use of the same LS certificate provider for multiple domains.

Domains identified in July and August 2022 are spoofing telecommunications operators in Ukraine, but also telecoms company Starlink, which is operated by American company SpaceX.

An ISO file contained within the malicious webpage is automatically downloaded onto the visitors’ computers via HTML smuggling. The employed technique and JavaScript code on the page show similarities with APT29 (Cozy Bear), another prolific Russian cyberespionage group.

“It is currently unknown why there is a similarity overlap between the 2 threat actor groups’ use of this ISO delivery functionality; one hypothesis is that UAC-0113 took inspiration from or directly copied this functionality from open source reporting on APT29, or that the same open source resource was used as a codebase,” Recorded Future notes.

Related: More Russian Attacks Against Ukraine Come to Light

Related: Russian Use of Cyberweapons in Ukraine and the Growing Threat to the West

Related: Russian Cyberspies Target Diplomats With New Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...


Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...