Security Experts:

Connect with us

Hi, what are you looking for?



Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers

A Russian cyberespionage group tracked as UAC-0113 is using dynamic DNS domains masquerading as telecommunications providers in ongoing attacks targeting entities in Ukraine, Recorded Future reports.

A Russian cyberespionage group tracked as UAC-0113 is using dynamic DNS domains masquerading as telecommunications providers in ongoing attacks targeting entities in Ukraine, Recorded Future reports.

Newly identified staging infrastructure overlaps with tactics, techniques, and procedures (TTPs) previously attributed to the group and shows that the threat actor continues its attacks on Ukrainian targets likely in support of Russia’s military actions in Ukraine.

UAC-0113 has been linked by the Computer Emergency Response Team of Ukraine (CERT-UA) to the advanced persistent threat (APT) actor Sandworm (also known as Telebots, Iron Viking and Voodoo Bear), which is likely part of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

In June 2022, a CERT-UA report detailed UAC-0113’s use of the DarkCrystal remote access trojan (RAT) to target entities interested in legal matters related to Ukrainian military service personnel.

However, a recently identified malicious ISO file shows that the group has switched to the use of two other malware families, namely Colibri Loader and Warzone RAT. The attackers employ HTML smuggling for malware delivery, Recorded Future says.

DarkCrystal RAT, Colibri Loader, and Warzone RAT are commodity malware families that can be purchased on various underground forums and which are popular among various threat actors, providing them with a broad range of capabilities, including data theft and payload downloading.

After taking a deep dive into domains recently associated with UAC-0113, as well as their connecting IP addresses, Recorded Future identified additional infrastructure used by the threat actor, as well as overlaps with infrastructure previously attributed to the group, including the use of the same LS certificate provider for multiple domains.

Domains identified in July and August 2022 are spoofing telecommunications operators in Ukraine, but also telecoms company Starlink, which is operated by American company SpaceX.

An ISO file contained within the malicious webpage is automatically downloaded onto the visitors’ computers via HTML smuggling. The employed technique and JavaScript code on the page show similarities with APT29 (Cozy Bear), another prolific Russian cyberespionage group.

“It is currently unknown why there is a similarity overlap between the 2 threat actor groups’ use of this ISO delivery functionality; one hypothesis is that UAC-0113 took inspiration from or directly copied this functionality from open source reporting on APT29, or that the same open source resource was used as a codebase,” Recorded Future notes.

Related: More Russian Attacks Against Ukraine Come to Light

Related: Russian Use of Cyberweapons in Ukraine and the Growing Threat to the West

Related: Russian Cyberspies Target Diplomats With New Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


A newly identified threat actor tracked as NewsPenguin has been targeting military organizations in Pakistan with sophisticated malware.