Connect with us

Hi, what are you looking for?



Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers

A Russian cyberespionage group tracked as UAC-0113 is using dynamic DNS domains masquerading as telecommunications providers in ongoing attacks targeting entities in Ukraine, Recorded Future reports.

A Russian cyberespionage group tracked as UAC-0113 is using dynamic DNS domains masquerading as telecommunications providers in ongoing attacks targeting entities in Ukraine, Recorded Future reports.

Newly identified staging infrastructure overlaps with tactics, techniques, and procedures (TTPs) previously attributed to the group and shows that the threat actor continues its attacks on Ukrainian targets likely in support of Russia’s military actions in Ukraine.

UAC-0113 has been linked by the Computer Emergency Response Team of Ukraine (CERT-UA) to the advanced persistent threat (APT) actor Sandworm (also known as Telebots, Iron Viking and Voodoo Bear), which is likely part of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

In June 2022, a CERT-UA report detailed UAC-0113’s use of the DarkCrystal remote access trojan (RAT) to target entities interested in legal matters related to Ukrainian military service personnel.

However, a recently identified malicious ISO file shows that the group has switched to the use of two other malware families, namely Colibri Loader and Warzone RAT. The attackers employ HTML smuggling for malware delivery, Recorded Future says.

DarkCrystal RAT, Colibri Loader, and Warzone RAT are commodity malware families that can be purchased on various underground forums and which are popular among various threat actors, providing them with a broad range of capabilities, including data theft and payload downloading.

After taking a deep dive into domains recently associated with UAC-0113, as well as their connecting IP addresses, Recorded Future identified additional infrastructure used by the threat actor, as well as overlaps with infrastructure previously attributed to the group, including the use of the same LS certificate provider for multiple domains.

Domains identified in July and August 2022 are spoofing telecommunications operators in Ukraine, but also telecoms company Starlink, which is operated by American company SpaceX.

Advertisement. Scroll to continue reading.

An ISO file contained within the malicious webpage is automatically downloaded onto the visitors’ computers via HTML smuggling. The employed technique and JavaScript code on the page show similarities with APT29 (Cozy Bear), another prolific Russian cyberespionage group.

“It is currently unknown why there is a similarity overlap between the 2 threat actor groups’ use of this ISO delivery functionality; one hypothesis is that UAC-0113 took inspiration from or directly copied this functionality from open source reporting on APT29, or that the same open source resource was used as a codebase,” Recorded Future notes.

Related: More Russian Attacks Against Ukraine Come to Light

Related: Russian Use of Cyberweapons in Ukraine and the Growing Threat to the West

Related: Russian Cyberspies Target Diplomats With New Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet