Ukraine’s Computer Emergency Response Team (CERT-UA) revealed recently that users of the country’s Delta military intelligence program have been targeted with data-stealing malware.
According to CERT-UA, the attackers have used hacked email accounts belonging to Ministry of Defense employees, as well as messaging applications, to send out messages informing recipients about the need to update certificates in the Delta system. The malicious messages carry documents containing links to archive files hosted on a fake Delta domain.
These files are designed to deploy two pieces of malware onto compromised systems, including one named FateGrab, which harvests emails, databases, scripts and documents, and one called StealDeal, which collects internet browser and other data.
Ukraine has attributed the attack to a group it tracks as UAC-0142, but has not shared any other information on who may be behind the attack.
However, Russia has been known to target the Delta system. Ukrainian journalist Yuriy Butusov said Russian hackers gained limited access to the system earlier this year, but claimed they did not manage to obtain any important information. Butusov’s comments on the subject came after Russia claimed that the Delta system had been hacked.
Ukraine’s Delta system collects information about the enemy, helps coordinate defense forces, and provides situational awareness. It has been touted as a very valuable resource in Ukraine’s arsenal, which likely makes it an important target for Russia’s cyberwarriors.
Russia has intensified cyberattacks against Ukraine since it started planning the country’s invasion, often using wiper malware to cause disruption.
The main concern is that Russia could launch massive cyberattacks targeting critical infrastructure, as shown in the attack involving the Industroyer2 industrial control system (ICS) malware — used earlier this year against a Ukrainian energy provider — and the Pipedream/Incontroller malware designed to manipulate and disrupt industrial processes.