Security Experts:

Connect with us

Hi, what are you looking for?



USCYBERCOM Releases IoCs for Malware Targeting Ukraine

The United States Cyber Command (USCYBERCOM) this week released indicators of compromise (IoCs) associated with malware families identified in recent attacks targeting Ukraine.

The United States Cyber Command (USCYBERCOM) this week released indicators of compromise (IoCs) associated with malware families identified in recent attacks targeting Ukraine.

The malware samples were found by the Security Service of Ukraine on various compromised networks in the country, which has seen an increase in cyber activity since before the beginning of the Russian invasion in February 2022.

USCYBERCOM has released 20 novel indicators in various formats representing IoCs identified during the analysis of recently identified malware samples, but has not shared further information on the attacks.

“Our Ukrainian partners are actively sharing malicious activity they find with us to bolster collective cyber security, just as we are sharing with them. We continue to have a strong partnership in cybersecurity between our two nations,” USCYBERCOM notes.

According to Mandiant, both public and private entities in the country have been targeted by several cyberespionage groups that used spear phishing with lures claiming urgency to gain access to networks of interest. However, the researchers did not gain visibility into follow-on activities.

“The malware used in these intrusion attempts would enable a wide variety of operations and these groups have previously conducted espionage, information operations and disruptive attacks,” Mandiant notes.

One threat actor targeting Ukraine is UNC1151, which is likely sponsored by Belarus, and which is believed to be offering technical support to the Ghostwriter disinformation campaigns. The group has continued to be highly active since the beginning of the Russian invasion.

Another adversary active in Ukraine is UNC2589, which is likely sponsored by the Russian government, and which is believed to be responsible for the January 2022 Whispergate cyberattacks. Over the past months, the hacking group was also observed targeting NATO member states in North America and Europe.

UNC2589 was seen using spear phishing themes such as Covid-19, government-related lures, the war in Ukraine, and general-purpose themes to deploy malware such as Grimplant – a Go-based backdoor that performs system surveillance and command execution – and Graphsteel – a modified, weaponized version of goLazagne, which can harvest various types of information from the target system.

UNC1151 has been targeting government and media entities in Ukraine, Latvia, Lithuania, Germany, and Poland, but it has focused mainly on Ukraine and Poland since February 2022. The cyberespionage group has been observed using Cobalt Strike Beacon – a backdoor with file transfer and shell command execution capabilities – and Microbackdoor – which can transfer files, execute commands, take screenshots, and update itself.

Related: Microsoft: Russian Cyber Spying Targets 42 Ukraine Allies

Related: Google, EU Warn of Malicious Russian Cyber Activity

Related: Pro-Russian Hackers Spread Hoaxes to Divide Ukraine, Allies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...