Full Report
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new set of cyber attacks that it said were aimed at defense companies in the country as well as its security and defense forces. The phishing attacks have been attributed to a Russia-linked threat actor called UAC-0185 (aka UNC4221), which has been active since at least 2022. "The phishing emails mimicked official messages
Analysis Summary
# Threat Actor: UAC-0185 (aka UNC4221)
## Attribution & Identity
* **Attribution:** Russia-linked threat actor.
* **Known Aliases/Associations:** UNC4221 (the designation used by Mandiant).
* **Historical Activity:** Active since at least 2022.
## Activity Summary
CERT-UA has reported a new campaign involving phishing attacks specifically targeting Ukrainian defense companies and security/defense forces. These attacks utilized emails impersonating the Ukrainian League of Industrialists and Entrepreneurs, advertising a conference on aligning defense industry products with NATO standards. The goal of this activity appears to be intelligence gathering, specifically credential theft and unauthorized access to critical military systems.
## Tactics, Techniques & Procedures
* **Delivery:** Phishing emails containing malicious URLs.
* **Execution Chain:**
  1. Recipient clicks the URL, leading to the download of a Windows shortcut file (.LNK).
  2. The shortcut executes an HTML Application (HTA).
  3. The HTA contains JavaScript code used to run obfuscated PowerShell commands.
  4. The initial payload drops additional components: a decoy file, a ZIP archive containing a batch script, another HTA, and an executable.
  5. The batch script is launched to execute the final HTA, which deploys the remote access tool.
* **Persistence/Control:** Deployment of the **MeshAgent** binary to establish remote control.
## Targeting
* **Sectors:** Defense industry/companies, Security and Defense Forces.
* **Geography:** Ukraine.
* **Victims:** Workers and representatives within Ukrainian defense and security sectors.
* **Objective Focus:** Stealing credentials related to messaging apps (Signal, Telegram, WhatsApp) and specific Ukrainian military systems (DELTA, Teneta, Kropyva).
## Tools & Infrastructure
* **Malware families used:** MeshAgent (used for remote control).
* **Infrastructure:** Malicious URLs embedded in phishing emails. (Specific URLs/IPs were not provided in the text, only the mechanism of delivery).
## Implications
UAC-0185 maintains a persistent focus on Ukraine's defense apparatus, leveraging sophisticated, multi-staged infection chains designed to bypass common security measures. The actor's primary goal is the exfiltration of credentials for messaging apps and specialized military software, indicating an intelligence-gathering objective highly relevant to ongoing geopolitical conflicts.
## Mitigations
* Maintain heightened vigilance against phishing emails, especially those mimicking official organizations or professional events (e.g., industry conferences).
* Implement controls to monitor and restrict the execution of potentially harmful file types like Windows shortcut files (.LNK) and HTML Applications (.HTA) delivered via email.
* Monitor networks for the unauthorized deployment or beaconing activity associated with remote access tools like MeshAgent.
* Enforce strong credential management, especially multi-factor authentication, for critical military and defense-related systems (DELTA, Teneta, Kropyva).