# Full Report
The hackers have targeted Ukraine’s armed forces, law enforcement agencies and local government bodies — especially those near the country’s eastern border, which is close to Russia.
# Analysis Summary
# Threat Actor: UAC-0226
## Attribution & Identity
CERT-UA has not attributed this activity to a known threat group; it tracks the cluster internally under the identifier **UAC-0226**. The threat actors rely on social engineering built around impersonation.
## Activity Summary
The identified threat actors have been conducting espionage campaigns since at least February targeting Ukrainian entities. They are using highly customized spearphishing campaigns that impersonate Ukrainian drone manufacturers and state agencies. The goal appears to be the deployment of information-stealing malware.
In a separate, but potentially related, activity reported by CERT-UA in March, hackers targeted Ukrainian government agencies and critical infrastructure with new spying malware dubbed **Wrecksteel**.
## Tactics, Techniques & Procedures
- **Initial Access:** Spearphishing emails sent from compromised accounts (including webmail).
- **Social Engineering:** Impersonating legitimate organizations (drone companies, state agencies) with lures related to war efforts, such as landmine clearance, drone production, or compensation for destroyed property. Email attachments (malicious documents) were used.
- **File Execution:** Follow-on campaigns used links to public file-sharing services (DropMeFiles, Google Drive); the delivered file executed a PowerShell script when opened.
- **Data Exfiltration:** Data stolen by the GiftedCrook info-stealer is compressed and exfiltrated via **Telegram**.
- **Data Collection (Wrecksteel):** The Wrecksteel campaign involved extracting text documents, PDFs, images, and presentations, and capturing screenshots.
- **Custom/Open-Source Tooling:** One deployed malware was based on publicly available code from a GitHub repository.
## Targeting
- **Sectors:** Armed forces, law enforcement agencies, and local government bodies. Critical infrastructure was also mentioned in relation to a separate campaign using Wrecksteel malware.
- **Geography:** Ukraine, specifically targeting entities near the eastern border close to Russia.
- **Victims:** Ukraine’s armed forces, law enforcement agencies, and local government bodies.
## Tools & Infrastructure
- **Malware families used:**
  - Information stealer designed to steal browser data (cookies, history, saved passwords) from Chrome, Edge, and Firefox.
  - A script based on publicly available GitHub code.
  - **GiftedCrook** (info-stealer).
  - **Wrecksteel** (spying malware used in March against infrastructure).
- **Infrastructure:**
  - Exfiltration channel: **Telegram**.
  - File-sharing services used for payload delivery: DropMeFiles and Google Drive.
## Implications
This activity indicates a focused, persistent espionage effort against Ukrainian governmental and defense structures, using social engineering tailored to the current conflict environment (drones, compensation, demining). The combined use of a bespoke info-stealer (GiftedCrook) and a potentially more advanced custom spying tool (Wrecksteel) suggests a sophisticated adversary prioritizing intelligence gathering within the Ukrainian state apparatus.
## Mitigations
- Implement heightened scrutiny for emails referencing local conflict topics (drone production, compensation, landmine clearance), especially those originating from external or compromised webmail accounts.
- Be cautious of attachments or links delivered via spearphishing campaigns.
- Review configurations for PowerShell execution policies and restrict the use of file-sharing services for sensitive document access within government networks.
- Monitor for indicators related to the GiftedCrook malware, specifically looking for data compression and exfiltration activity directed towards Telegram channels.
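The last three mitigations can be turned into a simple host-level correlation. The following is an added example written for this summary, not detection content from CERT-UA or the report; the log format, the hostnames `dropmefiles.com` and `drive.google.com`, and the assumption that Telegram exfiltration reaches the Bot API host `api.telegram.org` are all assumptions of the example. It flags PowerShell running a script from the Downloads folder shortly after a file-sharing visit, and any non-client process reaching the Telegram API, with severity raised when an archive was written just before (the compress-then-exfiltrate pattern described above).

```python
from datetime import datetime, timedelta
import re

FILE_SHARING = {"dropmefiles.com", "drive.google.com"}  # assumed delivery hosts
TELEGRAM_API = "api.telegram.org"                       # assumed exfil endpoint
TELEGRAM_CLIENTS = {"telegram.exe"}                     # sanctioned client process
ARCHIVE_EXT = (".zip", ".7z", ".rar")
WINDOW = timedelta(minutes=10)

# Constructed sample events: timestamp host kind key=value ...
EVENTS = r"""
2025-04-01T09:00:05 ws17 web  dst=dropmefiles.com proc=chrome.exe
2025-04-01T09:01:40 ws17 proc image=powershell.exe cmd="powershell -f C:\Users\olena\Downloads\act.ps1"
2025-04-01T09:03:12 ws17 file path=C:\Users\olena\AppData\Local\Temp\a1.zip proc=powershell.exe
2025-04-01T09:03:30 ws17 net  dst=api.telegram.org proc=powershell.exe
2025-04-01T11:20:00 ws22 net  dst=api.telegram.org proc=telegram.exe
2025-04-01T12:00:00 ws23 proc image=powershell.exe cmd="powershell -f C:\scripts\backup.ps1"
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one log line into a dict; values are lower-cased for matching."""
    ts, host, kind, rest = LINE_RE.match(line).groups()
    ev = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
    ev.update((k, v.strip('"').lower()) for k, v in KV_RE.findall(rest))
    return ev

def recent(events, kind, before, pred):
    """True if an event of `kind` satisfying pred occurred within WINDOW before `before`."""
    return any(e["kind"] == kind and before - WINDOW <= e["ts"] <= before and pred(e)
               for e in events)

def detect(lines):
    """Return alerts as (host, rule, severity) tuples."""
    by_host = {}
    for ev in map(parse, lines):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        for ev in evs:
            # Rule 1: PowerShell script from Downloads right after a file-sharing visit
            if (ev["kind"] == "proc" and ev.get("image") == "powershell.exe"
                    and "\\downloads\\" in ev.get("cmd", "")
                    and recent(evs, "web", ev["ts"], lambda w: w.get("dst") in FILE_SHARING)):
                alerts.append((host, "powershell-after-filesharing", "high"))
            # Rule 2: Telegram API reached by something other than the desktop client;
            # an archive written just before means compress-then-exfiltrate, so raise severity
            if ev["kind"] == "net" and ev.get("dst") == TELEGRAM_API \
                    and ev.get("proc") not in TELEGRAM_CLIENTS:
                staged = recent(evs, "file", ev["ts"],
                                lambda f: f.get("path", "").endswith(ARCHIVE_EXT))
                alerts.append((host, "telegram-exfil", "high" if staged else "medium"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Both rules are correlation hints, not signatures: tune `WINDOW` and the allow-list of Telegram client processes to the environment before relying on them.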