The hacking group has been distributing phishing emails spoofing officials from Ukraine’s Ministry of Justice. The campaign follows news that suspected Russian military hackers breached Kyiv state registers in December.
Analysis Summary
# Incident Report: UAC-0173 Campaign Targeting Ukrainian Notaries with DarkCrystal Backdoor
## Executive Summary
Hackers identified as UAC-0173 targeted Ukrainian notaries starting in mid-January by distributing phishing emails disguised as official communications from the Ministry of Justice. The main goal was to gain remote access and manipulate government registries using DarkCrystal malware. CERT-UA detected and intervened in the attacks across six regions, successfully preventing unauthorized registry modifications, though the full scope of compromise remains under investigation.
## Incident Details
- Discovery Date: Not stated precisely; the report was released on a Tuesday, so the campaign was discovered before that.
- Incident Date: Mid-January, when phishing distribution began.
- Affected Organization: Notaries using systems connected to Ukrainian Government Registries
- Sector: Legal/Government Services (Justice System)
- Geography: Ukraine (Affected computers identified in six regions)
## Timeline of Events
### Initial Access
- Date/Time: Mid-January
- Vector: Phishing emails
- Details: Attackers posed as regional offices of Ukraine’s Ministry of Justice to trick recipients into executing malware.
### Lateral Movement
- Details: Attackers used various utilities for network scanning and data integrity monitoring, likely to map the environment and prepare for impact.
### Data Exfiltration/Impact
- Details: The ultimate goal was to manipulate government registries remotely. Attackers deployed DarkCrystal malware for surveillance, reconnaissance, and unauthorized code execution, and leveraged compromised machines to send further phishing waves.
### Detection & Response
- Date/Time: Over the weekend; the report does not state precisely when detection occurred relative to the final stages of the attack.
- Details: CERT-UA researchers identified affected computers in six regions and successfully prevented unauthorized registry modifications, stopping attacks in their final stages.
## Attack Methodology
- Initial Access: Phishing emails impersonating the Ministry of Justice.
- Persistence: Achieved via deployment of DarkCrystal malware (a commercial backdoor).
- Privilege Escalation: Not explicitly detailed, but required for registry access.
- Defense Evasion: Use of various utilities to bypass security controls.
- Credential Access: Use of utilities to intercept authentication data and steal credentials.
- Discovery: Network scanning utilities were employed.
- Lateral Movement: Implied by the use of network mapping utilities; compromised machines were also used to send further phishing waves, enabling spread to additional victims.
- Collection: Surveillance and information theft capabilities enabled by DarkCrystal.
- Exfiltration: Not explicitly detailed, but the goal was manipulation of registries.
- Impact: Unauthorized alteration of government registries.
## Impact Assessment
- Financial: Unknown, but the malware (DarkCrystal) is notably cheap ($6 for two months), suggesting a potentially low barrier to entry for the sponsoring entity.
- Data Breach: Compromise of systems accessing sensitive government registries; specific data type compromised is not detailed.
- Operational: Risk of service disruption to the Justice System/Registry operations.
- Reputational: Significant risk due to interference with official government processes.
## Indicators of Compromise
- Network indicators: None provided in the source report (no URLs or IP addresses were published).
- File indicators: DarkCrystal malware.
- Behavioral indicators: Use of utilities for network scanning, authentication data interception, and launching subsequent phishing campaigns from compromised hosts.
## Response Actions
- Containment measures: Identification of affected computers across six regions.
- Eradication steps: Preventing unauthorized registry modifications.
- Recovery actions: Not explicitly detailed, but likely involved cleaning infected systems and resetting credentials.
## Lessons Learned
- Key takeaways: Commercial malware, even cheap variants like DarkCrystal, poses a significant threat when weaponized by sophisticated groups (UAC-0173). The reliance on human interaction via email is a persistent vulnerability in government services.
- What could have been better: Defense against phishing aimed at users of critical registry systems (notaries) was largely reactive, depending on researchers identifying post-infection activity rather than blocking the lures before execution.
## Recommendations
- Implement rigorous multi-factor authentication (MFA) for all access points related to government registries.
- Conduct targeted security awareness training for notaries focusing specifically on identifying state-sponsored or Ministry of Justice-themed social engineering lures.
- Enhance network segmentation to isolate systems handling critical registry data from standard user workstations.
- Deploy advanced endpoint detection and response (EDR) solutions capable of detecting behavior associated with known commercial backdoors like DarkCrystal.