Full Report
The nefarious nation-backed russian hacking collective known as UAC-0001 (aka APT28) reemerges in the cybersecurity spotlight. Over a year ago, in the spring of 2024, the CERT-UA team was investigating an incident targeting state executive bodies and identified a Windows-based server. In May 2025, ESET shared timely intelligence indicating unauthorized access to an email account […] The post UAC-0001 (APT28) Activity Detection: The russian State-Sponsored Group Targets Government Agencies Using BEARDSHELL and COVENANT Malware appeared first on SOC Prime.
Analysis Summary
# Threat Actor: UAC-0001 (APT28)
## Attribution & Identity
**Attribution:** Russian State-Sponsored Group.
**Aliases/Associations:** APT28, Fancy Bear.
## Activity Summary
The group is engaged in cyber activities targeting Ukrainian government entities, with observations suggesting an extension of their operational reach beyond Ukraine. The reported activity involves the use of specific malware families: BEARDSHELL and COVENANT.
## Tactics, Techniques & Procedures
- Uses BEARDSHELL malware.
- Uses COVENANT malware.
- Abuses trusted cloud services for Command and Control (C2) communication.
*(Note: the source snippet states that the activity is mapped to the MITRE ATT&CK framework but does not list specific technique IDs.)*
## Targeting
- **Sectors:** Government Agencies.
- **Geography:** Ukraine (primary mention), extending reach beyond Ukraine.
- **Victims:** Ukrainian government entities.
## Tools & Infrastructure
- **Malware families used:** BEARDSHELL, COVENANT.
- **Infrastructure:** Abused trusted cloud storage services for C2 communication, specifically: `app.koofr[.]net` and `api.icedrive[.]net`. (Domains defanged.)
## Implications
UAC-0001 (APT28) remains an active, persistent threat linked to Russian state interests, capable of targeting critical government infrastructure. Their use of legitimate cloud services for C2 complicates network defense and detection efforts.
## Mitigations
- Raise defensive posture beyond the primary target set: Ukrainian government entities first, but also organizations outside Ukraine, given the group's extended operational reach.
- Implement detection mechanisms specifically targeting the use of COVENANT and BEARDSHELL malware.
- Monitor for C2 communication patterns that abuse trusted services like Koofr and Icedrive endpoints.
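One way to act on the last mitigation is to match outbound web-proxy requests against the two defanged hosts named in the report. The example below is added here and is not SOC Prime's or CERT-UA's code; the only facts it takes from the page are the two indicators, while the log format, the sample log lines and the `Alert` record are constructed for the demonstration. It keeps the watchlist in defanged form (safe to paste into tickets), refangs it at load time, and matches on the exact destination host so that lookalike domains do not produce false hits.

```python
"""Flag proxy-log requests to cloud services reported as abused for C2.

Added example (not SOC Prime's or CERT-UA's code). The only facts taken
from the report are the two defanged hosts below; the log format and the
sample lines are constructed for this demonstration.
"""
import re
from dataclasses import dataclass

# Defanged indicators exactly as given in the report; refanged at load
# time so the watchlist itself stays safe to paste into tickets and wikis.
WATCHLIST_DEFANGED = ["app.koofr[.]net", "api.icedrive[.]net"]


def refang(indicator: str) -> str:
    """Turn 'host[.]tld' / 'hxxp://' style defanging back into a matchable host."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


WATCHLIST = {refang(i).lower() for i in WATCHLIST_DEFANGED}

# Constructed log format: "<ts> <src_ip> <user> <method> <url> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)
# Hostname from a URL ("https://host/path") or a CONNECT target ("host:443").
HOST_RE = re.compile(r"^(?:[a-z]+://)?(?P<host>[^/:]+)")


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    host: str
    method: str
    bytes_out: int


def host_of(url: str) -> str:
    """Extract the destination hostname, lower-cased, without port or path."""
    m = HOST_RE.match(url.lower())
    return m.group("host") if m else ""


def scan(lines):
    """Return one Alert per request whose destination host is on the watchlist.

    Matching is on the whole host, so 'api.icedrive.net.lookalike.example'
    is not a hit; a real pipeline would also count unparsable lines.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = host_of(m.group("url"))
        if host in WATCHLIST:
            alerts.append(Alert(m.group("ts"), m.group("src"), host,
                                m.group("method"), int(m.group("bytes"))))
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-07-01T08:12:03Z 10.20.30.41 jdoe CONNECT app.koofr.net:443 200 5120",
    "2025-07-01T08:12:09Z 10.20.30.41 jdoe GET https://www.example.gov.ua/news 200 2048",
    "2025-07-01T08:13:44Z 10.20.30.57 asmith POST https://api.icedrive.net/v1/upload 200 98304",
    "2025-07-01T08:14:01Z 10.20.30.57 asmith GET https://api.icedrive.net.lookalike.example/ 404 512",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.host} ({a.method}, {a.bytes_out} bytes)")
```

Because Koofr and Icedrive are legitimate services, a hit is a lead rather than proof of compromise: triage it by correlating the source host with the requesting process, the user's normal use of those services, and the volume and direction of the transfer (the `bytes_out` field is kept on the alert for that reason).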