Phishing Scam Targets Ukrainian Defense Companies

### #PhishingThreats #UAC0185 #NATOImpersonation

Summary: A phishing campaign targeting Ukrainian defense companies has been uncovered, featuring fake invitations to a NATO standards conference, which ultimately aims to deploy malware on victims’ computers. The threat actor, UAC-0185, is known for stealing credentials and gaining unauthorized access to military systems.

Threat Actor: UAC-0185
Victim: Ukrainian defense companies

Key Points:

  • Phishing emails advertised a fake NATO standards conference in Kyiv on December 5.
  • Victims who clicked on the malicious link downloaded malware that allowed remote access to their systems.
  • UAC-0185 has been active since at least 2022, focusing on credential theft from messaging services and military systems.
  • This attack represents a shift towards more targeted tactics rather than broad credential theft.
  • CERT-UA previously warned of a similar phishing campaign that compromised over 100 Ukrainian government computers.

A series of phishing emails has been identified targeting Ukrainian defense companies and security and defense forces with a fake NATO standards conference.

The Computer Emergency Response Team of Ukraine (CERT-UA) detailed that these emails advertised a conference held on December 5 in Kyiv, aimed at aligning the products of domestic defense industry companies with NATO standards.

The emails contained a URL named “attachment contains important information for your participation”. Clicking the link and opening the attached files allowed hackers to infect the victim’s computer with malware.

CERT-UA identified the culprit of the phishing attack as UAC-0185, a group which has been active since at least 2022.

The focus of the group is to steal credentials from messaging services including Signal, Telegram and WhatsApp as well as military systems DELTA, Teneta, and Kropyva.

The Ukrainians identified that in this most recent attack, the group would eventually run the remote management program MESHAGENT on the victim’s device.

This attack aimed at obtaining unauthorized remote access to employees’ computers from enterprises of the military-industrial complex. CERT-UA said this was a more limited tactic compared to the theft of credentials.

Earlier in 2024, CERT-UA warned of a phishing campaign which led to the compromise of more than 100 Ukrainian government computers.

In this instance, attackers impersonated the Security Service of Ukraine in the emails to tempt targets into clicking on a malicious link.

Source: https://www.infosecurity-magazine.com/news/phishing-scam-targets-ukrainian