Ukrainian soldiers’ apps increasingly targeted for spying, cyber agency warns

Summary: Hackers are targeting messaging apps used by the Ukrainian armed forces in an attempt to plant data-stealing malware, according to a report from CERT-UA.

Threat Actor: UAC-0184 | UAC-0184
Victim: Ukrainian armed forces | Ukrainian armed forces

Key Point :

  • Hackers identified as UAC-0184 are targeting Ukrainian armed forces’ messaging apps with data-stealing malware.
  • The group deploys custom and open-source malware, including HijackLoader and Remcos, to gain access to systems.
  • Other malware used by UAC-0184 includes ViottoKeylogger, XWorm, Tusc, and Sigtop.
  • To trick victims, hackers disguise malicious files as fake court documents, frontline videos, or archives.
  • CERT-UA warns soldiers to be cautious online as careless activity can make them priority targets for physical attacks.
  • It is unclear whether the cyber-espionage attempts were successful or the extent of the impact on Ukrainian military personnel.
  • Previous reports have highlighted Russian hackers targeting Ukraine’s military messaging apps.

Hackers are increasingly trying to plant data-stealing malware on messaging apps used by the Ukrainian armed forces, according to the latest report from the country’s computer emergency response team, CERT-UA.

The agency is attributing the surge to a group tracked as UAC-0184, which was spotted in February targeting an unnamed Ukrainian entity in Finland. CERT-UA does not attribute UAC-0184’s activity to any specific foreign cyberthreat group

CERT-UA urged soldiers to be careful when using apps, noting that “any careless online activity of a serviceman (for example, posting a photo in military uniform) makes it easier for attackers to identify priority targets” for physical attacks.

The agency didn’t disclose whether the cyber-espionage attempts were successful or how many Ukrainian military personnel were affected.

According to CERT-UA’s report, UAC-0184 deploys a variety of custom and open-source malware against Ukrainian targets, including HijackLoader, to gain access to a system. A favorite tool is Remcos — legitimate remote-access software that can be abused by malicious hackers.   

Other malware used by UAC-0184 over the past year, according to CERT-UA, includes ViottoKeylogger, XWorm, Tusc and Sigtop. The latter is used by hackers to export messages, attachments, and other data from the Signal app for desktop.

To trick victims into opening malicious files, hackers disguise them as fake court documents, videos from the frontlines or archives.

Before the war, Ukraine considered creating its own secure app for the military, similar to Threema in Switzerland. However, most Ukrainian soldiers are still using popular services like Telegram, Signal, Viber and WhatsApp. 

Researchers have previously warned about cyberattacks carried out by Russian hackers targeting Ukraine’s military messaging apps. In a report released this week, Google-owned Mandiant said that Russia-backed Sandworm hackers established an infrastructure allowing Russian military forces to exfiltrate encrypted Telegram and Signal communications from mobile devices captured on the battlefield.

Last July, CERT-UA discovered a campaign by the Russian hacking group Turla, which targeted Ukrainian defense forces with spying malware. The threat actor’s goal was to exfiltrate files containing messages from Signal, allowing the actor to read private conversations, as well as access documents, images, and archive files on targeted systems.

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

Source: https://therecord.media/ukraine-military-personnel-cyber-espionage-uac-0184


“An interesting youtube video that may be related to the article above”