
Wrecksteel Malware Targets Agencies in Ukraine


Ukraine has been facing a series of cyberattacks targeting government bodies and critical infrastructure, according to a report from the country’s Computer Emergency Response Team (CERT-UA). The attacks, attributed to a group known as UAC-0219, aimed at stealing sensitive data through phishing tactics. These attacks involved sending phishing emails containing links to legitimate file-sharing services like DropMeFiles and Google Drive, which ultimately led to the download of malicious scripts that harvested various types of files and captured screenshots from infected systems.

The cyberattacks were carried out using compromised email accounts and involved social engineering tactics to create a sense of urgency. One tactic involved falsely claiming that a Ukrainian government agency would be cutting salaries and providing a link to a list of affected employees. Clicking on this link would result in the download of a Visual Basic Script (VBS) loader and a PowerShell script designed to collect files and capture screenshots. CERT-UA has labeled this malicious payload as “Wrecksteel.”

This attack campaign, which has been active since fall 2024, has evolved from previous versions that utilized EXE binaries and image editing software like IrfanView for exploitation. While the origin of the malware campaign has not been directly attributed to any specific country, it bears similarities to the tactics used by Russian-linked cyber threat groups. This latest wave of cyberattacks follows a pattern seen in previous espionage campaigns targeting Ukraine’s government and critical infrastructure.

Aside from the UAC-0219 attacks, other Russian-backed cyber groups like Gamaredon have also been actively targeting Ukraine’s defense and infrastructure. These groups utilize various malware families such as sLoad and Remcos RAT, focusing on both espionage and financially motivated attacks. The ongoing conflict between Ukraine and Russia has made Ukraine’s critical infrastructure a prime target for cyberattacks, including a recent incident involving the Ukrainian railway system, which was labeled as an “act of terrorism.”

As Ukraine continues to navigate these cyber threats, CERT-UA and other cybersecurity experts are working diligently to strengthen the country’s defenses and mitigate the risks posed by these malicious actors. The evolving nature of these cyberattacks underscores the importance of maintaining vigilance and enhancing cybersecurity measures to safeguard critical systems and data from potential threats.
