
Russia Targets Ukrainian Army with Fake Recruitment App


A recent cyber campaign is targeting Ukraine's efforts to recruit new soldiers for its war against Russia, with Kremlin-backed threat actors combining malware delivery with disinformation. Google's Threat Analysis Group (TAG) and Mandiant attribute the operation to a cluster they track as UNC5812, which operates a Ukrainian-language persona called "Civil Defense": a website and Telegram channel offering a supposed app for tracking the locations of military recruiters, used to lure potential recruits.

The attackers steer prospective recruits from the Telegram channel to the fake Civil Defense website, where the "app" is downloaded directly rather than from Google Play, so it never passes through Play's review. The download delivers Windows or Android malware depending on the visitor's platform. Windows users receive the Pronsis Loader, which in turn installs SUNSPINNER and the PureStealer infostealer. Android users receive the CraxsRAT backdoor together with SUNSPINNER.

The fake Civil Defense website uses social engineering to defuse suspicion about installing an APK from outside the official store, framing the out-of-store distribution as a measure to protect users' anonymity and security. The site also walks users through disabling Google Play Protect and manually granting the app's permissions, stripping away the device's built-in defenses before the payload runs. It advertises macOS and iPhone support as well, but only Windows and Android payloads were available at the time of analysis.
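The practical check a responder wants after reading this is how to find apps that arrived on an Android device the way Civil Defense did, outside the store, after Play Protect was switched off. The following Python snippet is an added example, not code from the original article or from Google/Mandiant; it parses the output of `adb shell pm list packages -i`, which reports each package with the installer that placed it, and flags anything not installed by a trusted store. The sample output, the trusted-installer list, the system-package prefixes and the package names are all constructed for illustration, not captured from a real device or tied to any real indicator.

```python
import re
from collections import namedtuple

# Constructed stand-in for `adb shell pm list packages -i` output (not from any real device).
# Real lines have exactly this shape: "package:<name>  installer=<installer or null>".
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.gms  installer=null
package:com.example.recruitermap  installer=null
package:com.example.sideloaded  installer=com.android.packageinstaller
package:com.samsung.android.app  installer=com.sec.android.app.samsungapps
"""

# Installers we treat as legitimate app stores (assumption: adjust per fleet/OEM).
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play Store
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}

# Preloaded platform packages report no installer; these prefixes are an assumption
# used to keep them out of the findings list.
SYSTEM_PREFIXES = ("com.google.android.", "com.android.")

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

Finding = namedtuple("Finding", "package installer reason")


def parse_pm_list(output):
    """Parse `pm list packages -i` text into (package, installer) pairs.

    The literal string 'null' means Android recorded no installer, which is what
    an ADB push, a browser download or a file-manager install looks like.
    """
    pairs = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unexpected pm output line: {line!r}")
        pkg, installer = m.groups()
        pairs.append((pkg, None if installer == "null" else installer))
    return pairs


def find_sideloaded(output, trusted=TRUSTED_INSTALLERS):
    """Return Finding records for packages not installed by a trusted store."""
    findings = []
    for pkg, installer in parse_pm_list(output):
        if installer in trusted:
            continue
        if installer is None and pkg.startswith(SYSTEM_PREFIXES):
            continue  # preloaded platform package, no installer is expected
        if installer is None:
            reason = "no installer recorded (ADB, browser or file-manager install)"
        else:
            reason = f"installed by non-store installer {installer}"
        findings.append(Finding(pkg, installer, reason))
    return findings


if __name__ == "__main__":
    for f in find_sideloaded(SAMPLE_PM_OUTPUT):
        print(f"{f.package}: {f.reason}")
```

On a live device, replace the constructed sample with the real output (`adb shell pm list packages -i`) and review every flagged package; the installer field is not a verdict on its own, but an app that reached the device with no store installer, on a handset whose user was told to turn off Play Protect, is exactly the artifact this campaign leaves behind.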

To keep victims from realizing they have been infected, the attackers bundle a decoy graphical application named SUNSPINNER, built with the Flutter framework, so that the download appears to do what the website promised. SUNSPINNER does show a map of supposed Ukrainian military recruiter locations, but the markers are fabricated and fetched from the attackers' command-and-control infrastructure; the app provides no real crowdsourced data.

In addition to spreading malware, the Russian threat actors behind the campaign aim to disseminate disinformation to undermine Ukraine’s military mobilization efforts. By promoting anti-Ukrainian-military narratives through videos and social media posts, the attackers seek to discourage potential recruits. The disinformation is cross-posted on various platforms, including the group’s website and Telegram channel, indicating a concerted effort to suppress recruitment.

The Russian cyber campaign against Ukraine aligns with its broader strategy of leveraging cyberattacks for geopolitical gain. In addition to targeting Ukraine, Russian threat actors have conducted cyber operations against other governments, such as launching distributed denial-of-service (DDoS) attacks on Japanese shipping ports. Moreover, they have engaged in distributing disinformation ahead of critical events like the US 2024 election.

While Sandworm remains the most active threat group supporting Russian military operations in Ukraine, the Civil Defense campaign shows that several actors are carrying out Russia's cyber operations in parallel, here pairing espionage malware with an influence operation. These hybrid campaigns illustrate the evolving tactics of state-backed threat actors and the challenge they pose to defenders and governments worldwide.
