Wednesday 28th December 2022

Threat intelligence weekly update | 23rd December 2022

Key Issue: Suspected Russian threat actors target Ukrainian military application
Cybercriminals: New developments in illicit revenue generating operations
Nation-State: Gamaredon and TA453 adapt TTPs to support intelligence requirements

Suspected Russian threat actors target Ukrainian military application

This week we reported on an information-stealing campaign targeting Ukrainian defence forces that was attributed to UAC-0142 after researchers were unable to connect the operations to any known threat actors. The campaign targets users of the DELTA system, a Ukrainian military situational awareness application used to track the movements and composition of enemy forces in real time.

The adversaries were observed distributing phishing messages via compromised Ukrainian email accounts in an attempt to lure users into opening a PDF that contains a link to download a malicious ZIP archive. An executable within the archive compromises the victim’s device by creating several dynamic-link libraries (DLLs), which run in the background and deploy the FateGrab and StealDeal information-stealing malware, enabling the perpetrators to access and exfiltrate a wide variety of files, browser history, and passwords.

Ukrainian entities have been regularly targeted with information-stealing malware such as DolphinCape and JesterStealer since the onset of conflict in February 2022; however, this is the first instance in which military software has been specifically targeted. We assess that the campaign is very likely to be an intelligence-collecting effort of Russian origin, aimed at gathering intelligence that can be used to assist Russian forces in the physical domain. We anticipate that Russian intelligence-related targeting is very likely to continue within Ukraine and possibly expand to allied countries if the conflict continues to progress in Ukraine’s favour.
