
New Cyberattack Campaign Targets Ukraine's Defence Sector


Ever since Russia launched its large-scale invasion of Ukraine, numerous hacking groups have increasingly focused on defense entities through phishing attacks. Researchers with the Computer Emergency Team of Ukraine (CERT-UA) recently reported the discovery of a series of new attacks by the threat actor UAC-0185 (also known as UNC4221).

This group has targeted Ukrainian organizations in the defense-industrial sector. The latest CERT-UA alert details cyberattacks involving email spoofing, where the attacker impersonates the Ukrainian Union of Industrialists and Entrepreneurs (UUIE) as the sender.

While CERT did not go into much detail about UNC4221, a cybersecurity firm associated the group with the Russian government earlier this year.

A breakdown of the attacks

The attackers forged their emails to make them seem as if they were sent by the Ukrainian League of Industrialists and Entrepreneurs, a legitimate organization, as reported by the country’s cyber defense authorities.

The State Service for Special Communications and Information Protection (SSSCIP) stated that the emails advertised a conference set for December 5th in Kyiv, aimed at aligning Ukraine's domestic defense industry products with NATO standards.

Authorities reported that the emails contained a malicious link labeled "Attachment contains important information for your participation." When the victims clicked the link and opened the attached files, their computers were infected with malware, which gave the attackers backdoor access to sensitive information.

CERT-UA, operating under the SSSCIP, identified the attack and linked it to the UAC-0185 group, which has been active since 2022, the year Russia launched its full-scale invasion of Ukraine. Authorities reported that the group carried out other cyberattacks aimed at exploiting remote associated with defense industry networks, including members of Ukraine's armed forces.

Previously, the group's main focus was on stealing credentials from messaging platforms like Signal, Telegram, and WhatsApp, alongside targeting military systems such as DELTA, Teneta, and Kropyva.

Phishing attacks exploit human carelessness

Phishing attacks have existed since the 1990s and are among the most prolific cyberattacks to date, simply because of how easy it is for attackers to get their hands on phishing kits or write their own. It is not necessarily a sophisticated attack vector but depends mostly on the carelessness of everyday users who click on links from untrusted sources or emails outside their network.

Always remember to verify the sender by inspecting the email address and the domain it's associated with. If you are unsure, it's important to examine the email header to verify the server the email was sent from. By practicing good security hygiene, attacks like these will fail to land, no matter how authentic they may appear at first glance.
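
The header check described above can be scripted. The following Python sketch is an added example, not taken from the CERT-UA alert: it parses a raw message and flags the signs of a spoofed sender. The sample message, its domains, IP address and date are constructed placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every domain and address is a placeholder.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.25])
 by mx.recipient.example with ESMTP; Mon, 02 Dec 2024 09:14:07 +0200
Authentication-Results: mx.recipient.example;
 spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=association.example.org
From: "Industry Association" <office@association.example.org>
Reply-To: organizer@conference-desk.example.com
Subject: Conference invitation

Attachment contains important information for your participation.
"""

def domain_of(value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_sender(raw):
    """Return the visible From domain, the relaying host and a list of warnings."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    # Envelope sender and reply address: a mismatch is a signal, not proof,
    # because legitimate bulk mailers also use a different Return-Path.
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} != From domain {from_dom}")
    # SPF/DKIM/DMARC verdicts recorded by the receiving server (RFC 8601).
    auth = " ".join(msg.get_all("Authentication-Results") or [])
    if not auth:
        findings.append("no Authentication-Results header")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1).lower()}")
    # Assumption: the message was saved from your own mailbox, so the top-most
    # Received header was written by your server and names the host that connected.
    received = msg.get_all("Received") or [""]
    hop = re.search(r"from\s+(\S+)", received[0])
    return {"from_domain": from_dom, "sending_host": hop.group(1) if hop else None,
            "findings": findings}

if __name__ == "__main__":
    print(check_sender(SAMPLE))
```

Domains are compared exactly here, so a legitimate subdomain of the sender's organization will also be flagged; treat each finding as a reason to look closer before opening links or attachments.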
