In a recent surge of cyber-espionage activities, Ukraine’s scientific and research institutions have come under attack, with signs pointing to a group associated with the Kremlin, known as APT28. This group, also recognized by other aliases, has been linked to Russia’s military intelligence and is notorious for its sophisticated cyber operations.
The attacks, which took place earlier in July, were executed by a group identified as UAC-0063, utilizing malware strains such as Hatvibe and Cherryspy. These tools are not new to UAC-0063’s arsenal, as they were previously deployed in May during an espionage campaign against a Ukrainian government agency. The Cherryspy backdoor is particularly invasive, allowing remote execution of Python code, while Hatvibe has the capability to download and execute additional malicious files.
Researchers have connected UAC-0063 to APT28 with a moderate degree of confidence. Although little is known about where UAC-0063 originated, its activity was first observed in 2021. Beyond Ukraine, the group has shown interest in targets in several other countries across Asia and the Middle East.
In the most recent breach, the attackers compromised the email account of an employee at a Ukrainian scientific institution. From that account they sent a malicious document to a wide array of recipients, presenting it as a legitimate attachment to a letter the employee had previously sent.
Further analysis revealed that in June 2024, the Hatvibe backdoor was installed on numerous systems by exploiting a vulnerability in a web server application, indicating a diverse set of tactics for initial infiltration.
The reach of UAC-0063 extends beyond Ukraine, with potential attacks on Armenia’s defense ministry. APT28, meanwhile, has a history of high-profile cyber assaults, including last year’s hack of a major political party in Germany and recent espionage campaigns against government institutions in Poland and the Czech Republic.
