The Computer Emergency Response Team of Ukraine (CERT-UA) has identified a series of targeted cyber attacks against Ukrainian defense companies and security forces. The attacks are attributed to UAC-0185 (also known as UNC4221), a Russian-linked threat group operational since 2022.
The attackers sent phishing emails disguised as communications from the Ukrainian League of Industrialists and Entrepreneurs, inviting recipients to a fictitious conference in Kyiv on aligning defense-industry products with NATO standards.
The attack chain begins when a victim clicks a malicious URL in the email, which triggers the following sequence:
– Downloads a Windows shortcut (.lnk) file
– Executes an HTML Application (.hta) containing JavaScript
– Runs PowerShell commands that fetch and deliver the payload
– Installs a MeshAgent binary (the agent of the open-source MeshCentral remote-management tool) to give the attackers remote control of the system
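As an added illustration of how a defender might look for this lineage in endpoint telemetry (this is example code written for this page, not CERT-UA's or Mandiant's detection logic, and the event records below are constructed, not real campaign data), the following Python correlates process-creation events into parent/child chains and flags any chain that passes through mshta.exe launched with an .hta argument, then PowerShell, then a MeshAgent process. The field names mirror Sysmon Event ID 1 (pid, parent pid, image path, command line); the exact process names and argument forms used in the campaign are not given above, so the matching rules are assumptions about how such a chain typically appears in logs. The match is a subsequence rather than an exact path so that intermediate processes such as cmd.exe or conhost.exe do not break the detection, and a benign MeshAgent install from an interactive PowerShell session is included to show that it is not flagged.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # command line of the new process


def stage_of(ev: ProcEvent) -> Optional[str]:
    """Map a process to the stage of the described chain it matches, if any.
    Assumed indicators: mshta.exe with an .hta argument, any PowerShell host,
    and a process whose image or command line names MeshAgent."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    cmd = ev.cmdline.lower()
    if name == "mshta.exe" and ".hta" in cmd:
        return "hta"            # HTML Application launched via the shortcut
    if name in ("powershell.exe", "pwsh.exe"):
        return "powershell"     # PowerShell stage that delivers the payload
    if name == "meshagent.exe" or "meshagent" in cmd:
        return "meshagent"      # remote-management agent as final payload
    return None


def lineage(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent pointers from ev up to the root; returned root first."""
    chain, seen, cur = [ev], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return list(reversed(chain))


def contains_in_order(seq: List[str], pattern: List[str]) -> bool:
    """True if every element of pattern appears in seq, in order, not
    necessarily adjacent (ordered-subsequence test)."""
    it = iter(seq)
    return all(any(s == p for s in it) for p in pattern)


EXPECTED_STAGES = ["hta", "powershell", "meshagent"]


def detect_chain(events: List[ProcEvent]) -> List[List[int]]:
    """Return root-to-leaf PID lists for every lineage that ends in a
    MeshAgent process and whose ancestors include mshta.exe (with an .hta
    argument) followed by PowerShell, in that order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if stage_of(ev) != "meshagent":
            continue
        chain = lineage(ev, by_pid)
        stages = [s for s in (stage_of(e) for e in chain) if s is not None]
        if contains_in_order(stages, EXPECTED_STAGES):
            hits.append([e.pid for e in chain])
    return hits


# Constructed sample telemetry (not real campaign data): one malicious
# lineage from a user's Explorer session, plus a benign administrator
# installing the same agent from an interactive PowerShell session.
SAMPLE_EVENTS = [
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\user\Downloads\conference.hta"),
    ProcEvent(1200, 1100,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden"),
    ProcEvent(1300, 1200, r"C:\Users\user\AppData\Local\Temp\MeshAgent.exe",
              "MeshAgent.exe"),
    # benign lineage: no mshta.exe stage, so it must not be flagged
    ProcEvent(2000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2100, 2000,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    ProcEvent(2200, 2100, r"C:\Program Files\Mesh Agent\MeshAgent.exe",
              "MeshAgent.exe"),
]

if __name__ == "__main__":
    for chain in detect_chain(SAMPLE_EVENTS):
        print("suspicious lineage (PIDs root->leaf):", chain)
```

Run as-is it reports only the first lineage (PIDs 1000, 1100, 1200, 1300). In production the same logic would key on the full process tree from the EDR rather than a flat list, and a second rule on mshta.exe fetching remote content would catch variants that never reach the agent stage.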
The primary objectives of these attacks include:
– Credential theft from messaging platforms (Signal, Telegram, WhatsApp)
– Unauthorized access to military systems (DELTA, Teneta, Kropyva)
– Infiltration of defense company networks
According to Mandiant’s research, UNC4221 specializes in collecting battlefield intelligence through:
– Android malware deployment
– Phishing operations mimicking Ukrainian military applications
– Targeted attacks on popular messaging platforms
The campaign represents a significant threat to Ukraine’s defense infrastructure and military communications systems.