CyberSecurity news
Veronika Telychko@SOC Prime Blog
The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a series of ongoing cyberattacks targeting Ukrainian state administration bodies and critical infrastructure. These attacks, attributed to the hacking group UAC-0219, have been ongoing since late 2024 and involve the use of the WRECKSTEEL PowerShell stealer to harvest data from infected computers. The attackers are distributing malware via phishing emails containing links to file-sharing platforms such as DropMeFiles and Google Drive, often disguised as research invitations or important documents like employee lists.
The multi-stage infection process begins with victims unknowingly downloading a VBScript loader from these links. Once executed, the loader deploys a PowerShell script that searches for and exfiltrates sensitive files, including documents, spreadsheets, presentations, and images. CERT-UA's analysis indicates that UAC-0219 has been refining its techniques over time. Indicators of compromise (IOCs) have been shared publicly to aid detection efforts, and CERT-UA urges organizations to remain vigilant and report any signs of compromise immediately.
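A defender-side illustration of the two-stage chain just described, added here as an example and not taken from CERT-UA or any of the cited sources: it runs a simple detection over constructed Sysmon-style process-creation events, flagging a script host (the VBScript loader stage) spawning PowerShell, and PowerShell enumerating several document and image types at once (the stealer stage). Event field names, paths and the threshold of three extensions are assumptions.

```python
from typing import Dict, List

# Constructed sample process-creation events in a simplified Sysmon-like shape;
# field names and paths are assumptions, not telemetry from the CERT-UA report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Users\u\AppData\Local\Temp\s.ps1"},
    {"host": "ws02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Date"},
    {"host": "ws03",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-ChildItem -Recurse -Include *.docx,*.xlsx,*.pptx,*.jpg"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts that run a VBScript loader
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOC_EXTENSIONS = (".doc", ".xls", ".ppt", ".pdf", ".jpg", ".png")  # assumed list


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the detection reasons that fire for one event (empty = benign)."""
    reasons: List[str] = []
    parent = basename(ev.get("parent_image", ""))
    image = basename(ev.get("image", ""))
    cmd = ev.get("command_line", "").lower()
    # Loader stage: a script host launching PowerShell.
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        reasons.append("script-host-spawns-powershell")
    # Stealer stage: PowerShell enumerating several document/image types at once.
    if image in POWERSHELL and sum(ext in cmd for ext in DOC_EXTENSIONS) >= 3:
        reasons.append("powershell-enumerates-document-types")
    return reasons


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each host with at least one firing reason to its reasons."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            hits[ev["host"]] = reasons
    return hits
```

Both rules are hunting heuristics, so tune the extension threshold and allow-list legitimate automation before alerting on them in production.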
References:
- Cyber Security News: UAC-0219 Hackers Use WRECKSTEEL PowerShell Stealer to Harvest Data from Infected Computers
- Cyber Security News: UAC-0219 Hackers Using PowerShell Stealer WRECKSTEEL to Steal Information from Computers
- SOC Prime Blog: UAC-0219 Attack Detection: A New Cyber-Espionage Campaign Using a PowerShell Stealer WRECKSTEEL
- The Hacker News: Reports Cyberattacks Targeting Ukrainian State Systems with WRECKSTEEL Malware
- The Hacker News: The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that no less than three cyber attacks were recorded against state administration bodies and critical infrastructure facilities in the country with an aim to steal sensitive data. The campaign, the agency said, involved the use of compromised email accounts to send phishing messages containing links pointing to legitimate
- gbhackers.com: In a concerning development, CERT-UA, Ukraine’s Computer Emergency Response Team, has reported a series of cyberattacks attributed to the hacker group identified as UAC-0219. These attacks, which have been ongoing since the fall of 2024, utilize an advanced PowerShell-based malware tool named WRECKSTEEL to infiltrate computers and extract sensitive data.
- securityaffairs.com: Discussion of the UAC-0219 attacks against Ukrainian state entities and critical infrastructure.
- cert.europa.eu: CERT-UA reported three cyberattacks targeting Ukraine’s state agencies and critical infrastructure to steal sensitive data.
- Matthias Schulze: CERT-UA Reports Cyberattacks Targeting Ukrainian State Systems with WRECKSTEEL Malware
- SOC Prime Blog: Gamaredon Campaign Detection: russia-backed APT Group Targets Ukraine Using LNK Files to Spread Remcos Backdoor
- www.scworld.com: Ukraine subjected to new cyberespionage campaign