CERT-UA Reveals Large-Scale Cyber Attacks on Defense Enterprises: How Attackers Operate
The National Cyber Incident Response Team, CERT-UA, has identified and studied a new series of targeted cyber attacks on government agencies and defense industry enterprises.
According to the State Special Communications Service, the attacks are carried out by the group UAC-0099, which has significantly updated its tools and started using new malware. The attackers employ a multi-step attack chain aimed at data theft and gaining remote access to systems.
"The attack begins with the sending of phishing emails, which are often disguised as official documents, for example 'court summons'. The emails contain links (sometimes shortened) to a legitimate file-sharing service. Following these links initiates the download of a ZIP archive that contains a malicious HTA file. This marks the beginning of a multi-step attack," the specialists explained.
Executing the HTA file triggers VBScript code. This script creates two files on the victim's computer: one with HEX-encoded data and the other with PowerShell code. To ensure that this code runs, a scheduled task is created. In the next step, the PowerShell script decodes the data and assembles it into an executable loader file named MATCHBOIL, which then establishes its own persistence on the system through a separate scheduled task.
The primary targets of the group are Ukrainian government authorities, defense forces, and enterprises operating in the interests of the defense industry.
Ukrainian government authorities and defense industry enterprises have fallen victim to a new series of targeted cyber attacks using phishing and malware. The attacks carried out by the UAC-0099 group utilize new methods and tools for data theft and system control, posing serious threats to national cybersecurity.