UAC-0212 Attack Detection: Hackers Linked to UAC-0002 aka Sandworm APT Subcluster Launch Targeted Attacks Against the Ukrainian Critical Infrastructure 

In Q1 2024, defenders uncovered destructive cyberattacks against the information and communication technology systems (ICT) of approximately 20 organizations in the critical infrastructure sector across 10 regions of Ukraine. CERT-UA has been observing this activity tracked as a separate threat cluster, UAC-0133, which, with a high level of confidence, is linked to a nefarious russia-afiliated state-sponsored UAC-0002 cyber-espionage group also known as Sandworm or APT44. 

Detect UAC-0212 Attacks Linked to Sandworm APT Subcluster

The increasing surge of offensive campaigns targeting Ukraine and its allies continues to shape the evolving cyber threat landscape, with russian state-backed hackers frequently using Ukraine as a testing ground to refine their tactics before launching them on a global level. 

SOC Prime Platform for collective cyber defense equips security professionals with a set of curated detection algorithms to proactively withstand UAC-0212 aka Sandworm or APT44 attacks against the critical infrastructure of Ukraine and potentially posing threats to organizations in other countries as per the latest CERT-UA#13702 alert. Click the Explore Detections button to drill down to the lists of relevant Sigma rules, enriched with actionable CTI and comprehensive metadata, including attack timelines, false-positive rates, and audit configuration suggestions. All detections are also fully compatible with top-tier SIEM, EDR, and Data Lake technologies to facilitate cross-platform threat detection.

Explore Detections

For more detection content against related malicious activity associated with the notorious russia-linked cyber-espionage collective known under diverse monikers and identifiers, apply the following tags (“UAC-0002,” “UAC-0133,” “Sandworm,” “APT44,” or “Seashell Blizzard”) to streamline your search across SOC Prime Platform.

Organizations can also minimize the risks of intrusions by hunting for related UAC-0212 threats with performance-optimized queries convertible from the relevant IOCs from the latest CERT-UA alert via Uncoder AI. 

UAC-0212 Attack Analysis: Activity Linked to Sandworm APT 

On February 23, 2025, on the brink of third year anniversary of russia’s full-scale invasion of Ukraine, CERT-UA researchers issued a new alert CERT-UA#13702 warning cyber defenders of the escalating risks of intrusions linked to the UAC-0212 group. According to the investigation, in early 2024, adversaries were planning to launch destructive cyber-attacks against the information and communication technology systems of roughly 20 Ukrainian organizations in the energy, water, and heat supply sectors across multiple regions. To track this activity, researchers identified a dedicated threat cluster, UAC-0133, which is highly likely linked to russia’s notorious GRU-affiliated hacking collective known as (Sandworm, APT44, UAC-0002, or Seashell Blizzard). In mid-spring 2024, CERT-UA issued the corresponding alert uncovering the evidence of a planned cyber-sabotage aimed at disrupting the ICT systems of critical infrastructure organizations across Ukraine. 

Since the second half of 2024, adversaries have been experimenting with a different set of TTPs, including PDF documents containing links sent to victims. Clicking the link, combined with the exploitation of CVE-2024-38213, triggered the download of an LNK file (with a “pdf.lnk” extension) onto the compromised system. Executing the file ran a PowerShell command, which not only downloaded and displayed a decoy document but also fetched, ensured persistence (via the Run registry key), and executed EXE/DLL files.

Among the offensive tools, the UAC-0212 group takes advantage of SECONDBEST / EMPIREPAST, SPARK malware, and CROOKBAG, a GoLang-based loader. Additionally, in several cases, attackers employed RSYNC to enable prolonged document exfiltration.

Based on the analysis of multiple interlinked campaigns conducted between mid-summer 2024 and February 2025, the Sandworm APT subcluster expanded its activity beyond Ukraine. For instance, adversaries launched targeted attacks against supplier companies in Serbia and Czechia, with a broader geographical scope overall. Notably, in August 2024 alone, UAC-0212 compromised at least one dozen Ukrainian logistics companies. Between January 2025 and February 20, 2025, adversaries conducted malicious operations against Ukrainian companies specializing in the design and manufacture of equipment for drying, transporting, and storing grain, along with offensive campaigns against 25+ Ukrainian enterprises engaged in the development of automated process control systems and electrical installation services.

At the initial attack stage, adversaries impersonate potential clients, engage in email correspondence with the victim, and strive to persuade them to open a malicious PDF file disguised as “technical documentation.” This activity tracked as UAC-0212, which is considered a subcluster of UAC-0002, indicates a clear intent to infiltrate the service providers’ networks. The ultimate objective is to leverage the acquired data to compromise the ICT systems of critical infrastructure and essential service enterprises.

Defenders notify organizations of the complex risks behind the group’s intrusions since, within just a few hours of the initial compromise, attackers move laterally across the network and establish persistence on vulnerable servers, active network equipment, or users’ automated workstations.

MITRE ATT&CK® Context

Leveraging MITRE ATT&CK provides granular visibility into the context of offensive operations attributed to UAC-0212. Explore the table below to see the full list of dedicated Sigma rules addressing the corresponding ATT&CK tactics, techniques, and sub-techniques.