UAC-0050 Attack Detection: russia-Backed APT Performs Cyber Espionage, Financial Crimes, and Disinformation Operations Against Ukraine

[post-views]
October 16, 2024 · 4 min read
UAC-0050 Attack Detection: russia-Backed APT Performs Cyber Espionage, Financial Crimes, and Disinformation Operations Against Ukraine

The UAC-0050 hacking collective notorious for its long-standing offensive operations against Ukraine steps back into the cyber threat arena. CERT-UA researchers have long been investigating the group’s activity, which primarily focuses on three key directions, including cyber espionage and financial theft, along with information and psychological operations tracked under the “Fire Cells Group” brand. Financially motivated cyber crimes, which have been recently observed, are also affiliated with the UAC-0006 hacking group.

Detect UAC-0050 Offensive Operations 

As cyber-attacks by russia-affiliated hacking collectives against Ukrainian entities become more frequent and sophisticated, organizations need reliable detection resources to proactively defend against potential intrusions. The growing threats attributed to UAC-0050 and in collaboration with UAC-0006 primarily centered on cyber espionage, financial gain, and other cyber offensive activities against Ukraine also require increased vigilance and ultra-responsiveness from defenders. SOC Prime Platform for collective cyber defense equips security teams with the entire detection stack to proactively thwart cyber attacks covered in the related CERT-UA research.

Click the Explore Detections button below to reach the dedicated collection of Sigma rules mapped to the MITRE ATT&CK® framework, enriched with tailored intelligence, and convertible to 30+ SIEM, EDR, and Data Lake language formats. 

Explore Detections

Security engineers can also reach more detection content from SOC Prime Platform to thwart cyber attacks linked to the above-mentioned adversary activity by using relevant “UAC-0050” and “UAC-0006” tags. 

In addition, cyber defenders can rely on Uncoder AI to instantly hunt for file, network, or host IOCs related to the UAC-0050 and UAC-0006 activity provided in the corresponding CERT-UA alert. Paste IOCs to Uncoder AI and automatically convert them into custom performance-optimized hunting queries ready to run in your SIEM or EDR environment.

Use Uncoder AI to search for IOCs related to UAC-0050 activity based on CERT-UA research

UAC-0050 Attack Analysis Linked to the “Fire Cells Group” Branding

UAC-0050 is a russia-linked hacking group active since 2020, primarily targeting Ukrainian state bodies. They have been using phishing campaigns to distribute Remcos RAT malware, often posing as the Security Service of Ukraine and sending emails with malicious attachments. In addition to Remcos RAT, the group has been leveraging Quasar RAT and Remote Utilities in their campaigns against Ukraine and its allies. 

CERT-UA has recently issued new research observing UAC-0050 offensive operations, mainly focused on cyber espionage, financially-motivated threats, and the group’s cyber activity known under the “Fire Cells Group” brand. Throughout September and October 2024, UAC-0050 attempted at least 30 cases of unauthorized access to accountants’ computers, using REMCOS/TEKTONITRMS software to steal funds from Ukrainian companies and individual entrepreneurs. These attacks involved creating or falsifying financial transactions through remote banking systems. The timeframe for thefts ranged from several days to just a few hours after the initial compromise. UAC-0050 and another hacking collective tracked as UAC-0006, which has been active since 2013, are primarily involved in these thefts. In most cases, the stolen funds are converted into cryptocurrency. The UAC-0006 group has been notorious for operations motivated by financial gain, displaying common behavior patterns like accessing remote banking services, stealing authentication credentials, and executing unauthorized payments.

The ability to finance their own criminal operations enables UAC-0050 and UAC-0006 hackers to intensify cyber-attacks and purchase various tools, including licensed software, to carry out further threats. This explains their use of a wide range of programs, such as REMCOS, TEKTONITRMS, MEDUZASTEALER, LUMMASTEALER, XENORAT, SECTOPRAT, MARSSTEALER, and DARKTRACKRAT, among others.

Additionally, it has been identified that information and psychological operations carried out under the “Fire Cells Group” brand, such as false bomb threats, contract killings, or threats to property, are also part of UAC-0050’s activity.

To mitigate UAC-0050 attacks, financial institution clients are advised to implement technical methods to verify payment actions, including using additional authentication through a mobile app. For accountants using remote banking systems, CERT-UA recommends refraining from financial transactions until additional payment authentication is enabled, ensuring software restriction policies, like SRP/AppLocker, are enabled, and using protective software. To help organizations timely thwart cyber-espionage operations, financially driven threats, and other attacks of any sophistication, SOC Prime curates a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection, ensuring proactive defense. 

MITRE ATT&CK Context

Leveraging MITRE ATT&CK gains detailed insight into the context of the most offensive operations associated with UAC-0050 and covered in the recent CERT-UA report. Refer to the table below to view the comprehensive set of dedicated Sigma rules addressing the corresponding ATT&CK tactics, techniques, and sub-techniques.

Tactics 

Techniques

Sigma Rule

Initial Access

Phishing: Spearphishing Attachment

(T1566.001)

Execution

Exploitation for Client Execution (T1203)

User Execution: Malicious Link (T1204.001)

User Execution: Malicious File (T1204.002)

Command and Scripting Interpreter: PowerShell (T1059.001)

Command and Scripting Interpreter: Windows Command Shell

(T1059.003)

Command and Scripting Interpreter: Visual Basic (T1059.005)

Persistence

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)

Defense Evasion

Deobfuscate/Decode Files or Information (T1140)

Hide Artifacts: Hidden Window (T1564.003)

Lateral Movement 

Remote Services: SMB/Windows Admin Shares (T1021.002)

Command and Control 

Ingress Tool Transfer (T1105)

Remote Access Software (T1219)

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts