UAC-0099 Activity Detection: Hackers Conduct Cyber-Espionage Operations Against Ukrainian State Bodies and Media Organizations
Table of contents:
Just a couple of weeks ago, CERT-UA raised awareness among the global cyber defender community about an ongoing cyber-espionage campaign targeting Ukraine and organizations in Central Asia linked to the UAC-0063 group.
In early June, CERT-UA researchers issued another alert covering the long-term cyber-espionage activity mainly exploiting the email attack vector and targeting Ukrainian government bodies and editing agencies aimed at intelligence gathering. The hacking collective behind these cyber attacks identified as UAC-0099 has been performing targeted cyber-espionage operations against Ukraine since the second half of 2022.
UAC-0099 Cyber-Espionage Activity Analysis
The latest CERT-UA#6710 alert covers the ongoing malicious activity attributed to the UAC-0099 hacking group targeting the Ukrainian government and media agencies. Throughout the period of 2022—2023, threat actors have gained unauthorized remote access to dozens of computers related to the Ukrainian organizations attempting to gather intelligence from the compromised systems.
According to the researchers, threat actors massively distribute the malicious link, executable, archive, and HTML-document files via email and messengers, which, once launched, can infect the targeted systems with the LONEPAGE malware. The latter is PowerShell-based malware that commonly applies JavaScript or VBScript code to download the “upgrade.txt” file from the remote server and later execute malicious PowerShell commands to compromise the system and submit the stolen data to the server via an HTTP POST request.
In addition, adversaries can download other malicious strains on the affected environment, such as THUMBCHOP information stealer for Chrome and Opera browsers, a CLOGFLAG keylogger, along with TOR and SSH software to create a covert service for remote access to the compromised computer. Also, at the incident response stage, CERT-UA researchers uncovered other GO-based malware samples, such as SEAGLOW and OVERJAM.
Based on the investigation, UAC-0099 hackers were also observed moving laterally from the compromised environment while scanning the local computing network, compromising privileged accounts, and gaining access to the corporate information systems.
To help organizations remediate the threat, cyber defenders recommend restricting the ability to run certain legitimate components on the users’ workstations, including wscript.exe, cscript.exe, powershell.exe, mshta.exe, which can be exploited by adversaries.
Detecting UAC-0099 Cyberespionage Campaign Covered in CERT-UA#6710 Alert
To assist organizations in detecting potentially malicious activity associated with UAC-0099 cyber-espionage activity, SOC Prime Platform for collective cyber defense offers a broad collection of relevant Sigma rules. To streamline the content search, security professionals can filter detections using corresponding custom tags “CERT-UA#6710” and ”UAC-0099” based on the CERT-UA alert and group identifier.
Hit the Explore Detections button below to reach the full list of dedicated Sigma rules detecting the latest UAC-0099 campaign. All rules are aligned with the MITRE ATT&CK® framework v12, enriched with in-depth cyber threat context, and compatible with 28+ SIEM, EDR, and XDR solutions to fit particular security needs.
SOC teams can boost their threat hunting velocity by searching for indicators of compromise associated with the UAC-0099 cyber-espionage activity with the help of Uncoder AI. Just paste the file, host, or network IOCs provided by CERT-UA into the tool and select the content type of your target query to instantly create performance-optimized IOC queries ready to run in the chosen environment.
MITRE ATT&CK Context
To review a broader context behind the latest UAC-0099 cyber-espionage attacks covered in the CERT-UA#6710 alert, all related Sigma rules are tagged with ATT&CK v12 addressing the relevant tactics and techniques:
Tactics Techniques Sigma Rule Initial Access Phishing (T1566) Defense Evasion System Script Proxy Execution (T1216) Hide Artifacts (T1564) Masquerading (T1036) System Binary Proxy Execution (T1218) Execution Command and Scripting Interpreter (T1059) Scheduled Task/Job (T1053) Discovery System Information Discovery (T1082) System Network Configuration Discovery (T1016) Persistence Boot or Logon Autostart Execution (T1547) Command and Control Ingress Tool Transfer (T1105)