UAC-0020 (Vermin, SickSync) – Threat Actor

January 23, 2025
Reading Time: 5 mins read
in Threat Actors
UAC-0020

Other Names

Vermin, SickSync

Location

Russia

Date of initial activity

2019

Suspected Attribution 

State Sponsored Threat Group

Government Affiliation

Yes

Motivation

Cyberwarfare

Data Theft

Associated tools

SPECTR Malware, SyncThing

Software

Windows

Overview

UAC-0020, also known as Vermin, has emerged as one of the most persistent and dangerous cyber threat actors targeting Ukraine in recent years. Operating with a high level of sophistication, this group has been linked to numerous cyber espionage campaigns aimed at undermining Ukraine’s governmental and military institutions. Believed to be affiliated with the self-proclaimed Luhansk People’s Republic and likely operating under the direction of the Russian government, Vermin has played a significant role in Russia’s broader cyber warfare strategy against Ukraine. Their activities reflect a calculated effort to gather intelligence, disrupt critical infrastructure, and weaken Ukraine’s defensive capabilities through sustained cyber operations.

Since their identification in 2019, Vermin has consistently demonstrated an ability to adapt and refine their tactics, techniques, and procedures (TTPs). Their operations are marked by the deployment of the SPECTR malware, a powerful tool that has been central to their campaigns. By combining SPECTR with legitimate software like the SyncThing utility, Vermin has been able to effectively conceal their malicious activities within seemingly benign network traffic, complicating detection efforts. This blending of malicious and legitimate tools showcases Vermin’s strategic ingenuity and underscores the challenges that cybersecurity professionals face in defending against their attacks.

Common targets

Ukraine Public Administration

Attack vectors

Phishing

How they work

The Vermin hacking group, also known as UAC-0020, has been a persistent and formidable threat in the cyber warfare landscape, particularly against Ukraine. First identified in 2019, Vermin has consistently targeted Ukrainian government bodies, military organizations, and public sector entities, playing a significant role in Russia’s cyber offensive operations. The group is believed to be linked to the self-proclaimed Luhansk People’s Republic, operating under the direction of the Moscow government. Vermin’s operations are characterized by sophisticated malware campaigns, strategic use of legitimate software tools for malicious purposes, and a focus on intelligence gathering and data exfiltration. One of the most notable aspects of Vermin’s operations is their use of the SPECTR malware, a tool that has been a cornerstone of their toolkit since their early campaigns. SPECTR is a versatile and potent malware capable of conducting a wide range of malicious activities, from stealing files and credentials to capturing screenshots and executing additional payloads. Vermin has leveraged this malware in multiple spear-phishing campaigns, often targeting high-profile Ukrainian entities. These campaigns typically begin with a well-crafted phishing email containing a password-protected archive, which, when executed, deploys SPECTR alongside other legitimate software components to evade detection. In addition to SPECTR, Vermin has also utilized the SyncThing utility, a legitimate tool designed for peer-to-peer file synchronization, as part of their data exfiltration strategy. By integrating SyncThing with their malware, Vermin can establish a covert channel to siphon off sensitive data from compromised systems. This tactic not only allows the group to efficiently steal large volumes of data but also helps them remain under the radar by blending their activities with legitimate network traffic. 
The use of such dual-purpose tools highlights Vermin’s ability to adapt and evolve, making them a challenging adversary for cybersecurity defenders. The resurgence of Vermin in recent years, particularly with their SickSync campaign targeting the Armed Forces of Ukraine, underscores the ongoing threat posed by this group. Their operations are not just limited to data theft; they are part of a broader cyber warfare strategy aimed at weakening Ukraine’s defense and governance structures. The sophistication of Vermin’s techniques, combined with their strategic alignment with Russian state objectives, makes them a significant player in the geopolitical cyber conflict. As the cyber landscape continues to evolve, so too will the tactics and tools employed by Vermin, necessitating constant vigilance and advanced cybersecurity measures to counter their threats.

MITRE Tactics and Techniques

Initial Access
  • T1566.001 – Spearphishing Attachment: Vermin uses spear-phishing emails with malicious attachments to gain initial access to targeted systems. These emails often contain password-protected archives that deploy the SPECTR malware upon execution.

Execution
  • T1204.002 – User Execution: Malicious File: The group relies on user interaction to execute malicious files, often disguised as legitimate documents or applications.
  • T1059.005 – Command and Scripting Interpreter: Visual Basic: Vermin utilizes scripting, particularly Visual Basic, to automate tasks and execute additional payloads.
  • T1059.001 – Command and Scripting Interpreter: PowerShell: In some campaigns, Vermin has been known to leverage PowerShell for script execution to achieve persistence or further exploit systems.

Persistence
  • T1053.005 – Scheduled Task/Job: Scheduled Task: To maintain access to compromised systems, Vermin may create scheduled tasks that execute malware at regular intervals.

Privilege Escalation
  • T1055 – Process Injection: Vermin employs techniques to inject malicious code into legitimate processes, which can help escalate privileges or evade detection.

Defense Evasion
  • T1562.001 – Impair Defenses: Disable or Modify Tools: Vermin is known to modify or disable security tools and features to avoid detection.
  • T1070.004 – Indicator Removal on Host: File Deletion: The group often deletes logs and other artifacts to cover their tracks on compromised systems.

Credential Access
  • T1003 – OS Credential Dumping: Vermin uses tools and techniques to extract credentials from compromised systems, aiding in lateral movement or further exploitation.

Discovery
  • T1083 – File and Directory Discovery: The group searches for files and directories of interest on the targeted system, particularly those containing sensitive information.

Collection
  • T1005 – Data from Local System: Vermin collects data from the local system, including documents, credentials, and other sensitive information.
  • T1119 – Automated Collection: They automate the collection process, particularly through tools like SPECTR that harvest information continuously.

Exfiltration
  • T1020 – Automated Exfiltration: Vermin uses the SyncThing utility to exfiltrate collected data to their own systems, leveraging legitimate software for stealthy data transfer.
  • T1048 – Exfiltration Over Alternative Protocol: They may also exfiltrate data using non-standard protocols to avoid detection by traditional security measures.

Command and Control (C2)
  • T1071 – Application Layer Protocol: Vermin uses standard application layer protocols, including HTTP/HTTPS, to communicate with their command and control servers.
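As an added illustration (not code from this page, from CERT-UA, or from the Syncthing project), the following Python detection pass covers the tradecraft described under "How they work" and under T1020 above: a Syncthing binary launched on a host where it is not sanctioned, from a user-writable path or by a script host, plus outbound connections to Syncthing's default ports. The event format, the host allow-list and the sample telemetry are assumptions constructed for the example; the port numbers are Syncthing's documented defaults, not values from the profile.

```python
import re
from dataclasses import dataclass
# Syncthing's documented defaults (properties of the tool, not taken from the
# profile above): TCP 22000 sync traffic, UDP 21027 local discovery, 8384 web GUI.
SYNCTHING_PORTS = {22000, 21027, 8384}
# Assumed allow-list of hosts where Syncthing is sanctioned (constructed).
APPROVED_HOSTS = {"fileserver01"}
# Script interpreters matching the profile's T1059.001 / T1059.005 entries.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)

@dataclass
class Finding:
    host: str
    reason: str
    evidence: str

def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value | key=value' event line into a dict."""
    return dict(kv.strip().split("=", 1) for kv in line.split(" | "))

def analyze(lines):
    """Flag Syncthing process launches and default-port traffic on non-approved hosts."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        host, image, kind = ev.get("host", "?"), ev.get("image", ""), ev.get("event")
        if host in APPROVED_HOSTS:
            continue  # sanctioned Syncthing deployments are not findings
        if kind == "ProcessCreate" and "syncthing" in image.lower():
            reasons = ["syncthing started on non-approved host"]
            if USER_WRITABLE.search(image):
                reasons.append("binary in user-writable path")
            if ev.get("parent", "").lower() in SCRIPT_HOSTS:
                reasons.append("spawned by script host")
            findings.append(Finding(host, "; ".join(reasons), image))
        elif kind == "NetworkConnect" and int(ev.get("dport", 0)) in SYNCTHING_PORTS:
            findings.append(Finding(host, f"outbound to Syncthing default port {ev['dport']}",
                                    f"{image} -> {ev.get('dst', '?')}"))
    return findings

# Constructed sample telemetry (not real indicators; TEST-NET addresses).
SAMPLE_LOGS = [
    "event=ProcessCreate | host=ws-17 | image=C:\\Users\\olena\\AppData\\Local\\st\\syncthing.exe | parent=wscript.exe",
    "event=ProcessCreate | host=ws-17 | image=C:\\Windows\\System32\\notepad.exe | parent=explorer.exe",
    "event=NetworkConnect | host=ws-17 | image=C:\\Users\\olena\\AppData\\Local\\st\\syncthing.exe | dst=203.0.113.10 | dport=22000",
    "event=NetworkConnect | host=ws-02 | image=C:\\Program Files\\Mozilla Firefox\\firefox.exe | dst=198.51.100.5 | dport=443",
    "event=ProcessCreate | host=fileserver01 | image=C:\\Program Files\\Syncthing\\syncthing.exe | parent=services.exe",
]
```

Running `analyze(SAMPLE_LOGS)` yields two findings for ws-17 (the script-launched binary in AppData and its connection to port 22000) and nothing for the sanctioned file server; in practice the allow-list would be fed from asset inventory and the port check paired with TLS-certificate or JA3 matching, since the binary name is trivially renamed.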
Tags: Government, Phishing, Russia, SickSync, SPECTR, Threat Actors, UAC-0020, Ukraine, Vermin