Ukraine’s Computer Emergency Response Team (CERT-UA) has reported at least three cyberattacks targeting government bodies and critical infrastructure. These attacks, linked to a group named UAC-0219, aimed to steal sensitive data using phishing tactics. The phishing emails contained links to legitimate file-sharing services like DropMeFiles and Google Drive, which led to the download of malicious scripts. Once executed, the scripts harvested text documents, PDFs, images, and captured screenshots from infected systems.
The cyberattacks were launched through compromised email accounts, and the attackers used social engineering tactics to induce urgency. One such tactic falsely claimed that a Ukrainian government agency would cut salaries and provided a link to a list of affected employees. This link led to the download of a Visual Basic Script (VBS) loader and a PowerShell script designed to collect files and capture screenshots. CERT-UA has dubbed the malicious payload “Wrecksteel.”
The attack campaign, active since fall 2024, evolved from earlier versions that used EXE binaries and image editor software, such as IrfanView, for exploitation. The malware campaign was not directly attributed to any country, but it is consistent with the tactics of Russian-linked cyber threat groups. It follows a pattern observed in previous espionage campaigns targeting Ukraine’s government and critical infrastructure.
In addition to these attacks, other Russian-backed cyber groups, such as Gamaredon, have continued their efforts against Ukraine’s defense and infrastructure. These campaigns employ various malware families, including sLoad and Remcos RAT, which focus on espionage and financially motivated attacks. Ukraine’s ongoing conflict with Russia has made its critical infrastructure a prominent target for such cyberattacks, including a recent attack on the Ukrainian railway system, which was described as an “act of terrorism.”
