Menu
Browse

Cyber Threat Actor: Industrial Spy

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Crime Syndicate
China
6 incidents
Profile

Industrial Spy,also tracked as UAC-0063, is a threat actor whose known aliases include Industrial Spy and UAC-0063 and whose activity has been linked to operators based in China. The group pursues both espionage and financial goals, conducting intelligence‑gathering operations against government targets while also deploying ransomware and selling stolen data on a Tor‑based extortion marketplace. Its victims span multiple sectors, including government agencies, technology transfer organizations, pharmaceutical companies, and third‑party suppliers that support critical infrastructure such as energy providers. Geographic focus has been observed in Eastern Europe, particularly Ukraine, as well as interests noted in Israel, India, Kazakhstan, Kyrgyzstan and Mongolia, with additional activity reported in France and Italy.

Initial access frequently involves compromised trusted accounts, exemplified by the use of a hijacked Embassy of Tajikistan email address to deliver malicious messages to a Ukrainian government entity. Once inside, the actor employs a suite of custom malware that includes LOGPIE, a keylogger capturing keystrokes; CHERRYSPY, a backdoor that executes Python code received from a command‑and‑control server; and STILLARCH, a tool designed to locate and exfiltrate files. In financially motivated intrusions the group deploys ransomware to encrypt victim systems and simultaneously threatens to auction the stolen data on its Tor marketplace unless a payment is made. To hinder analysis, the actor protects its binaries with obfuscation tools such as PyArmor and Themida, which guard against reverse engineering and unauthorized modification. Public website defacement has also been used as a pressure tactic, where the gang alters a victim’s corporate site to display a ransom note and announce the data theft.

In April 2023 the actor conducted a cyber‑espionage campaign against an undisclosed Ukrainian government agency, delivering LOGPIE, CHERRYSPY and STILLARCH via the compromised Tajikistan embassy email and demonstrating continued interest in targets across Israel, India, Kazakhstan, Kyrgyzstan and Mongolia. June 2022 saw a ransomware operation against the French technology transfer organization SATT Sud-Est, during which 200 GB of data were exfiltrated, ransomware was deployed, and the victim’s public website was defaced to show a ransom note threatening to sell the data for $500 000. Earlier in 2022 the group targeted the Italian supplier Network Contacts SpA, a third‑party provider to Enel, resulting in the theft of personal data including names, tax identifiers, addresses and contact information. February 2022 featured an attempted data‑extortion incident involving Novartis, where the actor offered 7.7 MB of allegedly stolen RNA and DNA‑related documents on its Tor marketplace, although the company asserted that no sensitive data had been compromised.

Incidents
Attributed incidents available to members
6 incidents
Sources
Sources available to members
4 sources