Cyber Incident Victim: Ukrainian DELTA situational awareness program
Date: Dec 2022
Location: Ukraine
Summary
A compromised Ukrainian Ministry of Defense email account distributed phishing messages to users of the DELTA situational awareness system, masquerading as certificate update warnings containing malicious links. The campaign delivered a ZIP archive with an executable that deployed two obfuscated malware components: one stealing documents and emails via FTP, and another harvesting credentials and browsing data. The information-stealing operation targeted military personnel using the real-time intelligence platform, leveraging VMProtect to evade detection, though the threat actors remained unattributed by Ukraine's CERT.
Description
On or around December 16, 2022, Ukraine's Computer Emergency Response Team (CERT-UA) documented a cyberattack targeting users of the DELTA military situational awareness program. Attackers compromised a Ukrainian Ministry of Defense email account to distribute phishing emails and instant messages containing malicious links. These messages impersonated legitimate certificate update notifications, directing recipients to a PDF document with instructions to download a file named "certificates_rootCA.zip." Upon extraction, victims executed "certificates_rootCA.exe," which deployed two obfuscated malicious DLLs: "FileInfo.dll" and "procsys.dll." The former, identified as 'FateGrab,' functioned as an FTP-based stealer targeting documents and email data, while the latter, 'StealDeal,' harvested browsing histories, saved passwords, and other sensitive system information. Both components utilized VMProtect obfuscation to hinder detection and analysis. The campaign specifically sought to compromise systems used by military personnel interacting with DELTA, a critical real-time intelligence platform integrating battlefield data onto digital maps for operational coordination.

DELTA, developed by Ukraine with allied support, aggregates multi-source intelligence for tactical decision-making across desktop and mobile devices. The phishing scheme exploited routine maintenance procedures—certificate updates—to legitimize its lures. CERT-UA's investigation confirmed the malware's information-stealing objectives but could not attribute the attack to a known threat actor. The incident exposed credentials, operational documents, and communications data from compromised DELTA-user systems, potentially undermining situational awareness capabilities during active conflict. No remediation actions by Ukrainian authorities were detailed in the report beyond the public disclosure and advisory to military personnel regarding the phishing campaign. The use of compromised official channels increased the attack's perceived legitimacy, amplifying risks to targeted users.
