Cyber Incident Victim: Ukrainian National Police
Date: Jun 2021
Location: Ukraine
Summary
Ukrainian authorities attributed a large-scale spear-phishing campaign against government and private-sector entities to Russian state actors. The attackers impersonated law enforcement and sent emails carrying fraudulent tax warnings with a malicious RAR archive attached; the archive deployed a disguised build of RemoteUtilities, a legitimate remote-administration tool, which gave the operators remote control of the victim's system through servers in several countries. The goal was persistent access for intelligence collection, using the same tactics as earlier 2021 campaigns. Beyond phishing, Russian-linked groups have also used other methods against Ukrainian infrastructure, including distributed denial-of-service (DDoS) attacks and the compromise of an internal government file-sharing system to distribute malware across government networks.
Description
In early June 2021, Ukrainian cybersecurity agencies, including the Security Service of Ukraine (SBU), the Cyber Police, and CERT-UA (CERT Ukraine), warned of a widespread spear-phishing campaign against government entities and private-sector organizations. The SBU attributed the operation to the "special services of the Russian Federation." The threat actors posed as representatives of the Kyiv Patrol Police Department and sent emails falsely claiming that the recipient had failed to pay local taxes, urging them to open the attached RAR archive. The archive contained an executable with a double extension (filename.pdf.exe), chosen so that a Windows host hiding known extensions displays it as a PDF document. Running it installed a modified build of RemoteUtilities, a legitimate remote access tool, which connected to command-and-control servers in Russia, Germany, and the Netherlands and gave the attackers full remote control of the compromised host for intelligence collection. Ukrainian authorities noted that the tactics matched earlier Russian-linked operations in January and March 2021; this was the third cyberattack publicly attributed to Russian actors that year.
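The two tricks the lure depends on, a document extension immediately followed by an executable one and a PE file hiding behind a document extension, are both cheap to check on the mail gateway or during triage. The following is an added example written for this page, not code published by the Ukrainian agencies or by RemoteUtilities; it assumes a zip archive because the standard library has no RAR reader (the per-member check itself is format-independent), and the file names and contents in the sample archive are constructed for illustration.

```python
"""Flag archive members that pose as documents but are Windows executables.

Added example (not from the original page). It checks the two things the
filename.pdf.exe lure relies on: a document extension followed by an
executable one, and a PE 'MZ' header behind a document extension.
zipfile stands in for RAR here; the classify() check is format-independent.
"""
import io
import zipfile
from typing import Iterable, List, NamedTuple, Optional, Tuple

DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "dll"}
PE_MAGIC = b"MZ"  # DOS header that starts every Windows PE file


class Finding(NamedTuple):
    name: str
    reason: str


def split_exts(name: str) -> List[str]:
    """Lower-cased extensions of the basename, e.g. 'a.pdf.exe' -> ['pdf', 'exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def classify(name: str, head: bytes) -> Optional[Finding]:
    """Return a Finding for a suspicious member, or None if it looks benign.

    'head' is the first few bytes of the member's content.
    """
    exts = split_exts(name)
    if not exts:
        return None
    last = exts[-1]
    # 1. Double extension: Windows hides known extensions by default, so
    #    'notice.pdf.exe' is displayed to the user as 'notice.pdf'.
    if len(exts) >= 2 and exts[-2] in DOC_EXTS and last in EXEC_EXTS:
        return Finding(name, f"double extension .{exts[-2]}.{last}")
    # 2. Content mismatch: document extension, but the bytes are a PE file.
    if last in DOC_EXTS and head.startswith(PE_MAGIC):
        return Finding(name, "PE header behind document extension")
    # 3. Any executable member is worth a look in an archive that arrived by mail.
    if last in EXEC_EXTS:
        return Finding(name, f"executable member .{last}")
    return None


def scan(entries: Iterable[Tuple[str, bytes]]) -> List[Finding]:
    """Run classify() over (name, head) pairs and keep the hits."""
    return [f for f in (classify(n, h) for n, h in entries) if f is not None]


def scan_zip(data) -> List[Finding]:
    """Walk a zip archive (bytes or file object), reading 8 bytes per member."""
    src = io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data
    entries = []
    with zipfile.ZipFile(src) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                entries.append((info.filename, fh.read(8)))
    return scan(entries)


def build_sample_zip() -> bytes:
    """Constructed sample archive mirroring the lure: one disguised PE, one real PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tax_warning.pdf.exe", PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
        zf.writestr("notice.pdf", b"%PDF-1.4\n%constructed sample\n")
        zf.writestr("docs/readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip(build_sample_zip()):
        print(f"{hit.name}: {hit.reason}")
```

The check reads only the first bytes of each member, so it can run on large attachments without extracting them to disk. It is deliberately a triage filter, not a verdict: a renamed PE that carries a benign-looking single extension the lists above do not cover will pass, and a legitimate installer will be flagged, so hits should feed a sandbox or analyst queue rather than an automatic block.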

Ukrainian agencies responded by publishing indicators of compromise (IOCs) on the SBU website and CERT-UA's Facebook page and urged organizations to check their networks for them. Because RemoteUtilities is a legitimate remote-administration product, its presence alone is not a reliable signal; defenders hunting for this campaign should look for installations nobody authorized, the double-extension dropper, and connections to the published command-and-control addresses. The incident fits a sustained pattern of cyber operations against Ukraine since Russia's 2014 invasion of eastern Ukraine, in which frequent spear-phishing campaigns serve to establish footholds for espionage. While phishing accounts for most of these attacks, Russian actors have occasionally varied their tactics: in February 2021, Ukraine's National Security and Defense Council reported that Russian state hackers had conducted DDoS attacks against government websites and compromised a government file-sharing system to distribute malicious documents internally. The June 2021 campaign underscores the persistent focus of Russian cyber operations on intelligence gathering through compromised endpoints.
