Date: Apr 2023

Location: Ukraine

Summary

A cyber-espionage campaign targeted an undisclosed Ukrainian government agency using a compromised email account from the Embassy of Tajikistan. The threat actor, UAC-0063, deployed malicious software including the LOGPIE keylogger, the CHERRYSPY backdoor, and the STILLARCH file exfiltration tool to gather intelligence. The group also showed interest in targeting Israel, India, Kazakhstan, Kyrgyzstan, and Mongolia, using obfuscation tools to complicate analysis of their activities.


Description

On or around April 18, 2023, Ukraine's computer emergency response team, CERT-UA, publicly disclosed a cyber-espionage campaign that had successfully targeted an undisclosed government agency within Ukraine. The threat actor responsible is tracked by researchers as UAC-0063. While this specific incident was detected in April 2023, activity associated with the actor had been observed as far back as 2021. The origins of the UAC-0063 group remain unclear and were not attributed in the disclosure. The stated goal of its attacks, according to CERT-UA, is the gathering of intelligence.


The attack vector for this most recent campaign involved the use of a compromised email account. The hackers gained access to an email account belonging to the Embassy of Tajikistan in Ukraine. They then utilized this compromised diplomatic account to send a malicious email to the Ukrainian government agency. This method provided a layer of legitimacy to the communication, making it more likely to be trusted by the recipient. The content of the email was crafted as a deceptive invitation. It claimed to be an invitation to a supposed meeting with the embassy, masking its true malicious intent.

The actual purpose of the email was to infect the recipient's system with a suite of malicious programs. The CERT-UA team analyzed these tools and provided specific labels for them. One component deployed was identified as LOGPIE, which functions as a keylogger. This malware is designed to capture and log every keystroke made by the user on the compromised machine. This includes the theft of sensitive information such as passwords, usernames, personal messages, and any other data entered via the keyboard. The exfiltration of such data provides attackers with credentials and intelligence directly from the user.

A second malicious tool deployed in this campaign was labeled CHERRYSPY. This program acts as a backdoor on the compromised system. Its primary function is to execute Python code that it receives from a remote management server controlled by the attackers. This capability allows the threat actors to issue new commands post-infection, adapt their tactics, and maintain persistent access to the victim's environment. It provides a flexible tool for conducting further espionage activities directly on the network.

The third malware component used was identified as STILLARCH. This tool is used for reconnaissance and data theft within the compromised system. Its purpose is to find specific files of interest on the victim's machine and then exfiltrate them back to the attackers' command and control infrastructure. This allows UAC-0063 to systematically search for and steal documents and other intelligence materials that align with their espionage objectives.

To increase the sophistication of their attack and to hinder defensive efforts, the hackers employed additional software tools designed to protect their malicious code: PyArmor and Themida. These are commercial tools used to protect programs from reverse engineering, unauthorized access, and code theft. In the context of this cyberattack, their purpose was to obfuscate the malicious code, making it more difficult for security researchers and antivirus programs to analyze the malware, understand its functionality, and develop signatures for detection. This step was taken explicitly to make the attacks more difficult to investigate and attribute.

The scope of the threat actor's interests extended beyond the single Ukrainian government agency. According to the CERT-UA report, UAC-0063 “has also shown interest” in targeting other countries. These countries include Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India. This indicates that the campaign was part of a broader espionage effort with a multi-national focus, though the specific incidents in these other countries were not detailed in the disclosure.

In response to the discovery of this campaign, CERT-UA provided specific technical advice aimed at minimizing the impact of attacks from this group. The recommended response actions focused on application restriction policies. Organizations were advised to restrict users’ execution of several specific Windows utilities and applications. These included the Windows utility "mshta.exe," as well as the Windows Script Host applications "wscript.exe" and "cscript.exe." Furthermore, the advisory recommended restricting the execution of the Python interpreter, which is central to the operation of the CHERRYSPY backdoor. These restrictions are designed to disrupt the execution chain used by the malware, thereby preventing infection or limiting its spread.
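The following is an added example of how the restriction policy described above could be expressed as an AppLocker rule set; it is not CERT-UA's guidance or code from the original report. It assumes a Windows edition that supports AppLocker with the Application Identity service running, and it assumes two common Python install locations (system-wide under Program Files and per-user under AppData), which are placeholders to adjust for the local estate. Rule GUIDs are generated at run time; the policy is written in audit-only mode first so that the blocks it would produce can be reviewed in the AppLocker event log before enforcement.

```powershell
# Added example (not from CERT-UA or the original page): an AppLocker policy that
# denies execution of the utilities named in the advisory (mshta.exe, wscript.exe,
# cscript.exe) and the Python interpreter. Run from an elevated PowerShell session.
# Python paths below are ASSUMPTIONS about where the interpreter is installed.

$policyPath = Join-Path $env:TEMP 'uac-0063-restrictions.xml'

# Targets to deny. %SYSTEM32% and the SysWOW64 copies are both covered because
# both exist on 64-bit Windows. Path rules only match the listed locations;
# publisher rules (see Get-AppLockerFileInformation) are more robust if feasible.
$denyTargets = @(
    @{ Name = 'mshta.exe (System32)';    Path = '%SYSTEM32%\mshta.exe' },
    @{ Name = 'mshta.exe (SysWOW64)';    Path = '%WINDIR%\SysWOW64\mshta.exe' },
    @{ Name = 'wscript.exe (System32)';  Path = '%SYSTEM32%\wscript.exe' },
    @{ Name = 'wscript.exe (SysWOW64)';  Path = '%WINDIR%\SysWOW64\wscript.exe' },
    @{ Name = 'cscript.exe (System32)';  Path = '%SYSTEM32%\cscript.exe' },
    @{ Name = 'cscript.exe (SysWOW64)';  Path = '%WINDIR%\SysWOW64\cscript.exe' },
    # Assumed Python locations: system-wide and per-user installs
    @{ Name = 'python.exe (Program Files)'; Path = '%PROGRAMFILES%\Python*\python.exe' },
    @{ Name = 'python.exe (per-user)';      Path = '%OSDRIVE%\Users\*\AppData\Local\Programs\Python\*\python.exe' }
)

# Builds one Deny rule for Everyone (S-1-1-0). Deny rules always take precedence
# over Allow rules, so this also applies to administrators; narrow the SID
# (for example to BUILTIN\Users, S-1-5-32-545) if admins need these tools.
function New-DenyRuleXml {
    param([string]$Name, [string]$Path)
    $id = [guid]::NewGuid().ToString()
    @"
    <FilePathRule Id="$id" Name="Deny Everyone: $Name" Description="UAC-0063 mitigation" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# Once a rule collection is enforced, anything not matched by an Allow rule is
# blocked, so the standard default Allow rules are included to avoid breaking
# the machine: Everyone may run from Program Files and Windows, Administrators
# may run anything.
$allowRules = @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Everyone: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Everyone: Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators: all files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
"@

$denyRules = ($denyTargets | ForEach-Object { New-DenyRuleXml -Name $_.Name -Path $_.Path }) -join "`n"

# AuditOnly logs what would be blocked (AppLocker event ID 8003) without
# enforcing; switch to "Enabled" after reviewing those events.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$allowRules
$denyRules
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: confirm the policy yields a "Denied" decision for each utility
# before it is applied anywhere.
foreach ($exe in 'mshta.exe', 'wscript.exe', 'cscript.exe') {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path (Join-Path $env:SystemRoot "System32\$exe") -User Everyone
}

# Merge into the local policy; deploy via Group Policy for a fleet. Because Deny
# wins over Allow, merging never loosens rules that are already in place.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

The dry run with Test-AppLockerPolicy is the step worth keeping in any change ticket: its PolicyDecision column shows Denied for the listed binaries and AllowedByDefaultRule for ordinary system executables, which is the quickest way to confirm that the deny rules landed without the default allow rules being lost. Because CHERRYSPY depends on a Python interpreter being present, the per-user Python path is the one most likely to need adjustment; under enforcement it would also be blocked by the absence of an Allow rule for the user profile, which is the same mechanism the default rules rely on.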

This incident was noted as one of several cyber-espionage campaigns being tracked by cybersecurity researchers that are aimed at Ukraine. For context, the disclosure referenced another campaign from February of the same year. In that earlier incident, analysts at Symantec reported that a separate group labeled as Nodaria or UAC-0056 was using malware known as Graphiron against targets in Ukraine. The existence of multiple simultaneous espionage campaigns highlights a persistent and ongoing threat environment targeting Ukrainian entities. The consequence of the UAC-0063 campaign was the potential compromise of sensitive information from a government agency, fulfilling the actor's intelligence-gathering objective. The use of a compromised diplomatic email account also represents a significant abuse of trust and demonstrates a tactic that could undermine diplomatic communications channels. The full extent of the data exfiltrated was not disclosed.
