Cyber Incident Victim: Ssu Gov
Date: Jun 2021
Location: Ukraine
Summary
Ukrainian government entities and private sector organizations were targeted in a spear-phishing campaign attributed to Russian threat actors, in which emails impersonating law enforcement delivered malicious RAR archives containing executables disguised as PDF documents. The payload installed a modified remote access tool that opened command-and-control connections to servers in several countries, giving the attackers full control of compromised systems for intelligence collection. The operation reused tactics seen in earlier attacks on Ukraine, including the abuse of compromised internal systems to distribute malware. The incident fits a broader pattern of operations that combine phishing, distributed denial-of-service attacks, and exploitation of government infrastructure to gain access to Ukrainian networks.
Description
In early June 2021, Ukrainian cybersecurity agencies identified a large-scale spear-phishing campaign targeting government entities and private sector organizations. The Security Service of Ukraine (SSU), the Cyber Police, and CERT-UA jointly issued alerts attributing the operation to Russian threat actors affiliated with the "special services of the Russian Federation." The attackers impersonated the Kyiv Patrol Police Department, sending fraudulent emails alleging unpaid local taxes to pressure recipients into opening the attachment. Each email carried a RAR archive containing an executable disguised as a PDF document through a double extension (filename.pdf.exe); because Windows Explorer hides known file extensions by default, such a file is displayed simply as filename.pdf. Running the file installed a modified build of the RemoteUtilities remote access software, which established persistent connections to command-and-control servers in Russia, Germany, and the Netherlands. This gave the attackers full remote control of the compromised systems and a foothold for intelligence collection. The campaign was the third publicly attributed Russian cyber operation against Ukraine that year, following incidents in January and March 2021 that used comparable phishing tactics.
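The lure described above (a RAR archive whose member is named filename.pdf.exe and is really a PE executable) can be caught at the mail gateway or on an analyst's workstation before anyone double-clicks it. The script below is an added example, not code from the incident report or from any of the agencies named on this page. It checks each archive member for the document-plus-executable double extension and cross-checks the claimed extension against the file's first bytes, so a file named invoice.pdf that begins with a PE header is also flagged. Because the Python standard library has no RAR reader, the example builds a constructed ZIP archive in memory as a stand-in; the same loop works unchanged over a RAR file using the third-party rarfile package, whose RarFile object mirrors the zipfile interface. The sample file names and contents are constructed for the example and are not indicators from the campaign.

```python
"""Flag double-extension and extension-spoofed executables in an archive attachment."""
from __future__ import annotations

import io
import re
import zipfile

# Extensions Windows will execute on double-click. A name whose last
# extension is one of these, preceded by a "document" extension, is the
# filename.pdf.exe lure used in the June 2021 campaign.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "hta", "msi", "dll", "cpl"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                 "rtf", "jpg", "jpeg", "png"}

# Matches the last two extensions of a file name, e.g. ".pdf.exe".
DOUBLE_EXT = re.compile(r"\.(?P<decoy>[a-z0-9]{1,5})\.(?P<real>[a-z0-9]{1,4})$", re.I)


def classify_member(name: str, head: bytes) -> list[str]:
    """Return a list of findings for one archive member.

    name: the member's path inside the archive.
    head: the first few bytes of the member's content (8 is enough here).
    """
    findings: list[str] = []
    base = name.rsplit("/", 1)[-1]
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""

    # 1. Name-based check: document extension followed by an executable one.
    m = DOUBLE_EXT.search(base)
    if (m and m.group("decoy").lower() in DOCUMENT_EXTS
            and m.group("real").lower() in EXECUTABLE_EXTS):
        findings.append(
            f"double extension: displays as .{m.group('decoy').lower()} "
            f"with known extensions hidden, executes as .{m.group('real').lower()}")

    # 2. Content-based checks: the first bytes must agree with the name.
    is_pe = head.startswith(b"MZ")  # DOS/PE image header
    if is_pe and ext not in EXECUTABLE_EXTS:
        findings.append(f"PE header in a file named .{ext or '(none)'}")
    if ext == "pdf" and not head.startswith(b"%PDF"):
        findings.append("named .pdf but content lacks the %PDF magic")

    # 3. Any executable at all inside a mailed archive deserves a look.
    if is_pe or ext in EXECUTABLE_EXTS:
        findings.append("executable content in an e-mail attachment")
    return findings


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Scan every file in a ZIP archive held in memory; return members with findings."""
    results: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # magic bytes only; no need to inflate the whole file
            findings = classify_member(info.filename, head)
            if findings:
                results[info.filename] = findings
    return results


def build_sample_archive() -> bytes:
    """Constructed sample attachment: one lure, one spoofed PDF, one real PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tax notice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # the lure
        zf.writestr("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60)         # PE named as a PDF
        zf.writestr("receipt.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")       # genuine PDF header
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_archive(build_sample_archive()).items():
        print(member)
        for hit in hits:
            print("  -", hit)
```

The magic-byte check is what makes this more than a filename filter: renaming the payload to invoice.pdf and relying on a vulnerable reader, or shipping it as a .scr instead of a .exe, still trips the PE-header test. Nested or password-protected archives defeat the scan as written and should be quarantined rather than passed through.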

Ukrainian authorities responded by publishing technical indicators of compromise (IOCs) through official channels, including the SSU website and CERT-UA's Facebook page, and urged organizations to scan their networks for signs of infiltration. The agencies noted operational parallels to earlier Russian activity, including the February 2021 DDoS attacks against government websites and the Gamaredon group's compromise of a government file-sharing system earlier that year. The incident continued a pattern of sustained cyber aggression dating to Russia's 2014 invasion of eastern Ukraine, which has included high-profile attacks such as NotPetya, the Bad Rabbit ransomware, and power grid disruptions, alongside hundreds of smaller operations. Most of those operations resembled this campaign: short-duration email operations seeking an intelligence foothold. Russian actors have, however, periodically shifted between phishing, DDoS, and supply-chain compromises against Ukrainian infrastructure.
