Cyber Incident Victim: KP in Ukraine
Date: Feb 2023
Location: Ukraine
Summary
A phishing campaign targeted Ukrainian government agencies using emails disguised as payment reminders from a telecommunications provider, distributing malicious attachments containing Remcos surveillance software. The UAC-0050 threat actor, active since 2020 and previously linked to attacks involving Remote Utilities software, sought to deploy the remote access tool—marketed legitimately but weaponized here—to compromise systems. Successful installation would enable credential theft, remote control, and additional malware deployment, aligning with suspected espionage objectives against the government. The attack leveraged a large executable file hidden within an archive, though the operational success and specific agencies affected were not disclosed.
Description
In early February 2023, Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed a phishing campaign targeting Ukrainian government agencies involving the deployment of Remcos surveillance software. Attackers impersonating Ukrtelecom, a major Ukrainian internet service provider, sent fraudulent emails containing malicious attachments disguised as payment reminders for telecommunications services. The emails included archive files housing an executable exceeding 600MB in size, which installed the Remcos remote access tool upon execution. CERT-UA attributed this activity to a threat group designated UAC-0050, noting the group’s consistent targeting of Ukrainian government entities since 2020 and its historical use of Remote Utilities software in prior operations. While the specific agencies targeted were not disclosed, CERT-UA assessed the campaign’s likely objective as espionage, given the focus on governmental infrastructure. The agency did not confirm whether the attackers successfully compromised systems or exfiltrated data through this specific operation.

Remcos, developed by German firm Breaking Security, is marketed as a legitimate remote administration tool for Windows systems, offering features like remote control, credential harvesting, and additional malware deployment. Its commercial availability has led to frequent abuse by threat actors, who typically embed it within malicious archives disguised as invoices or financial documents. Historical examples include phishing campaigns distributing Remcos through Excel files masquerading as bank payment notifications, which exploited macros to bypass security warnings. In this incident, the large executable file size may have been intended to evade detection mechanisms. Successful installation would grant attackers persistent access to compromised systems, enabling surveillance, data theft, and potential lateral movement within networks. CERT-UA’s public alert served as the primary documented response, advising vigilance against the campaign but without detailing specific mitigation measures or technical indicators provided to affected entities. The incident underscored the ongoing blending of commercial software into cyberespionage operations against Ukrainian critical infrastructure.
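The oversized-executable detail above suggests a cheap check a mail gateway or triage script can run before any attachment is extracted: an archive's central directory already records each entry's uncompressed and compressed sizes, and a binary inflated with padding to exceed scanner size limits compresses to a tiny fraction of its declared size. The following is an added example, not code from CERT-UA or from this page; the file names, thresholds and sample sizes are constructed assumptions (the sample is padded to a few megabytes rather than the 600 MB reported, and the size threshold should be tuned to the limits of the scanner actually in use).

```python
import io
import zipfile

# Extensions treated as executable content (assumption; extend for your environment).
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def inspect_archive(zip_bytes, size_threshold=100 * 1024 * 1024, ratio_threshold=50.0):
    """Flag executable entries that are oversized or implausibly compressible.

    Reads only the ZIP central directory, so nothing is extracted or executed.
    size_threshold: uncompressed size (bytes) above which an executable is suspicious
                    (assumption: set near your AV/sandbox scanning limit).
    ratio_threshold: uncompressed/compressed ratio above which padding is suspected
                     (real code rarely deflates beyond ~2-4:1; null padding reaches ~1000:1).
    Returns a list of findings, one dict per suspicious entry.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if info.is_dir() or not name.endswith(EXEC_EXTENSIONS):
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            reasons = []
            if info.file_size >= size_threshold:
                reasons.append("oversized executable (%d bytes)" % info.file_size)
            if ratio >= ratio_threshold:
                reasons.append("compression ratio %.0f:1 suggests padding" % ratio)
            if reasons:
                findings.append({
                    "name": info.filename,
                    "size": info.file_size,
                    "compressed": info.compress_size,
                    "ratio": round(ratio, 1),
                    "reasons": reasons,
                })
    return findings


def build_sample_archive(pad_bytes=8 * 1024 * 1024):
    """Constructed sample archive: a small byte stub followed by null padding.

    This is a test fixture only; the stub is not a valid program. With pad_bytes=0 it
    models a normal small attachment, with padding it models an inflated binary.
    """
    stub = b"MZ" + bytes(range(256)) * 4
    payload = stub + b"\x00" * pad_bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payment_reminder.exe", payload)  # constructed lure-style name
        zf.writestr("readme.txt", b"constructed benign text file")
    return buf.getvalue()


if __name__ == "__main__":
    # Lower the size threshold so the scaled-down sample trips both rules.
    for finding in inspect_archive(build_sample_archive(), size_threshold=1024 * 1024):
        print(finding["name"], finding["size"], finding["compressed"], finding["ratio"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The ratio rule is the more durable of the two: a size limit can be sidestepped by an attacker who learns it, whereas padding that does not compress well would defeat its own purpose of staying small on the wire. Either finding should route the message to sandbox detonation rather than block outright, since large legitimate installers do occur.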
