Cyber Incident Victim: Computer Emergency Response Team of Ukraine
Date: Jun 2021
Location: Ukraine
Summary
Ukrainian cybersecurity agencies warned of a massive Russian-linked spear-phishing campaign targeting government and private entities, with attackers posing as law enforcement to deliver tax-themed emails containing malicious RAR archives. These archives deployed a disguised executable installing modified RemoteUtilities software, enabling foreign intelligence services to gain full remote control over compromised systems through command servers in Russia, Germany, and the Netherlands. Officials urged network scans using published indicators of compromise and noted similarities to earlier campaigns, while also highlighting Russia's broader pattern of cyber aggression—including DDoS attacks and breaches of government file-sharing systems to distribute malicious documents internally.
| CIA Posture | Motives | Tactics, Techniques & Procedures | Threat Actor | Type | Location |
|---|---|---|---|---|---|
| Members only | 2 motives | 1 technique | 1 actor | Members only | Members only |
Description
In early June 2021, Ukrainian cybersecurity agencies—including the Ukrainian Secret Service (SBU), Cyber Police, and CERT Ukraine—issued warnings about a large-scale spear-phishing campaign targeting government entities and private organizations. The operation involved threat actors impersonating representatives of the Kyiv Patrol Police Department, sending emails alleging recipients had failed to pay local taxes. These emails contained a RAR archive attachment that, when decompressed, released an executable file (filename.pdf.exe) disguised as a PDF document. Execution of this file deployed a modified version of RemoteUtilities, a legitimate remote access tool, which established connections to command-and-control servers in Russia, Germany, and the Netherlands. The SBU attributed the campaign to Russian state actors, specifically identifying involvement by "special services of the Russian Federation," marking the third publicly attributed Russian cyber operation against Ukraine that year. The malware provided attackers with full remote control over compromised systems, enabling intelligence collection. CERT Ukraine and SBU published indicators of compromise (IOCs) on their official website and Facebook channel, urging organizations to scan networks for signs of infiltration.
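The lure described above relies on a classic disguise: an archive member named like a document but ending in an executable extension (`filename.pdf.exe`), which Windows Explorer renders as a PDF when "hide extensions for known file types" is on. The following is an added example, not code published by CERT-UA or the SBU, showing how a mail gateway or triage script can flag that pattern before the archive reaches a user. It generalises slightly beyond the page by also catching the related right-to-left-override naming trick. The sample archive, member names and the "IOC" hash set are constructed for illustration; the real indicators were published by CERT Ukraine and are not reproduced here. A ZIP container stands in for the RAR attachment because the standard library cannot read RAR; the name and hash checks are the same for any archive lister.

```python
"""Flag archive members that hide an executable behind a document extension.

Added example for this incident entry; not CERT-UA or SBU code.  Everything
below (archive contents, hashes, IOC list) is constructed for illustration.
"""
from __future__ import annotations

import hashlib
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows runs on double-click (representative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "dll", "ps1", "lnk"}
# Extensions a recipient expects to open as a harmless document or image.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}

RLO = "\u202e"  # Unicode right-to-left override, used to visually reverse a suffix


@dataclass
class Finding:
    member: str
    reason: str


def is_disguised_executable(name: str) -> bool:
    """True for names such as ``tax_notice.pdf.exe``.

    Only the final path component is inspected.  Matching is case-insensitive
    because NTFS is, and trailing spaces/dots are stripped because the Windows
    shell silently drops them when resolving a name.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
    parts = base.lower().split(".")
    if len(parts) < 3:          # need <stem>.<doc ext>.<exec ext> at minimum
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def scan_archive(data: bytes, known_bad_sha256: set[str]) -> list[Finding]:
    """Walk every file member and report name tricks and IOC hash matches."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if is_disguised_executable(info.filename):
                findings.append(Finding(info.filename,
                                        "document extension hides an executable"))
            if RLO in info.filename:
                findings.append(Finding(info.filename,
                                        "right-to-left override in member name"))
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            if digest in known_bad_sha256:
                findings.append(Finding(info.filename,
                                        f"sha256 matches published IOC {digest[:12]}..."))
    return findings


FAKE_PE = b"MZ" + b"\x00" * 62   # constructed stand-in for the dropper binary


def build_sample_archive() -> bytes:
    """Constructed archive modelled on the tax-notice lure (ZIP in place of RAR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tax_notice.pdf.exe", FAKE_PE)
        zf.writestr("readme.txt", b"Please review the attached notice.")
    return buf.getvalue()


# Placeholder IOC set: the hash of the constructed stub, NOT the real indicators.
PLACEHOLDER_IOC_HASHES = {hashlib.sha256(FAKE_PE).hexdigest()}


if __name__ == "__main__":
    for f in scan_archive(build_sample_archive(), PLACEHOLDER_IOC_HASHES):
        print(f"{f.member}: {f.reason}")
```

In production the hash set would be loaded from the published IOC list and the scan run on every archive attachment at the gateway; a hit on the name check alone is enough to quarantine, since no legitimate sender needs a `.pdf.exe` file.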

This incident followed a pattern of sustained cyber operations against Ukraine since Russia’s 2014 invasion of eastern territories. While high-profile attacks like NotPetya, Bad Rabbit, and power grid disruptions received global attention, Ukrainian officials noted that smaller-scale spear-phishing campaigns—such as this June 2021 operation—represented the most frequent threat vector. CERT Ukraine highlighted similarities between this campaign and earlier attacks in January and March 2021, all aimed at establishing footholds for espionage. Russian actors occasionally diversified tactics beyond phishing; in February 2021, Ukraine’s National Security and Defense Council reported Russian state-backed DDoS attacks against government websites, followed by the Gamaredon group’s compromise of a government file-sharing system to distribute malicious documents internally. The SBU’s public attribution reinforced Ukraine’s consistent stance of linking such cyber activities to Russian intelligence services amid ongoing geopolitical tensions.
