
Cyber Incident Victim: ICTV

Date: Mar 2022

Location: Ukraine

Summary

A cyberespionage group known as UAC-0056 targeted a Ukrainian private TV channel with spear-phishing emails carrying macro-embedded Excel documents, deploying a multi-stage malware chain. The attack began with an Elephant Dropper that downloaded subsequent payloads, including an Elephant Downloader for persistence and an Elephant Implant (GrimPlant backdoor) providing encrypted C2 communication via gRPC. The final payload, Elephant Client (GraphSteel), exfiltrated sensitive data by stealing credentials from browsers, Wi-Fi networks, credential managers, email accounts, PuTTY sessions, and FileZilla configurations. The threat actor used stolen Microsoft certificates and encoded strings throughout the attack, and its historical ties to disruptive wiper attacks against Ukrainian entities indicate broader disruptive intent alongside espionage objectives.


Description

The cyberespionage group UAC-0056, also tracked as SaintBear, UNC2589, and TA471, conducted a multi-stage malware campaign targeting Ukrainian entities, including the private television channel ICTV, between March 23 and 28, 2022. Attackers distributed spear-phishing emails with subjects referencing "wage arrears" and macro-embedded Excel attachments that appeared to address salary payment issues. When opened, the document executed a hidden macro that extracted and deployed an initial payload named "base-update.exe" to the victim's Temp directory, using code adapted from public Excel file-embedding techniques. This executable, identified as the Elephant Dropper, was written in Go and signed with a stolen Microsoft certificate. The dropper created a directory under "C:\Users\{user}\.java-sdk" and downloaded a Base64-encoded secondary payload named "java-sdk.exe" from attacker-controlled infrastructure.


The subsequent Elephant Downloader payload established persistence through registry auto-run keys and retrieved two additional components: oracle-java.exe (Elephant Implant/GrimPlant backdoor) and microsoft-cortana.exe (Elephant Client/GraphSteel stealer). The implant used gRPC with embedded TLS certificates to communicate with command-and-control servers on port 80, collecting system identifiers via the MachineID library along with OS data including hostname, CPU count, and the public IP address obtained from api.ipify.org. The final-stage GraphSteel payload exfiltrated Base64-encoded system profiles before harvesting credentials from browsers, Wi-Fi networks, Windows Credential Manager, email clients, PuTTY sessions, and FileZilla configurations. This campaign represented an evolution of UAC-0056's tactics, shifting away from the fake translation software and URL-based payload delivery observed in prior operations. The group had previously deployed WhisperGate wiper malware against Ukrainian government systems in January 2022 and was linked to March 2022 attacks using GrimPlant and Cobalt Strike Beacon against state organizations.
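As an added defender-side example (not part of this incident record), the triage below checks auto-run entries for the persistence artifacts described above: the stage binary names and the per-user `.java-sdk` staging directory. The entries are constructed sample data shaped like Run-key values (name to command line); the function and variable names are the example's own.

```python
"""Triage auto-run entries for the Elephant chain's persistence artifacts."""
from __future__ import annotations
from pathlib import PureWindowsPath

# Stage binary names reported in the incident description.
ELEPHANT_BINARIES = {
    "base-update.exe", "java-sdk.exe", "oracle-java.exe", "microsoft-cortana.exe",
}
# Directory the dropper created under the user profile (C:\Users\{user}\.java-sdk).
STAGING_DIR = ".java-sdk"

# Constructed sample: auto-run value name -> command line. Not real telemetry.
SAMPLE_AUTORUNS = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "java-sdk": r'"C:\Users\alice\.java-sdk\java-sdk.exe"',
    "JavaUpdate": r'C:\Users\alice\.java-sdk\helper.exe',
    "SecurityHealth": r'C:\Windows\system32\SecurityHealthSystray.exe',
}

def image_path(command: str) -> PureWindowsPath:
    """Extract the executable path from a Run-key command line.
    Quoted paths are honoured; an unquoted path is cut at its first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return PureWindowsPath(command[1:end] if end > 0 else command[1:])
    return PureWindowsPath(command.split(" ", 1)[0])

def is_suspicious_autorun(command: str) -> tuple[bool, str]:
    """Return (flagged, reason) for one auto-run command line."""
    path = image_path(command)
    name = path.name.lower()
    parts = [p.lower() for p in path.parts]
    if name in ELEPHANT_BINARIES:
        return True, f"known Elephant stage binary: {name}"
    # Any executable launched from a .java-sdk folder under a user profile is
    # flagged even if renamed: the staging location itself is the indicator.
    if STAGING_DIR in parts and "users" in parts:
        return True, f"executable staged in a user-profile {STAGING_DIR} directory"
    return False, ""

def triage_autoruns(entries: dict[str, str]) -> list[tuple[str, str]]:
    """Return (value name, reason) for every flagged auto-run entry."""
    hits = []
    for value_name, command in entries.items():
        flagged, reason = is_suspicious_autorun(command)
        if flagged:
            hits.append((value_name, reason))
    return hits

if __name__ == "__main__":
    for value_name, reason in triage_autoruns(SAMPLE_AUTORUNS):
        print(f"[!] {value_name}: {reason}")
```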
