Menu
Browse

Compromised Ukrainian Military Cyber Group

Aliases: 2 aliases
Primary URL Location Industry
Undetermined
Country Ukraine
Defense Icon
Defense
Profile

The organisation’s primary method involves exploiting compromised email accounts belonging to Ukrainian military personnel. These compromised accounts are used to send phishing messages to European government officials who manage refugee assistance programmes originating from Ukraine. The phishing emails contain macro‑laden Excel attachments that, when opened, execute malicious code. The malicious code deployed is the SunSeed malware, a Lua‑based downloader designed to establish persistence on the victim’s system. After establishing persistence, SunSeed beacons to attacker‑controlled command‑and‑control infrastructure to retrieve additional payloads. The campaign was observed on 2022-02-24, as detailed in a Proofpoint threat‑intelligence blog post.

Analysis indicates the activity is likely state‑sponsored and aligns with the tactics of the threat actor tracked as TA445, which operates from Belarus. TA445 has historically conducted disinformation operations that exploit refugee movements to undermine NATO cohesion. The specific campaign aimed to gather intelligence on transportation, funding, and population flows related to the refugee crisis. By obtaining such data, the actors seek to support hybrid warfare objectives, including exacerbating anti‑refugee sentiment among European populations. Another stated goal of the operation is to weaken Western support for Ukraine through the gathered intelligence and resulting influence efforts. The organisation is headquartered in Ukraine, according to the provided aliases and HQ location information. No further details about the organisation’s size, revenue, formal structure, or parent/subsidiary relationships are disclosed in the source material.

Incidents
Linked incidents available to members
1 incident