
Renewed Info Stealer Campaign Targets Ukrainian Military

CERT-UA Says Threat Actor 'Vermin' Used Syncthing Application
A U.S. HIMARS system launches ordnance during an exercise in Alaska in October 2020. (Image: U.S. Air Force)

Ukrainian cyber defenders said Russian intelligence hackers operating from the occupied Donbas city of Luhansk targeted military email inboxes with an info stealer.


The Computer Emergency Response Team of Ukraine on Thursday said a group it tracks as UAC-0020 - also known as "Vermin" - deployed a malware strain dubbed "Spectr" as part of a spear-phishing campaign.

The phishing email appears to contain password-protected information about a gun turret. An attachment contains an archive folder with three files: a decoy PDF, an executable file and a batch file. The executable contains Spectr malware bundled with a modified version of Syncthing, a legitimate open-source, peer-to-peer synchronization application. The hackers made modifications that included disabling the user notifications of Syncthing.

The malware steals documents, files, passwords and other information - including data from the victims' Telegram, Signal and Skype accounts - from the infected device while operating in the background.

The info stealer copies the exfiltrated data into a subfolder and transfers it using the file-sharing app.
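For defenders, the use of a bundled Syncthing build as the exfiltration channel suggests hunting for sync traffic from binaries outside a sanctioned install. The sketch below is an added example, not code from CERT-UA or this article: the event field names, the approved install directory and the sample events are constructed assumptions, and the ports are Syncthing's defaults, which a modified build could change.

```python
import ntpath

# Syncthing defaults: 22000 (sync protocol over TCP/QUIC), 21027/udp (local discovery).
SYNCTHING_PORTS = {("tcp", 22000), ("udp", 22000), ("udp", 21027)}
# Assumption: where an approved Syncthing install lives in this environment.
APPROVED_DIRS = ("c:\\program files\\syncthing\\",)
# Assumption: user-writable locations worth flagging when a sync client runs from them.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def score_event(ev):
    """Return the reasons a network event looks like unsanctioned sync traffic."""
    if (ev["proto"], ev["dst_port"]) not in SYNCTHING_PORTS:
        return []
    image = ev["image"].lower()
    reasons = ["syncthing-default-port"]
    if not image.startswith(APPROVED_DIRS):
        reasons.append("unapproved-install-path")
    if any(d in image for d in USER_WRITABLE):
        reasons.append("user-writable-path")
    if ntpath.basename(image) != "syncthing.exe":
        reasons.append("image-not-named-syncthing")
    return reasons

def hunt(events):
    """Map host -> sorted reasons, keeping hosts with more than the port match."""
    hits = {}
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) > 1:
            hits.setdefault(ev["host"], set()).update(reasons)
    return {host: sorted(r) for host, r in hits.items()}

# Constructed sample events; hosts and paths are illustrative, not indicators.
SAMPLE = [
    {"host": "ws-01", "image": r"C:\Users\a\AppData\Roaming\sync\sync.exe",
     "proto": "tcp", "dst_port": 22000},
    {"host": "ws-02", "image": r"C:\Program Files\Syncthing\syncthing.exe",
     "proto": "tcp", "dst_port": 22000},
    {"host": "ws-03", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "proto": "tcp", "dst_port": 443},
]

if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE).items():
        print(host, reasons)
```

A port match alone is not reported, so a sanctioned install stays quiet; only the combination with an unexpected path or image name surfaces a host for review.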

CERT-UA called the campaign "not-so-successful," dubbing it "SickSync." Ukraine said Vermin is an operation of Luhansk law enforcement agencies. That region of Ukraine operated with the support of Russian-backed paramilitaries as a breakaway state from 2014 until 2022, when Russia putatively annexed it.

Vermin's last known operation was in March 2022, when Ukrainian cyber defenders said they detected a similar campaign deploying Spectr malware.

The Russia-Ukraine war is now in its third year. Russia in May opened a new battlefront in the Kharkiv region, and the Institute for the Study of War said on Wednesday that "Russian forces are attempting to make tactically and operationally significant gains" before renewed U.S. military assistance arrives at the front line at scale. U.S. President Joe Biden in May approved Ukrainian use of artillery to strike Russian forces in Russia. The New York Times reported Wednesday that a Ukrainian member of parliament said armed forces used that permission to destroy Russian missile launchers in the Belgorod region using an American High Mobility Artillery Rocket System.


About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.



