Hackers are pretending to be drone companies and state agencies to spy on Ukrainian victims
Hackers are impersonating Ukrainian drone manufacturers and state agencies to infect targeted systems with information-stealing malware, according to new government research.
The targets of these attacks include Ukraine’s armed forces, law enforcement agencies and local government bodies — especially those near the country’s eastern border, which is close to Russia.
Ukraine’s computer emergency response team (CERT-UA), which has been tracking this activity since February, has not attributed the campaign to any known hacker group. It tracks the threat actor behind it as UAC-0226.
To infect their targets, the hackers sent emails with malicious document attachments from compromised accounts, including webmail. The file names or subject lines of these emails often referenced topics like landmine clearance, administrative fines, drone production, or compensation for destroyed property.
As of April, the hackers have deployed two types of malware against their targets. One is a script based on code publicly available in a GitHub repository. The second, named GiftedCrook, is designed to steal browser data — such as cookies, history and saved passwords — from Chrome, Edge and Firefox. The stolen data is then compressed and sent to Telegram for exfiltration, according to CERT-UA.
Researchers have not provided many details about the attacks but have included examples of phishing emails, including one that lists pictures of drones allegedly offered for sale and another that looks like a schedule for demining in one of Ukraine’s cities.
CERT-UA recently reported discovering at least three cyberattacks in March targeting Ukrainian government agencies and critical infrastructure with new spying malware dubbed Wrecksteel.
In that campaign, the hackers used compromised accounts to send messages containing links to public file-sharing services, such as DropMeFiles and Google Drive. When opened, the links executed a PowerShell script, enabling attackers to extract text documents, PDFs, images and presentations, as well as take screenshots from infected devices.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.