Hackers-for-hire target Ukrainian notaries to manipulate state registries
Ukraine’s state cyber response team (CERT-UA) warned that hackers are targeting notaries' computers in an attempt to gain remote access and manipulate government registries.
The hacking group, identified as UAC-0173, has been distributing phishing emails since mid-January, posing as regional offices of Ukraine’s Ministry of Justice, authorities said in a report released on Tuesday.
Earlier in December, suspected Russian military intelligence hackers breached the infrastructure of Ukraine’s state registers, which are managed by the Justice Ministry, disrupting services for several weeks.
It remains unclear whether the attack on state registries is linked to or was exploited by the UAC-0173 campaign against notaries. This is not the first time the group has targeted the Ukrainian justice system. In a campaign last August, it deployed AsyncRAT malware on victims’ devices.
According to CERT-UA, the group is likely conducting the attacks for hire and receiving a financial reward from an unnamed source.
In its latest operation, UAC-0173 infected the targeted computers with DarkCrystal malware — a commercial Russian backdoor that appears to have been developed and maintained by a single person and sold predominantly on Russian underground forums since 2019.
According to previous reports, DarkCrystal is one of the cheapest commercial malware tools of its kind, costing only about $6 for a two-month subscription. The backdoor can be used for surveillance, reconnaissance, information theft and denial-of-service attacks, as well as code execution in a variety of different languages.
In the campaign against Ukrainian notaries, UAC-0173 also used various utilities to bypass security controls, scan networks, intercept authentication data, and steal credentials, the authorities said. In some cases, compromised computers were leveraged to send further waves of phishing.
Researchers said they identified affected computers in six regions and prevented unauthorized registry modifications, in some cases stopping attacks at their final stages.
Over the weekend, CERT-UA also warned of another threat actor targeting Ukrainian and foreign enterprises, including manufacturers and suppliers of automated systems used to monitor and control industrial processes.
Since July, the hacker group tracked as UAC-0212 has targeted suppliers from Serbia, Czechia and Ukraine with various malware variants, such as EmpirePast, Spark and CrookBag. Researchers believe the group is linked to the notorious Russian threat actor Sandworm.
Over the past two months, the group has also attacked several Ukrainian enterprises specializing in the design and production of equipment for drying, transporting, and storing grain.
The likely goal of these attacks was to compromise the computer networks of service providers, with the aim of further using the obtained data to hack Ukraine's critical industrial enterprises, the cyber agency said.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.