Military operations software in Ukraine was hit by Russian hackers

Hackers targeted software critical to Ukraine’s military efforts with information-stealing malware, Ukraine’s Computer Emergency Response Team (CERT-UA) reported last week.

The attackers sent messages in mid-December from a hacked email address belonging to a Ukraine Ministry of Defense employee to users of the program, which is called Delta. CERT-UA publicized the incident a few days later, on December 18. 

Military commanders and soldiers have access to the platform, which is the “eyes” of the Ukrainian armed forces. It collects data on everything happening on the ground, in the sea, in the air, in space, and in cyberspace using drones, satellite images, electronic warfare systems, or surveillance cameras.

The hackers’ messages included fake warnings to update digital certificates commonly used for encryption and authentication.

The malicious emails contained a PDF document instructing users to upload a ZIP archive with digitally signed executable files protected by VMProtect, a Russian-made security software. 

Each step simulated the certificate installation process but actually infected victim computers with two malware strains — FateGrab and StealDeal, which steal documents, emails and internet browsing data.

“Enemy hackers constantly attack the system and its users,” said the spokesperson of the innovation department at the Ministry of Defense. She asked not to mention her name for security reasons. “It proves the system’s popularity and demand among the military, and the danger it poses to the enemy.”

This was, however, the first social engineering attack on the system, when hackers gain the trust of their targets and trick them into making security mistakes or giving away sensitive information. 

“We respond immediately to user compromises, so this incident has been detained in the preparation stage,” the innovation department’s spokesperson told The Record.

Information in Delta’s system is constantly updated, helping the military to make quick decisions on the battlefield. The system reportedly helped Ukraine to sink Russian flagship Moskva worth nearly $750 million, according to Forbes.

This latest cyberattack on Delta took place last week when Ukraine presented the system at NATO headquarters, according to a spokesperson of the innovation department.

In a previous attack in August, Russian attackers created a phishing site imitating Delta and obtained the data of one of the users who logged into the fake system, one of Delta's developers told The Record.

Kremlin-backed threat actors also hacked the personal Instagram page of Valerii Zaluzhny, head of Ukraine's armed forces, where they announced the Delta hack early in November.

The hackers gained only limited access to information at Delta, but Russian propaganda used the incident to spread news about the system’s “security failures.”

According to Delta developers, cybersecurity is their priority.

The system has multi-level protection against cyberattacks. For example, system developers who have access to users' personal data must regularly pass a polygraph test. The system also has protocols for recognizing patterns of suspicious behavior. Ukraine’s international partners regularly check the system for vulnerabilities, the innovation department’s spokesperson told The Record.

Correction: Due to an editing error, an earlier version of this story said the military operations software was breached when it was only targeted by hackers.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.