Ukraine tracks emailed bomb threats to Russia-linked group
A hacker group tracked as UAC-0050 may be behind a recent large-scale information campaign targeting Ukrainian institutions with emails warning of a terrorist attack.
In a report released this week, Ukraine’s computer emergency response team (CERT-UA) linked UAC-0050 to a psychological operation with the name Fire Cells Group. The campaign included emails claiming that bombs were planted inside Ukrainian institutions.
Among the targets were nearly 60 Ukrainian embassies around the world, as well as media outlets and state agencies. Their employees were forced to evacuate or suspend services while police searched for alleged explosive devices. According to the investigation, all alerts were false and were likely part of Russian intelligence agencies’ hybrid war against Ukraine.
European authorities warned earlier this month about similar Russian efforts to destabilize institutions across the continent.
Nearly 2,000 Ukrainian organizations received bomb threats this week — most of them originating from Russian IP addresses, the police reported.
In an example of a Fire Cells Group email published by CERT-UA, the operation claimed to have planted explosives at several locations in Ukraine and blamed journalists from the local branch of Radio Free Europe/Radio Liberty (RFE/RL) for inspiring the attack.
Although the emails do not specify why RFE/RL angered the group, the U.S. government-funded media outlet stated that the latest threats followed an investigation by three of its reporters about how Russian intelligence services recruit Ukrainians, including minors, to set fire to the cars of Ukrainian military personnel and representatives of conscription centers.
#Ukraine: Emails threatening a terrorist attack were sent to hundreds of Ukrainian media outlets, organizations, and institutions, prompting evacuations. Emails specifically named @RFERL journalists #IrynaSysak, @ValeriaEgoshyna, and freelancer #YuliaKhymeryk, blaming their… pic.twitter.com/QYutMioRjs
— #WomenInJournalism (@CFWIJ) October 15, 2024
“We will not be intimidated and stand behind our reporters, who will continue to bring news to Ukrainian audiences without fear or favor,” said Stephen Capus, president of RFE/RL.
On its Telegram channel, which has nearly 10,000 followers, Fire Cells Group had spread calls to burn cars belonging to Ukrainian personnel — including images of the results of previous arson attacks. The channel offered $100 to those who agreed to participate in future operations, according to RFE/RL.
In other examples of Fire Cells Group’s emails shared by CERT-UA, the threat actor offered to “kill for a fee” top security officials and public figures. Ukrainian security officials said that the goal of this campaign was to “destabilize” the situation in Ukraine.
Recorded Future News reached out to CERT-UA to request more details about UAC-0050's link to the recent bomb threat campaign but had not received a comment at the time of writing.
What is UAC-0050?
According to the CERT-UA report, Fire Cells Group is just a fraction of UAC-0050's activity. This threat actor has been active since at least 2020, targeting government agencies not only in Ukraine but also in the Baltic states and Russia.
The group’s other objectives include cyberespionage and financial theft. Over the past two months, UAC-0050 has made at least 30 attempts to steal money from Ukrainian enterprises, gaining access to their systems using a surveillance tool called Remcos.
“The ability to fund their own criminal activities has led to an increase in the group’s cyberattacks,” CERT-UA stated, adding that the hackers could use the stolen money to purchase licensed and unlicensed software, including Remcos, MeduzaStealer, LummaStealer, XemoRat, DarktrackRat, and others.
UAC-0050 has also improved its cyberespionage techniques over time, becoming more efficient and stealthy, according to a recent report by the cybersecurity firm Uptycs. The group primarily targets Ukrainian government agencies to steal their secrets, mostly using phishing emails disguised as job offers or requests from law enforcement to gain initial access to targeted systems.
“The group's activities pose an undeniable risk, especially to government sectors reliant on Windows systems,” researchers warned.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.