Ukrainian soldiers’ apps increasingly targeted for spying, cyber agency warns
Hackers are increasingly trying to plant data-stealing malware on messaging apps used by the Ukrainian armed forces, according to the latest report from the country’s computer emergency response team, CERT-UA.
The agency is attributing the surge to a group tracked as UAC-0184, which was spotted in February targeting an unnamed Ukrainian entity in Finland. CERT-UA does not attribute UAC-0184’s activity to any specific foreign cyberthreat group.
CERT-UA urged soldiers to be careful when using apps, noting that “any careless online activity of a serviceman (for example, posting a photo in military uniform) makes it easier for attackers to identify priority targets” for physical attacks.
The agency didn’t disclose whether the cyber-espionage attempts were successful or how many Ukrainian military personnel were affected.
According to CERT-UA’s report, UAC-0184 deploys a variety of custom and open-source malware against Ukrainian targets, including HijackLoader, to gain access to a system. A favorite tool is Remcos — legitimate remote-access software that can be abused by malicious hackers.
Other malware used by UAC-0184 over the past year, according to CERT-UA, includes ViottoKeylogger, XWorm, Tusc and Sigtop. The latter is used by hackers to export messages, attachments, and other data from the Signal app for desktop.
To trick victims into opening malicious files, hackers disguise them as fake court documents, videos from the frontlines or archives.
Before the war, Ukraine considered creating its own secure app for the military, similar to Threema in Switzerland. However, most Ukrainian soldiers are still using popular services like Telegram, Signal, Viber and WhatsApp.
Researchers have previously warned about cyberattacks carried out by Russian hackers targeting Ukraine’s military messaging apps. In a report released this week, Google-owned Mandiant said that Russia-backed Sandworm hackers established an infrastructure allowing Russian military forces to exfiltrate encrypted Telegram and Signal communications from mobile devices captured on the battlefield.
Last July, CERT-UA discovered a campaign by the Russian hacking group Turla, which targeted Ukrainian defense forces with spying malware. The threat actor’s goal was to exfiltrate files containing messages from Signal, allowing the actor to read private conversations, as well as access documents, images, and archive files on targeted systems.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.