Possible APT28-linked hackers target Ukraine’s scientific institutions

A new cyber-espionage campaign against Ukraine’s scientific and research institutions appears to have links to the Kremlin-backed group tracked as APT28, researchers say.

During attacks earlier in July, a group tracked as UAC-0063 used the known malware strains Hatvibe and Cherryspy, according to an analysis by Ukraine’s computer emergency response team (CERT-UA).

Cherryspy and Hatvibe were previously used by UAC-0063 in May in a cyber-espionage campaign targeting an undisclosed government agency in Ukraine. The Cherryspy backdoor allows the attacker to execute Python code received from a management server; Hatvibe can download and run other files on infected devices.

In the new analysis, researchers linked UAC-0063 with “medium confidence” to APT28, also known as Fancy Bear and BlueDelta, which is tied to Russia’s military intelligence (GRU).

Researchers initially detected activity associated with UAC-0063 in 2021, but the espionage group's origins remain unclear. In a previous report, CERT-UA said that, in addition to Ukraine, the threat actor “has also shown interest” in targeting Mongolia, Kazakhstan, Kyrgyzstan, Israel and India.

In the latest attack on an unspecified Ukrainian scientific and research institution, the hackers first obtained access to the email account of an employee, then forwarded a copy of a recently sent letter to dozens of recipients, replacing the original document attachment with a malicious one.

In June 2024, CERT-UA said it also recorded numerous cases of Hatvibe backdoor installation by exploiting a vulnerability in HFS, a web server application designed to facilitate the sharing and transfer of files over the internet via the HTTP protocol. This finding could mean that the hackers use various tactics for the initial compromise of their victims, researchers said.

In addition to Ukraine, UAC-0063 also likely targeted the defense ministry in Armenia, according to a malicious document discovered by the researchers on the VirusTotal repository.

APT28 hackers are believed to be behind several major attacks on Ukraine and its allies over the past several years. Last year, the group reportedly hacked the German Social Democratic Party.

In May, Poland said it observed a large-scale espionage campaign, likely carried out by APT28, targeting the country’s government institutions.

The Czech Ministry of Foreign Affairs said its intelligence services had been targeted by APT28, “exploiting a previously unknown vulnerability in Microsoft Outlook from 2023.”