Ukrainian railway, state agencies allegedly targeted by DolphinCape malware

Ukrainian government agencies and the state railway are the latest victims of a new wave of phishing attacks, Ukraine’s Computer Emergency Response Team (CERT-UA) reported last week.

The attacks involved an email campaign in which hackers sent out messages purportedly on behalf of Ukraine’s State Emergency Service with tips on how to identify a kamikaze drone, capitalizing on fears over the Russian use of Iranian-made Shahed-136 kamikaze drones to target crucial energy infrastructure in Ukraine. 

The attackers, tracked by CERT-UA as UAC-0140, used the emails to distribute the DolphinCape malware, developed with the Delphi programming language.

This malicious software collects information about the compromised computer, including hostname, username, bitrate, and OS version, runs executable files, extracts other data, and takes screenshots of the targeted device. The report is the first mention among researchers of DolphinCape.

Phishing attacks are common in Ukraine, and account for close to 60-70 percent of all cyber attacks, according to Ukraine’s top cybersecurity official Yurii Shchyhol. The main problem in preventing them, according to Shchyhol, is the lack of knowledge among government officials and ordinary citizens about how to recognize a phishing email.

The hackers behind phishing attacks often disguise themselves as representatives of government agencies, including the General Staff of the Armed Forces of Ukraine, the Security Service of Ukraine, and even CERT-UA.

Most of these attacks are not attributed to a specific hacker group, but Ukrainian security officials believe that Russian actors are behind most of the attacks.

Among their most popular targets are transport companies, government agencies, and security services, according to the data obtained by The Record. 

At least one-fifth of the Russian cyberattacks are synchronized with physical attacks, including missile strikes on Ukraine's critical infrastructure, Shchyhol told The Record. 

According to him, Ukraine expects an increase in the number of cyberattacks in the coming months, in particular on the energy infrastructure, which is already suffering from Russian missile strikes.

As of November, Russia has damaged about 40% of Ukraine's energy infrastructure, including all thermal and hydroelectric power plants. These attacks occur daily, prompting the government to impose nationwide blackouts. On Dec. 10, nearly 300,000 people were left without electricity due to Russia's drone attacks on several energy facilities in the port city of Odesa.