Recent investigations have uncovered the involvement of former Conti cybercrime group members in multiple campaigns targeting Ukraine from April through August 2022. According to Google’s Threat Analysis Group (TAG), these cyber operations reflect a strategic continuation of prior attacks against the Eastern European nation amidst the ongoing Russo-Ukrainian conflict.
The TAG report builds upon earlier findings that highlighted ongoing cyber threats aimed at Ukraine, emphasizing a pronounced increase in activity by the cybercriminal faction identified as UAC-0098. This group has historically facilitated the deployment of the IcedID banking trojan, which has paved the way for human-operated ransomware incidents, as detailed by TAG researcher Pierre-Marc Bureau.
The primary targets of these cyberattacks have been Ukrainian governmental entities, humanitarian organizations, and various sectors within critical infrastructure. Reports indicate a notable shift in focus toward compromising Ukrainian organizations, demonstrating a stark evolution in tactics employed by UAC-0098.
UAC-0098 is believed to have acted as an initial access broker for ransomware groups such as Quantum and Conti, the latter being notably prominent in early 2022. This collaboration underlines a trend in which financially motivated cybercriminals increasingly align their activities with geopolitical dynamics, particularly in regions experiencing conflict.
Notably, one of the significant campaigns unfolded in June 2022, wherein the group exploited the Follina vulnerability (CVE-2022-30190) within Windows to deploy malware such as CrescentImp and Cobalt Strike onto targeted media and critical infrastructure entities. These operations were not isolated; they formed part of a broader strategy initiated in late April 2022, which included email phishing campaigns aimed at distributing the AnchorMail variant—a sophisticated TrickBot implant using SMTP for command-and-control functions.
Subsequent phishing campaigns targeted Ukrainian organizations across various sectors, including hospitality, using lures that impersonated the National Cyber Police of Ukraine and well-known figures such as Elon Musk, the latter in connection with StarLink. Such lures facilitated the infiltration of organizations already under pressure from the ongoing geopolitical tensions.
Mid-May saw UAC-0098 leveraging a compromised account from a hotel in India to disseminate malware-laden attachments to Ukrainian hospitality businesses. This tactic eventually evolved to target humanitarian NGOs based in Italy, showcasing the group’s expansive reach and adaptability to exploit vulnerabilities created by the ongoing conflict.
Cyberattacks have also been directed towards technology, retail, and government sectors, using the IcedID binary disguised as a Microsoft update to facilitate infections. Though post-compromise actions remain unidentified, the initial access vectors employed align with tactics listed in the MITRE ATT&CK Matrix, specifically involving initial access via phishing and exploitation of known vulnerabilities.
The activities of UAC-0098 are representative of the shifting landscape of cyber threats, blurring the lines between organized crime and state-sponsored initiatives. Companies should remain vigilant and informed as threat actors increasingly modify their targeting strategies in alignment with evolving geopolitical interests. This highlights the necessity for robust cybersecurity measures, particularly as adversaries demonstrate a sustained interest in sectors critical to national and international security.