Russian Malware Attack Aims at Ukrainian Military Recruits through Telegram

A sophisticated malware operation has been launched by Russian hackers through Telegram, specifically targeting Ukrainian military recruits. Posing as recruitment-related tools, this malware is designed to exfiltrate sensitive data while disseminating false information, thereby undermining Ukraine’s defense efforts.

A recent report from Google’s Threat Intelligence Group (TAG) reveals a cyber campaign directed at Ukrainian men eligible for military service. This operation is attributed to state-sponsored Russian hackers, particularly a collective known as UNC5812, which employs both malware and disinformation as critical components of its strategy.

Reports published in early October 2024 described a shift in Russian cyber tactics against Ukraine during the first half of the year, from broad-spectrum attacks to focused efforts against specific sectors, notably the military and defense.

The primary aim of this recent campaign is to infiltrate the devices of potential recruits. The attackers are distributing malicious software disguised as tools for locating recruitment centers. In reality, these applications carry malware capable of compromising sensitive information, including browser cookies, keystrokes, and cryptocurrency wallet details.

To facilitate their operation, attackers have created an ostensibly legitimate online presence via a Telegram channel and a website named “Civil Defense.” While the website’s registration dates back to April 2024, the Telegram channel was launched in September.

These platforms lure users with the promise of valuable information and resources related to military conscription. Yet, once users download and install the purportedly helpful software, they inadvertently expose their devices to multiple strains of malware.

Windows users are primarily targeted with the Pronsis Loader, which installs the information-stealing malware known as PURESTEALER. In contrast, Android users face risks from the CRAXSRAT backdoor, a highly adaptable tool for data theft, surveillance, and remote device control.

To navigate past security barriers, attackers employ social engineering tactics, persuading victims to disable Google Play Protect and manually allow permissions for the malicious applications. This campaign also includes efforts to propagate disinformation aimed at sowing discord and diminishing morale among the Ukrainian populace.

The “Civil Defense” platform propagates anti-mobilization narratives and disseminates fabricated content regarding the war, urging users to share videos allegedly depicting misconduct at recruitment centers. A dedicated news section on the website is populated with spurious stories that distort the realities of mobilization, which are further amplified through pro-Russian social media channels.

The actions of the UNC5812 group reflect a continuing pattern of Russian cyber operations that seek to destabilize Ukraine. By targeting military recruits, these cyber adversaries threaten public confidence in Ukraine’s military capabilities, thereby jeopardizing national defense.

Researchers have noted that UNC5812 actively seeks new audiences by promoting its content across various Ukrainian-language social media channels. For instance, a Telegram channel with over 80,000 subscribers was observed disseminating information on the “Civil Defense” initiative on September 18, with continued promotional activity detected as recently as October 8.

In response to these cyber threats, Google has taken steps to identify and block malicious websites, incorporating them into its Safe Browsing program. The company is also working with Ukrainian authorities to restrict access to the campaign’s web presence within the country. Google Play Protect remains diligent in scanning devices for harmful applications, including those sourced from outside the Play Store.

This report offers insight into Russia’s multifaceted cyber strategy aimed at destabilizing Ukraine’s war effort. By leveraging the defenses provided by platforms such as Google and maintaining vigilance against these threats, users can help mitigate the potential impact of such campaigns. The tactics displayed in this operation likely correspond to several MITRE ATT&CK techniques, notably initial access through social engineering and exploiting system vulnerabilities for persistence.
