The UAC-0099 hacking collective has been launching cyber-espionage attacks against Ukraine, with a spike in malicious activity observed throughout November-December 2024 targeted at Ukrainian government entities.
The group has been using phishing as an attack vector and spreading LONEPAGE malware.
The continuous rise in cyberattacks against government agencies in Ukraine calls for stronger defense measures against CVE-2023-38831 exploitation and LONEPAGE malware distribution.
The latest CERT-UA alerts focus on UAC-0099's adversary operations that span November and December 2024.
All detections are mapped to the MITRE ATT&CK® framework and enriched with CTI and other important metadata to support threat research.
In addition, teams can accelerate IOC packaging and retrospective hunting of the group's TTPs.
The UAC-0099 group has been observed launching cyberattacks against forestry departments, forensic institutions, factories, and public sector agencies.
The group uses phishing emails carrying attachments in the form of double (nested) archives that contain LNK or HTA files. Some archives include an exploit for the known WinRAR vulnerability CVE-2023-38831. Once a host is successfully compromised, the LONEPAGE malware executes on the affected machine, enabling command execution.
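As an added illustration of how the delivery traits above can be checked at the mail gateway or in a sandbox pipeline (this is example code, not tooling from CERT-UA or from the original article), the following Python script triages a ZIP attachment for three things: an archive nested inside an archive, LNK/HTA members, and the publicly documented CVE-2023-38831 layout in which a decoy file whose name ends in a space sits beside a same-named directory holding a script. Only ZIP is parsed with the standard library; RAR/7z members are reported but not opened (a library such as rarfile or py7zr would be needed, which is an assumption outside this snippet). All sample archives are constructed in memory and are not real UAC-0099 artefacts.

```python
import io
import zipfile
from dataclasses import dataclass

# File types the lures are reported to carry inside the (nested) archives.
PAYLOAD_EXTS = (".lnk", ".hta")
# Archive-in-archive indicators; only ZIP is parsed here (RAR/7z need extra libs).
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
# Script types a vulnerable WinRAR would run in the CVE-2023-38831 layout.
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".js", ".ps1", ".hta", ".lnk")
MAX_DEPTH = 3                          # stop recursing into deeper nested archives
MAX_MEMBER_BYTES = 20 * 1024 * 1024    # do not inflate huge members (zip-bomb guard)


@dataclass(frozen=True)
class Finding:
    path: str      # member path; nested archive levels are joined with "!/"
    reason: str


def _cve_2023_38831_layout(names, prefix=""):
    """Flag the documented CVE-2023-38831 archive layout: a top-level file whose
    name ends in a space, beside a directory of exactly the same name that holds
    a script. Opening the 'document' in a vulnerable WinRAR runs the script."""
    findings = []
    files = [n for n in names if not n.endswith("/")]
    dirs = set()
    for n in names:
        parts = n.split("/")
        for i in range(1, len(parts)):      # every component but the last is a dir
            dirs.add("/".join(parts[:i]))
    for decoy in files:
        if "/" in decoy or not decoy.endswith(" ") or decoy not in dirs:
            continue
        for inner in files:
            if inner.startswith(decoy + "/") and inner.lower().endswith(SCRIPT_EXTS):
                findings.append(Finding(prefix + inner,
                    f"CVE-2023-38831 layout: script beside decoy file {decoy!r}"))
    return findings


def triage_zip(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Walk a ZIP attachment, recursing into nested ZIPs, and return findings."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [Finding(prefix or "<root>", "not a ZIP; RAR/7z need a separate parser")]
    findings = _cve_2023_38831_layout(zf.namelist(), prefix)
    for info in zf.infolist():
        if info.is_dir():
            continue
        full = prefix + info.filename
        low = info.filename.lower()
        if low.endswith(PAYLOAD_EXTS):
            findings.append(Finding(full, "LNK/HTA payload inside archive"))
        if low.endswith(ARCHIVE_EXTS):
            findings.append(Finding(full, "nested archive (double-archive lure)"))
            if (depth < MAX_DEPTH and low.endswith(".zip")
                    and info.file_size <= MAX_MEMBER_BYTES):
                findings.extend(triage_zip(zf.read(info), depth + 1, full + "!/"))
    return findings


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def reasons(findings):
    """Distinct, sorted reasons, convenient for rules and tests."""
    return sorted({f.reason for f in findings})


# Constructed samples (not real UAC-0099 artefacts).
CLEAN = build_zip({"Report.pdf": b"%PDF-1.4 benign"})
DOUBLE_ARCHIVE = build_zip({"Report.zip": build_zip({"Report.pdf.lnk": b"placeholder"})})
CVE_LAYOUT = build_zip({
    "Report.pdf ": b"%PDF-1.4 decoy",
    "Report.pdf /Report.pdf .cmd": b"placeholder",
})

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("double archive", DOUBLE_ARCHIVE),
                          ("cve layout", CVE_LAYOUT)):
        print(label, [(f.path, f.reason) for f in triage_zip(sample)])
```

The naming check is deliberately strict (trailing space plus an exactly matching directory) so it stays quiet on ordinary archives; the size and depth caps keep a crafted attachment from turning the triage step itself into a denial-of-service point.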
Leveraging MITRE ATT&CK helps security teams gain insight into UAC-0099 TTPs used in cyber-espionage campaigns against Ukraine.
The expanding scope of UAC-0099's cyber-espionage campaigns, combined with its shifting methods, tools, and targets, highlights the critical need for improved cyber vigilance to counter the group's adaptability effectively.