UAC-0056 group launch disruptive attacks against Ukrainian government websites planned over one year earlier

According to information dated February 28, 2023, the Russian-linked sponsored group UAC-0056 was observed in malicious campaigns targeting Ukraine by exploiting the phishing attack vector in July 2022. 

In the discovered attack, threat actors sought to disrupt the integrity and availability of government websites by exploiting several backdoors. 

On February 23, 2023, CISA issued an alert urging US and European organisations to increase their cyber vigilance in response to potential cyber attacks by Russian attackers, following the detection of malicious disruptive activity against Ukrainian government websites. Researchers found that the adversary activity could be attributed to the hacking collective UAC-0056 or Ember Bear, an alleged Russian-backed cyber espionage group. 

The threat actors communicated with the web shell using IP addresses, including those belonging to neighbouring devices of other hacked organisations due to their previous account abuse and additional VPN connection to the corresponding organisations. 

The hackers also applied other malware samples, including the GOST (Go Simple Tunnel) and Ngrok utilities, to deploy the HoaxPen backdoor. 

Read more about it : here