
The Cybersecurity Lair™ • November 4, 2024

Latest News | Cyber Assault on Ukraine's Infrastructure: UAC-0215 Targets Critical Sectors

A sophisticated phishing attack on Ukraine's military and government sectors highlights urgent cybersecurity vulnerabilities

In a recent cyber incident, the Ukrainian Cyber Emergency Response Team (CERT-UA) uncovered a targeted phishing campaign orchestrated by the threat actor UAC-0215. The campaign, aimed at Ukraine’s critical infrastructure, specifically targeted government agencies, industrial sectors, and military entities with phishing emails disguised as legitimate communications, purporting to promote integration with Amazon and Microsoft services and with Zero Trust Architecture (ZTA). These emails carried malicious Remote Desktop Protocol (.rdp) files which, once opened, compromised the victim’s systems by connecting them to attacker-controlled servers.


Technically, the attack relied on malicious .rdp files that, when executed, opened a direct connection to the attacker’s servers. That connection enabled unauthorised access to sensitive resources, allowing the attackers to execute malicious code and potentially exfiltrate critical data from Ukrainian government and military networks. The campaign, reportedly launched in August and detected on a large scale by October 2024, is recognised internationally as a high-risk threat, endangering both Ukrainian and potentially global security infrastructure.


Key Takeaways:


  • Targeted Sector: Critical infrastructure sectors in Ukraine, including government, industrial, and military entities.
  • Attack Mechanism: Phishing emails containing malicious .rdp files that, when opened, connect to attacker-controlled servers.
  • Technical Approach: Unauthorised access and potential data exfiltration achieved through remote desktop connections.
  • International Security Impact: Recognized as a significant threat to national security by multiple cybersecurity organisations worldwide.
  • Mitigation Recommendations: Enhanced email filtering for .rdp files, restricted execution privileges, and specific Group Policy and firewall rules to limit RDP vulnerabilities.
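The first mitigation above, filtering .rdp attachments at the mail gateway, can go beyond matching the file extension: an .rdp file is plain text made of `key:type:value` lines, so the gateway can read out the connection target and any settings that would expose local resources to the remote host. The following is an added example, not code from CERT-UA or from the cited article; the sample file contents, the hostnames and the allowlist are constructed for illustration and are not indicators from the report.

```python
"""Triage an .rdp e-mail attachment before it reaches a user's inbox."""
from dataclasses import dataclass, field

# Settings that, when enabled, hand local resources to the remote server.
# Each check receives the raw value string from the .rdp file.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v.strip() != "",    # local drives shared
    "redirectclipboard": lambda v: v.strip() == "1",  # clipboard shared
    "redirectsmartcards": lambda v: v.strip() == "1",  # smart cards shared
    "redirectprinters": lambda v: v.strip() == "1",   # printers shared
}


@dataclass
class RdpVerdict:
    target: str                       # host the file would connect to
    allowed: bool                     # target is on the organisation's allowlist
    risky: list = field(default_factory=list)  # enabled resource-sharing settings

    def block(self) -> bool:
        """Block unless the target is known AND no local resources are shared."""
        return not self.allowed or bool(self.risky)


def parse_rdp(text: str) -> dict:
    """Parse 'key:type:value' lines; the value itself may contain ':' (host:port)."""
    settings = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3:
            settings[parts[0].strip().lower()] = parts[2]
    return settings


def target_host(settings: dict) -> str:
    """Strip an optional port from 'full address' (hostname or IPv4 assumed)."""
    value = settings.get("full address", "").strip().lower()
    return value.rsplit(":", 1)[0] if ":" in value else value


def triage_rdp(text: str, allowed_hosts: set) -> RdpVerdict:
    settings = parse_rdp(text)
    host = target_host(settings)
    verdict = RdpVerdict(target=host, allowed=host in allowed_hosts)
    for key, is_risky in RISKY_SETTINGS.items():
        if key in settings and is_risky(settings[key]):
            verdict.risky.append(key)
    return verdict


# Constructed sample: an inbound attachment pointing at an unknown host.
SAMPLE_RDP = "screen mode id:i:2\nfull address:s:rdp.example.invalid:3389\n" \
             "drivestoredirect:s:*\nredirectclipboard:i:1\n"
CORP_HOSTS = {"rdp.corp.example"}  # assumed allowlist of sanctioned RDP gateways
```

A verdict of `block()` being true is the signal to quarantine the message; the `target` and `risky` fields give the analyst the host and the shared resources to record in the incident ticket.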


The UAC-0215 phishing campaign exemplifies the increasing complexity of cyber threats against national infrastructure. By exploiting RDP vulnerabilities, attackers can covertly gain access to critical systems, risking national security and potentially expanding their reach beyond Ukraine. These threats highlight the importance of heightened cybersecurity measures, especially for sensitive sectors.


Source and further reading.


Mishra, A., & Mishra, A. (2024, November 4). Sophisticated phishing attack targeting Ukraine military sectors. GBHackers Security | #1 Globally Trusted Cyber Security News Platform. https://gbhackers.com/sophisticated-phishing-attack/amp/

Subhra, T. (2024, September 3). Sensitive information of VirusTotal users exposed in data leak. GBHackers Security | #1 Globally Trusted Cyber Security News Platform. https://gbhackers.com/virustotal-users-data-leak/#google_vignette
