What happened
A pro-Russian hacking group posed as CERT-UA, Ukraine’s national cyber incident response team, in a phishing campaign targeting government agencies, businesses, and other institutions. According to CERT-UA, the attackers, tracked as UAC-0255, sent emails last week warning recipients about a supposed large-scale Russian cyberattack against Ukrainian critical infrastructure. The messages urged targets to download a password-protected archive from Files.fm and install what was described as protective security software. CERT-UA said the archive actually contained a remote administration tool called AgeWheeze, which can execute commands, manage files and processes, stream screen content, emulate mouse and keyboard input, and access the clipboard. The campaign targeted government institutions, medical centers, financial companies, security firms, universities, and software developers.
Who is affected
The direct exposure affects organizations in Ukraine that received the phishing emails, including government institutions, medical centers, financial companies, security firms, universities, and software developers. CERT-UA said the campaign resulted in only a small number of infections, mainly on personal devices belonging to employees of educational institutions.
Why CISOs should care
This matters because the campaign used the identity of a trusted national cyber authority to increase the credibility of the lure and drive malware installation. It also shows how phishing operations can target multiple sectors at once while shifting actual compromise onto employee devices outside core enterprise infrastructure.
3 practical actions
- Treat trusted-brand impersonation as a live risk: Make sure employees know that even messages appearing to come from national cyber authorities or internal security teams still require verification before software is downloaded or run.
- Watch personal-device exposure closely: Include employee-owned devices in response scoping where feasible, since CERT-UA said the small number of infections it observed were mainly on personal devices used by staff at educational institutions.
- Hunt for remote administration activity: Investigate whether any systems show signs of AgeWheeze-style remote control behavior, including command execution, file handling, screen streaming, and clipboard access.
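A simple triage check for the lure pattern described above, written as an added example (not CERT-UA's code or part of the original article): it flags mail whose display name claims to be CERT-UA while the sender domain is not on an allowlist, that links to a file-sharing host, or that mentions a password-protected archive in the body. The trusted domain `cert.gov.ua`, the sample messages and the two-reason threshold are assumptions for illustration.

```python
import re
from email.utils import parseaddr

# Assumed legitimate CERT-UA sender domain; replace with your own allowlist.
TRUSTED_DOMAINS = {"cert.gov.ua"}
BRAND_MARKERS = ("cert-ua", "cert ua", "certua")
FILE_SHARE_HOSTS = ("files.fm",)
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z)\b", re.I)
PASSWORD_HINT = re.compile(r"\b(password|пароль)\b", re.I)

# Constructed sample messages (not from the article), in the shape a mail
# gateway export might provide: From header, body text, extracted links.
SAMPLE_MESSAGES = [
    {   # legitimate advisory from the trusted domain, no download lure
        "from": "CERT-UA <alerts@cert.gov.ua>",
        "body": "Advisory: patch your mail servers. Details on our website.",
        "links": ["https://cert.gov.ua/article/1"],
    },
    {   # impersonation: trusted display name, lookalike domain, archive lure
        "from": "CERT-UA <notify@cert-ua-gov.com>",
        "body": "Large-scale attack underway. Download protection.zip, password: 1234",
        "links": ["https://files.fm/u/abc123"],
    },
    {   # ordinary internal mail that merely mentions an archive
        "from": "Ops <ops@example.org>",
        "body": "Logs attached as logs.zip, no password.",
        "links": [],
    },
]

def _host_matches(domain, allowed):
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def flag_message(msg):
    """Return the list of reasons a message matches the impersonation lure."""
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    if any(m in name.lower() for m in BRAND_MARKERS) and not _host_matches(domain, TRUSTED_DOMAINS):
        reasons.append("display name claims CERT-UA but sender domain is " + domain)
    for link in msg["links"]:
        host = re.sub(r"^https?://", "", link).split("/")[0].lower()
        if _host_matches(host, FILE_SHARE_HOSTS):
            reasons.append("download link on file-sharing host " + host)
    if ARCHIVE_EXT.search(msg["body"]) and PASSWORD_HINT.search(msg["body"]):
        reasons.append("password-protected archive mentioned in body")
    return reasons

def triage(messages):
    """Index -> reasons for messages with at least two reasons (single hits stay for review)."""
    flagged = {}
    for i, msg in enumerate(messages):
        reasons = flag_message(msg)
        if len(reasons) >= 2:
            flagged[i] = reasons
    return flagged
```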
