Suspected Russian hackers target Ukrainian defence companies
Contractor employees targeted with phishing attacks
Suspected Russian hackers have been targeting Ukrainian military contractors in a new espionage campaign, according to a newly published report.
Ukraine’s Computer Emergency Response Team (CERT-UA) said in a report published over the weekend that a hacking group has been targeting the country’s defence and military companies with phishing attacks.
CERT-UA identified the hacking group as UAC-0185 — also known as UNC4221 — without saying who was behind the group. Earlier this year, however, a cybersecurity company linked that group to the Russian government, and the tactics deployed show characteristics associated with Moscow-backed groups.
The group has primarily targeted Ukrainian military personnel by stealing credentials through messaging apps such as Signal, Telegram and WhatsApp, as well as through local military systems like Delta, Teneta and Kropyva.
According to CERT-UA, the hackers sent emails purporting to be from the Ukrainian League of Industrialists and Entrepreneurs, which calls itself “Ukraine’s largest union of business organizations and economic agents.” The emails were designed to look like an invitation to a genuine conference in Kyiv last week.
The targets were employees working for Ukraine’s defence and military contractors.
The attackers are selectively carrying out cyberattacks to gain unauthorized remote access to the computers of employees within Ukraine's defence-industrial complex and defence forces.
The group employs well-known tools to infect its victims’ devices, including MeshAgent and UltraVNC, open-source software used to remotely manage computer systems. In August this year, the threat actor tracked as UAC-0198 used backdoor malware based on MeshAgent to infect over 100 Ukrainian state computers.
This attack fits the shifting pattern identified by Google Cloud in its 2025 cybersecurity forecast, which noted a change in tactics by Russian hacking groups: they have pivoted away from attacking civilian targets and infrastructure towards targeting frontline infrastructure.
Earlier in July, the threat actor tracked as UAC-0180 attempted to gain access to the systems of Ukrainian defence companies using malicious emails disguised as drone procurement contracts.