A recent cyber-espionage campaign targeting Ukraine’s scientific and research institutions has been linked to APT28, a Kremlin-backed group associated with Russia’s military intelligence (GRU). Researchers from CERT-UA identified the involvement of the UAC-0063 group, which used the malware strains Hatvibe and Cherryspy in attacks observed in July. Hatvibe is a loader that downloads and executes additional files on infected devices, while Cherryspy is a backdoor that executes Python code sent by the attackers.
The attackers first compromised an employee’s email account at a Ukrainian institution, replaced a legitimate attachment in an existing message with a malicious one, and forwarded the message to multiple recipients. CERT-UA reported that UAC-0063 has employed diverse tactics, including exploiting vulnerabilities in the HFS (HTTP File Server) web server application.
While UAC-0063 was first identified in 2021, its origins remain unclear. The group has also shown interest in targeting other countries, including Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India. Additionally, researchers discovered evidence of attacks on Armenia’s Ministry of Defense.
APT28 has a history of significant cyberattacks against Ukraine and its allies, including hacking Germany’s Social Democratic Party and conducting espionage campaigns in Poland and the Czech Republic. This latest campaign underscores the persistent threat posed by APT28 and the need for robust cybersecurity measures.
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.