The Ukrainian Government’s Computer Emergency Response Team (CERT-UA) said it uncovered a malicious campaign against the information and communication systems (ICS) of nearly twenty energy, water, and heating supply companies across ten regions of Ukraine.
The targeted attacks, which have been ongoing since the first quarter of 2024, were orchestrated by the threat actor identified as UAC-0212, a subcluster of the notorious UAC-0002 (Sandworm, APT44, Seashell Blizzard).
The group's activity against critical sectors such as energy, water supply, and heating is tracked as threat activity cluster UAC-0133, which is linked with a high level of certainty to UAC-0002.
By mid-2024, the group began to employ new tactics, techniques, and procedures (TTPs). One method involved sending malicious PDF documents with embedded links. Clicking a link exploited a security feature bypass vulnerability (CVE-2024-38213) to download a malicious LNK file (with the double extension "pdf.lnk") onto the victim's system. The LNK file executed a PowerShell command that opened a decoy document and downloaded EXE/DLL files designed to maintain persistence on the compromised system.
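The delivery chain just described (a document-named LNK lands in a user's download folder, then Explorer spawns PowerShell) is something a defender can look for in endpoint telemetry. The following detection sketch is an added example written for this article; it is not code from CERT-UA's advisory or from the reporting. It assumes a simplified, constructed JSON event schema (fields `ts`, `host`, `type`, `path`, `image`, `parent_image`) rather than any vendor's real format, and it generalises the advisory's "pdf.lnk" to a few other document-looking extensions, which is an assumption on my part.

```python
"""Flag document-looking .lnk files and correlate them with an Explorer -> PowerShell spawn.

Added example for the CERT-UA UAC-0212 write-up; the event schema below is
an assumed, simplified stand-in for endpoint telemetry, not a real product's.
"""
import json
import re
from datetime import datetime

# "Something.pdf.lnk" style names. The advisory mentions only "pdf.lnk";
# the other extensions are an assumed generalisation for the same trick.
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk$", re.IGNORECASE)

# Constructed sample telemetry (not from the advisory). ws01 shows the chain
# described in the text; ws02 is a benign PowerShell launch for contrast.
SAMPLE_EVENTS = [
    r'{"ts": "2025-02-10T09:00:00", "host": "ws01", "type": "file", "path": "C:\\Users\\u\\Downloads\\Specification.pdf.lnk"}',
    r'{"ts": "2025-02-10T09:00:30", "host": "ws01", "type": "file", "path": "C:\\Users\\u\\Downloads\\Quotation.pdf"}',
    r'{"ts": "2025-02-10T09:01:10", "host": "ws01", "type": "process", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}',
    r'{"ts": "2025-02-10T11:30:00", "host": "ws02", "type": "process", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}',
]


def parse_events(lines):
    """Decode one JSON event per line, convert timestamps, and sort by time."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def basename(path):
    """Last path component, tolerant of both Windows and POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def find_double_extension_lnks(events):
    """File-creation events whose name looks like a document but is really a shortcut."""
    return [
        e for e in events
        if e["type"] == "file" and DOUBLE_EXT_LNK.search(basename(e["path"]))
    ]


def find_lnk_to_powershell(events, window_seconds=300):
    """Correlate a suspicious LNK write with a later Explorer -> PowerShell spawn
    on the same host inside the window. Explorer launching a shortcut does not put
    the .lnk path on PowerShell's command line, so the correlation is by host and time."""
    lnk_writes = find_double_extension_lnks(events)
    findings = []
    for e in events:
        if e["type"] != "process":
            continue
        if basename(e["image"]).lower() != "powershell.exe":
            continue
        if basename(e.get("parent_image", "")).lower() != "explorer.exe":
            continue
        for f in lnk_writes:
            delta = (e["ts"] - f["ts"]).total_seconds()
            if f["host"] == e["host"] and 0 <= delta <= window_seconds:
                findings.append({"host": e["host"], "lnk": f["path"], "spawn_ts": e["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for hit in find_lnk_to_powershell(evs):
        print("suspicious LNK -> PowerShell chain:", hit)
```

The first rule alone (a `.pdf.lnk` write) is already a strong signal because legitimate shortcuts rarely carry a document extension; the correlation with an Explorer-spawned PowerShell adds context for triage and narrows the window an analyst has to pull process command lines and network activity for.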
The malware used in these attacks included sophisticated tools such as Secondbest, Empirepast, Spark, and Crookbag (a Go-based loader). In some cases, the attackers also used RSYNC for long-term exfiltration of documents.
Between July 2024 and February 2025, a series of related campaigns was observed. The threat group specifically targeted supplier companies based in Serbia, the Czech Republic, and Ukraine, although the geographic scope of these attacks extended beyond these countries. In August 2024 alone, at least twelve Ukrainian logistics companies specializing in freight transport by road, air, and sea (including those dealing with hazardous and perishable goods) were targeted by the attackers.
Furthermore, between January 2025 and February 20, 2025, cyberattacks were launched against four Ukrainian companies engaged in the design and production of equipment for drying, transporting, and storing grain, including the construction of elevators. At least 25 Ukrainian enterprises specializing in the development of Automated Control Systems (ACS) and related electrical installation work were also targeted.
The initial phase of the attack typically begins with attackers posing as potential clients. Over several days, they engage in correspondence with the targeted organization, eventually leading the victim to download a "technical document" in the form of a manipulated PDF file.
This activity is tracked under the UAC-0212 identifier. CERT-UA’s advisory contains a set of cyber threat indicators and examples of the attack chain.