New joint TAG/Mandiant research on a hybrid Russian espionage/influence campaign (UNC5812) targeting potential Ukrainian military recruits with malware and spreading anti-mobilization narratives
cloud.google.com/blog/topics/th…
UNC5812 is using the persona Civil Defense to (a) deliver commodity malware masked as software that claims to share crowdsourced locations of Ukrainian military recruiters and (b) solicit & share content it can use to discredit the 🇺🇦 military and its mobilization efforts.
To maximize the reach of its campaign, we judge UNC5812 is likely purchasing promoted posts in legitimate, established Ukrainian-language Telegram channels like the missile alert and news channels shown below.
At the time of analysis, only Android and Windows malware was available. But the group’s website points to likely future intent to expand capability to macOS and iPhones as well.
Notably, some significant effort was invested in social engineering here. Take, for example, the video below, posted in the Civil Defense FAQ section to encourage victims to circumvent Google Play protections and to justify the extensive permissions the Android malware needs to run.
We judge this campaign part of wider 🇷🇺 efforts to undermine Ukraine’s recruitment drive. See here UNC5812's Telegram and a Russian government X account sharing the same video in close proximity, underscoring Moscow’s cross-cutting focus on promoting anti-mobilization narratives.
Much credit in making sure this campaign failed goes to Ukraine's national authorities, who took swift action to disrupt the campaign's reach by blocking resolution of the actor-controlled "Civil Defense" website nationally. #StrongerTogether
cip.gov.ua/ua/news/rozpor…
Related IOCs can be found in the following VirusTotal collection:
virustotal.com/gui/collection…