Targeted activity UAC-0212 against developers and suppliers of automation and process control solutions

Feb. 26, 2025, 10:24 a.m.

Description

In 2024-2025, UAC-0212, a subcluster of UAC-0002 (Sandworm), launched targeted cyberattacks against Ukrainian critical infrastructure and related industries. The actor employed new tactics, exploiting CVE-2024-38213 to deliver malware through PDF documents. Tools such as SECONDBEST, EMPIREPAST, SPARK, and CROOKBAG were used. The campaign expanded to target logistics companies, grain equipment manufacturers, and automated control system developers in Ukraine, Serbia, and the Czech Republic. The attacks aimed to compromise industrial control systems in vital sectors such as energy, water, and heat supply. The threat actor's approach combined initial social engineering with rapid lateral movement within compromised networks.

Date

  • Created: Feb. 26, 2025, 9:54 a.m.
  • Published: Feb. 26, 2025, 9:54 a.m.
  • Modified: Feb. 26, 2025, 10:24 a.m.

Indicators


Attack Patterns

  • PEAKLIGHT
  • CROOKBAG
  • Spark - S0543
  • EMPIREPAST
  • SECONDBEST
  • UAC-0212

Additional Information

  • Energy
  • Transportation
  • Manufacturing
  • Serbia
  • Ukraine

Linked vulnerabilities