The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert regarding an ongoing campaign by unknown threat actors attempting to impersonate the cybersecurity agency. The attackers are using social engineering tactics to send fraudulent AnyDesk connection requests under the guise of conducting security audits.
These requests claim to assess the "level of security" for organizations. CERT-UA has cautioned entities to remain vigilant against such attempts, which exploit trust to gain unauthorized access. In its advisory, CERT-UA clarified that while it does occasionally use remote access tools like AnyDesk for legitimate purposes, such actions are strictly pre-arranged with cyber defense object owners through official communication channels.
Mechanics of the Attack
For the attackers' campaign to succeed, the AnyDesk remote access software must already be installed and operational on the targeted device. Furthermore, the attackers require the target’s unique AnyDesk identifier, which they may attempt to acquire through phishing or other deceptive methods. CERT-UA has emphasized the importance of enabling remote access software only when necessary and ensuring all such activities are coordinated via authorized channels to mitigate risks.
Rising Cyber Threats in Ukraine
This alert comes amid reports from Ukraine's State Service for Special Communications and Information Protection (SSSCIP) that the country’s incident response center detected over 1,042 cyber incidents in 2024. Malicious code and intrusion efforts accounted for more than 75% of these incidents. The most active threat clusters observed during the year were UAC-0010, UAC-0050, and UAC-0006, specializing in cyber espionage, financial theft, and information-psychological operations.
UAC-0010, also referred to as Aqua Blizzard and Gamaredon, was linked to 277 incidents, while UAC-0050 and UAC-0006 were associated with 99 and 174 incidents, respectively. These threat actors have demonstrated persistence and sophistication in targeting Ukrainian entities.
Emerging Threats from GhostWriter
Another concerning development involves the discovery of 24 previously unreported domains under the .shop top-level domain (TLD) tied to GhostWriter, a pro-Russian hacking group also known as TA445, UAC-0057, and UNC1151. These domains were connected to various campaigns targeting Ukraine last year. Researcher Will Thomas (@BushidoToken) found that the domains shared the same generic TLD, the same registrar (PublicDomainsRegistry), and Cloudflare name servers. Additionally, all the identified servers were configured with a robots.txt directory.
Retaliatory Cyberattacks Against Russia
As the Russo-Ukrainian war nears the end of its third year, cyberattacks have increasingly targeted Russian entities. These operations aim to steal sensitive data and disrupt business operations through ransomware. Recently, cybersecurity firm F.A.C.C.T. attributed a spear-phishing campaign to the pro-Ukrainian group Sticky Werewolf. This campaign targeted Russian research and production enterprises, delivering a remote access trojan (RAT) known as Ozone. The malware enables remote access to compromised Windows systems.
Sticky Werewolf primarily focuses on state institutions, research facilities, and industrial enterprises in Russia. However, a previous analysis by Israeli cybersecurity company Morphisec noted that the group’s pro-Ukrainian affiliation “remains uncertain.”
Other threat activity clusters observed targeting Russian entities include Core Werewolf, Venture Wolf, and Paper Werewolf (also known as GOFFEE). Paper Werewolf has been linked to credential theft via a malicious IIS module called Owowa.
Conclusion
The ongoing cyber conflict underscores the importance of robust security measures and vigilance. Both Ukraine and Russia have faced escalating cyber threats as part of the broader geopolitical tensions. CERT-UA’s latest advisory highlights the need for organizations to adopt stringent protocols when using remote access tools and to verify the authenticity of requests through official channels. With threat actors becoming more sophisticated, a proactive approach to cybersecurity is critical in mitigating risks and ensuring operational resilience.