Introduction
The Russian threat group UNC5812 is conducting a sophisticated hybrid espionage and influence operation targeting potential Ukrainian military recruits. This campaign involves the use of a spoofed version of the legitimate “Civil Defense” application to distribute information-stealing malware and undermine Ukraine’s mobilization efforts.
Description
Russian threat actors [3] [6] [9], tracked as UNC5812 [1], are executing a hybrid espionage and influence operation aimed at demotivating potential Ukrainian military recruits through a spoofed version of the legitimate “Civil Defense” application. Identified by Google TAG and Mandiant in September 2024 [3], this campaign seeks to undermine Ukraine’s mobilization efforts while distributing information-stealing malware for both Windows and Android devices. The attackers lure potential recruits to download the malicious application from a spoofed website [5], registered in April 2024 [3] [4] [6] [9], which claims to protect user anonymity and security [5]. This website is promoted through a Telegram channel named @civildefensecomua, created on September 10, 2024 [2], which has gained traction by utilizing sponsored posts in popular Ukrainian-language Telegram groups, including one that provides missile alerts to 80,000 subscribers [4].
The channel presents itself as a provider of free software for potential conscripts to view and share crowdsourced locations of military recruiters [2]. However, the displayed locations are fabricated and sourced from the attackers’ command and control infrastructure [5]. The campaign also engages in influence operations by soliciting videos of alleged unfair practices from recruitment centers, including bureaucratic errors and abuses [8], to bolster anti-mobilization narratives and exploit anxieties surrounding conscription. The Civil Defense channel features content and imagery that often aligns with pro-Russian social media, indicating a dual strategy of cyber operations and psychological influence [6]. Instances of cross-posting to accounts linked to Russian diplomatic entities have also been observed.
For Windows users [2] [3] [5] [6], the campaign distributes a PHP-based loader known as Pronsis [1] [2] [3] [4] [5] [6] [7] [8] [9], which, when executed, installs a decoy mapping application called SUNSPINNER alongside a commercially available information stealer known as PURESTEALER [6]. SUNSPINNER mimics the legitimate app’s functionality by displaying crowdsourced markers for military recruiters [5] and lets users add their own markers, although the markers it shows are not the product of genuine crowdsourcing. For Android users [2] [3] [6], a malicious APK file attempts to install a variant of the CRAXSRAT backdoor [6], which includes functionalities for file management [6], SMS management [6], and monitoring capabilities [6]. The spoofed Civil Defense website employs social engineering tactics to allay user concerns about downloading APKs outside the official app store [5], instructing users on how to disable Google Play Protect [7], which is designed to detect malware [7], while claiming to protect user anonymity and security [5]. Video instructions are also provided to facilitate this process.
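The Android infection chain described above depends on two user actions: installing an APK from outside the Play Store and switching off Google Play Protect. The following Python triage is an added example, not code from the report or from any vendor, that flags exactly that device state in a mobile device inventory. The record layout (DeviceRecord, InstalledApp, the play_protect_enabled field) is an assumption standing in for whatever an MDM or EDR export provides; the Play Store installer package name com.android.vending is real, and the sample devices and package names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Installer package name Android records for apps installed through the Play Store.
PLAY_STORE_INSTALLER = "com.android.vending"


@dataclass
class InstalledApp:
    package: str
    installer: Optional[str]  # installer package name; None when unknown (e.g. adb install)


@dataclass
class DeviceRecord:
    # Hypothetical inventory record; field names are an assumption about the export format.
    device_id: str
    play_protect_enabled: bool
    apps: List[InstalledApp]


def sideloaded_apps(device: DeviceRecord) -> List[str]:
    """Packages not installed by the Play Store (manual APK install, adb, third-party store)."""
    return [app.package for app in device.apps if app.installer != PLAY_STORE_INSTALLER]


def triage(devices: List[DeviceRecord]) -> List[dict]:
    """Return one finding per device that has at least one sideloaded app.

    Severity is 'high' when Play Protect is also disabled, which is the state the
    spoofed site's instructions leave a device in; otherwise 'medium'.
    """
    findings = []
    for device in devices:
        packages = sideloaded_apps(device)
        if not packages:
            continue
        findings.append({
            "device_id": device.device_id,
            "severity": "high" if not device.play_protect_enabled else "medium",
            "sideloaded": packages,
        })
    return findings


# Constructed sample inventory: no real devices, package names or installers from the campaign.
SAMPLE_DEVICES = [
    DeviceRecord("dev-001", True, [
        InstalledApp("com.example.mail", PLAY_STORE_INSTALLER),
    ]),
    DeviceRecord("dev-002", False, [
        InstalledApp("com.example.mail", PLAY_STORE_INSTALLER),
        # com.google.android.packageinstaller is the installer typically recorded for a manual APK install.
        InstalledApp("com.example.civildefense", "com.google.android.packageinstaller"),
    ]),
    DeviceRecord("dev-003", True, [
        InstalledApp("com.example.sideloaded", None),
    ]),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_DEVICES):
        print(finding)
```

The check is deliberately state-based rather than signature-based: it does not need the spoofed app's hash or domain, which change between campaigns, and a device that has both sideloaded an app and disabled Play Protect is worth a look regardless of which lure caused it.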
To enhance its reach [1], UNC5812 is likely purchasing promoted posts in established Ukrainian-language Telegram channels [1] [3], further amplifying its influence. The markers displayed in the SUNSPINNER app [4], which appear to show real-time locations of recruiters [4], were found to have been added by a single individual on the same day [4], indicating a lack of genuine crowdsourcing [4]. The operation appears to be ongoing [3], with recent activity noted as of October 8, 2024 [3]. In response to these threats, Google has added identified websites and files to Safe Browsing and continuously monitors for Android spyware [9]. Ukraine’s national authorities have also taken measures to disrupt the campaign by blocking access to the actor-controlled website [9]. Overall, UNC5812’s operations reflect a broader trend of Russian threat actors targeting Ukrainian military recruits [9], particularly following changes to Ukraine’s mobilization laws in 2024 [9], exemplifying Russia’s strategy of leveraging cyber capabilities for cognitive influence through messaging apps like Telegram [9]. As long as Telegram remains a vital information source during the war [7], it is likely to continue being a primary channel for Russian-linked espionage and influence operations [7].
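The finding that the SUNSPINNER markers had all been added by a single individual on the same day is a simple provenance test that any analyst can apply to a dataset that claims to be crowdsourced. The Python below is an added example that implements that test; it is not the method the researchers used and the marker records are constructed. The record fields (author, added_at) and the 0.9 single-contributor threshold are assumptions.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable


def provenance_summary(markers: Iterable[dict]) -> Dict[str, float]:
    """Summarise who contributed the markers and over how many distinct days.

    Each marker is a dict with 'author' (a contributor id) and 'added_at'
    (an ISO 8601 timestamp without timezone suffix); both field names are assumed.
    """
    markers = list(markers)
    if not markers:
        raise ValueError("no markers to assess")
    authors = Counter(m["author"] for m in markers)
    days = {datetime.fromisoformat(m["added_at"]).date() for m in markers}
    _, top_count = authors.most_common(1)[0]
    return {
        "total": len(markers),
        "distinct_authors": len(authors),
        "distinct_days": len(days),
        "top_author_share": top_count / len(markers),
    }


def looks_seeded(markers: Iterable[dict], share_threshold: float = 0.9, max_days: int = 1) -> bool:
    """True when one contributor accounts for at least share_threshold of the markers
    and all of them were added within max_days distinct days."""
    summary = provenance_summary(markers)
    return summary["top_author_share"] >= share_threshold and summary["distinct_days"] <= max_days


# Constructed sample data, not the real SUNSPINNER markers.
SEEDED_MARKERS = [
    {"author": "user_01", "added_at": "2024-09-10T09:12:00"},
    {"author": "user_01", "added_at": "2024-09-10T09:14:30"},
    {"author": "user_01", "added_at": "2024-09-10T09:20:05"},
    {"author": "user_01", "added_at": "2024-09-10T10:01:44"},
    {"author": "user_01", "added_at": "2024-09-10T11:37:12"},
]

ORGANIC_MARKERS = [
    {"author": "user_02", "added_at": "2024-09-12T08:00:00"},
    {"author": "user_03", "added_at": "2024-09-13T17:45:00"},
    {"author": "user_04", "added_at": "2024-09-13T19:10:00"},
    {"author": "user_02", "added_at": "2024-09-15T07:30:00"},
    {"author": "user_05", "added_at": "2024-09-18T12:00:00"},
    {"author": "user_06", "added_at": "2024-09-20T21:15:00"},
]

if __name__ == "__main__":
    for name, data in (("seeded", SEEDED_MARKERS), ("organic", ORGANIC_MARKERS)):
        print(name, provenance_summary(data), "seeded:", looks_seeded(data))
```

Neither signal alone is conclusive (a single enthusiastic contributor or a one-day launch event can produce either), which is why the function requires both the contributor concentration and the one-day clustering before calling a dataset seeded.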
Conclusion
The UNC5812 campaign highlights the ongoing threat posed by Russian cyber operations targeting Ukrainian military efforts. The use of spoofed applications and social engineering tactics underscores the sophistication of these operations. Mitigation efforts by Google and Ukrainian authorities, such as blocking malicious websites and monitoring spyware, are crucial in countering these threats. However, as long as platforms like Telegram remain central to information dissemination during the conflict, they will likely continue to be exploited for espionage and influence activities. This situation necessitates ongoing vigilance and adaptive strategies to protect against such hybrid threats.
References
[1] https://arstechnica.com/security/2024/10/kremlin-backed-hackers-have-new-windows-and-android-to-foist-on-ukrainian-foes/
[2] https://thehackernews.com/2024/10/russian-espionage-group-targets.html
[3] https://www.forbes.com/sites/daveywinder/2024/10/28/google-warns-of-new-android-and-windows-cyber-attack-1-thing-stops-it/
[4] https://www.techradar.com/pro/russian-espionage-mission-to-subvert-ukrainian-conscription-uncovered-by-google-tag
[5] https://www.darkreading.com/threat-intelligence/russia-kneecaps-ukraine-army-recruitment-spoofed-civil-defense-app
[6] https://www.infosecurity-magazine.com/news/russian-malware-ukrainian-recruits/
[7] https://cyberscoop.com/suspected-russian-hacking-influence-operations-take-aim-at-ukrainian-military-recruiting/
[8] https://evrimagaci.org/tpg/ukraines-conscription-crisis-faces-cyber-threats-49310
[9] https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives