Ukraine's DELTA Military System

The Computer Emergency Response Team of Ukraine (CERT-UA) this week disclosed that users of the Delta situational awareness program received phishing emails from a compromised email account belonging to the Ministry of Defense.

The attacks, which have been attributed to a threat cluster dubbed UAC-0142, aimed to infect systems with two pieces of data-stealing malware referred to as FateGrab and StealDeal.

Delta is a cloud-based operational situation display system developed by Aerorozvidka that allows real-time monitoring of troops on the battlefield, making it a lucrative target for threat actors.

The lure messages, which come with fake warnings to update root certificates in the Delta software, carry PDF documents containing links to archive files hosted on a fraudulent Delta domain, ultimately dropping the malware on compromised systems.

Cybersecurity

While FateGrab is mainly designed to exfiltrate files with specific extensions through File Transfer Protocol (FTP), StealDeal singles out web browsers to siphon passwords and other information.

The attack comes days after Ukraine presented the Delta system to the NATO Consultation, Command, and Control Organization (NC3O). It also follows revelations that the Russia-linked Gamaredon group attempted to unsuccessfully infiltrate a large petroleum refining company within a NATO member state in late August 2022.

The Russo-Ukrainian war has prompted Moscow to intensify cyberattacks against Ukraine, relying on a wide range of wiper malware to disrupt critical infrastructure.

Cybersecurity

Ukrainian organizations, in recent months, have also been targeted with RomCom RAT and Vidar stealer, the latter of which has been found to act as a conduit to drop a ransomware strain called Somnia.

Earlier this month, CERT-UA noted that state-owned organizations have been targeted with phishing emails purporting to be from the State Emergency Service of Ukraine and containing weaponzied RAR archives that are engineered to deploy a Delphi-based backdoor named DolphinCape.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.