
Ukraine's Computer Emergency Response Team (CERT-UA) has disclosed that the UAC-0219 hacking operation used the new Wrecksteel malware in attacks on the country's government entities and critical infrastructure organizations last month, as part of a cyberespionage campaign that began last fall, reports The Record, a news site owned by cybersecurity firm Recorded Future.
According to CERT-UA, UAC-0219 used hacked email accounts to send phishing messages whose links redirect to Google Drive and DropMeFiles and ultimately lead to the execution of a PowerShell script that exfiltrates data and captures screenshots. No further information ties UAC-0219 to a specific country, but Russia has previously been identified as responsible for the majority of phishing-based cyberespionage against Ukraine. Separately, Cisco Talos researchers recently reported that the Russian state-sponsored cyberespionage group Gamaredon targeted Ukraine in a phishing campaign using troop-related lures, and the country's national railway operator, Ukrzaliznytsia, had its online systems taken down last week by a cyberattack also linked to Russia.
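As an added illustration, not code from the article, CERT-UA or Recorded Future, the following Python script shows how a detection team might correlate the chain the report describes (a download from Google Drive or DropMeFiles followed shortly by a PowerShell launch, or a PowerShell command line carrying screenshot or exfiltration indicators) against endpoint telemetry. The log format, host names, sample events, the ten-minute window and the indicator tokens are assumptions constructed for this example (CopyFromScreen and System.Drawing are the standard .NET screenshot APIs, the other tokens are generic PowerShell living-off-the-land flags); none of them are published Wrecksteel indicators.

```python
"""Added example (not code from the article, CERT-UA or Recorded Future):
correlate contact with the file-sharing services named in the report with a
subsequent PowerShell launch, and flag PowerShell command lines that carry
screenshot or exfiltration indicators.

The log format, host names, indicator lists, time window and event lines are
constructed for illustration; they are not published Wrecksteel indicators."""
import re
from datetime import datetime, timedelta

# Redirect targets named in the report. The exact host names are an assumption.
SHARING_HOSTS = ("drive.google.com", "dropmefiles.com")

# Generic PowerShell screenshot/exfil indicators: CopyFromScreen and
# System.Drawing are the standard .NET screenshot APIs; the rest are common
# living-off-the-land flags and cmdlets. Assumed, not Wrecksteel-specific.
SUSPICIOUS_CMD = re.compile(
    r"CopyFromScreen|System\.Drawing|Invoke-WebRequest|Invoke-RestMethod"
    r"|-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|Compress-Archive",
    re.IGNORECASE,
)

# Constructed telemetry format: '<iso-ts> host=<name> type=<net|proc> key="value" ...'
EVENT_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) type=(?P<type>\S+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

WINDOW = timedelta(minutes=10)  # assumed: PowerShell must start within 10 min of the download

# Constructed sample events (not real telemetry). "SQBFAFgA" is "IEX" in UTF-16LE base64.
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = [
    '2025-04-01T09:12:03 host=ws17 type=net dst="dropmefiles.com" method="GET"',
    '2025-04-01T09:12:41 host=ws17 type=proc image="%s" cmdline="powershell -w hidden -enc SQBFAFgA"' % PS_EXE,
    '2025-04-01T09:30:00 host=ws22 type=proc image="%s" cmdline="powershell -File C:\\scripts\\inventory.ps1"' % PS_EXE,
    '2025-04-01T10:05:10 host=ws22 type=proc image="%s" cmdline="powershell Add-Type -AssemblyName System.Drawing; '
    '[Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size)"' % PS_EXE,
    '2025-04-01T11:00:00 host=ws31 type=net dst="drive.google.com" method="GET"',
    '2025-04-01T11:45:00 host=ws31 type=proc image="%s" cmdline="powershell -File C:\\scripts\\backup.ps1"' % PS_EXE,
]


def parse_event(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "type": m["type"]}
    ev.update(KV_RE.findall(m["rest"]))  # remaining key="value" pairs
    return ev


def detect(lines):
    """Return one alert per suspicious PowerShell start as (host, iso timestamp, reasons)."""
    events = [e for e in map(parse_event, lines) if e]
    events.sort(key=lambda e: e["ts"])
    last_download = {}  # host -> timestamp of most recent contact with a sharing host
    alerts = []
    for ev in events:
        if ev["type"] == "net" and ev.get("dst", "").lower() in SHARING_HOSTS:
            last_download[ev["host"]] = ev["ts"]
            continue
        if ev["type"] != "proc" or not ev.get("image", "").lower().endswith("powershell.exe"):
            continue
        reasons = []
        seen = last_download.get(ev["host"])
        if seen is not None and ev["ts"] - seen <= WINDOW:
            reasons.append("powershell started within %s of file-sharing download" % WINDOW)
        hit = SUSPICIOUS_CMD.search(ev.get("cmdline", ""))
        if hit:
            reasons.append("suspicious command-line token: " + hit.group(0).strip())
        if reasons:
            alerts.append((ev["host"], ev["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for host, ts, reasons in detect(SAMPLE_LOG):
        print(host, ts, "; ".join(reasons))
```

Run against the constructed sample, ws17 is flagged on both the timing correlation and the hidden-window flag, ws22 only on the System.Drawing screenshot token, and ws31 is not flagged because its PowerShell launch falls 45 minutes after the Google Drive contact and uses a benign command line. The two signals are deliberately independent: the timing rule catches scripts whose content is obscured by encoding, while the token rule catches screenshot and exfiltration code launched without any visible download.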