Hacking operation UAC-0125 — which is believed to be associated with Russian state-backed threat group Sandworm — has targeted Ukrainian soldiers using the Army+ military app as part of a new cyberespionage campaign, according to The Record, a news site by cybersecurity firm Recorded Future.
Attacks involved the creation of fraudulent Army+ websites on the serverless Cloudflare Workers platform, which lured targets into downloading a trojanized installer built with the Nullsoft Scriptable Install System (NSIS); once executed, the installer gave the attackers concealed access to the device, enabled data exfiltration, and opened the door to further attacks, a report from Ukraine's Military Computer Emergency Response Team revealed. Additional details regarding the intrusion have been kept under wraps. However, Sandworm, also known as APT44, and other Russian threat actors have escalated intrusions aimed at Ukrainian military forces, as evidenced by the recent information-stealing malware campaign against military conscripts. Sandworm was also previously reported by Mandiant researchers to have conducted attacks exfiltrating Ukrainian soldiers' Telegram and Signal communications.
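The lure described above combines two observables a defender can hunt for in web proxy logs: a brand-impersonating hostname on a serverless platform, and an executable download served from it. The following Python script is an added example, not code from the report or from any of the teams named; the log lines are constructed, the lookalike hostnames and the `army`/`armyplus` brand keywords are assumptions, and the `.workers.dev` suffix is used because it is the default hostname suffix for Cloudflare Workers deployments. It parses the sample lines and returns the entries that match both conditions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not taken from the CERT report):
# timestamp, client IP, method, URL, HTTP status, response content type.
SAMPLE_LOG = """\
2024-12-01T10:01:02Z 10.0.0.5 GET https://army-plus.example-corp.workers.dev/ArmyPlusInstaller.exe 200 application/x-msdownload
2024-12-01T10:01:10Z 10.0.0.6 GET https://docs.workers.dev/index.html 200 text/html
2024-12-01T10:02:30Z 10.0.0.7 GET https://armyplus-update.workers.dev/setup.exe 200 application/octet-stream
2024-12-01T10:03:00Z 10.0.0.8 GET https://intranet.example.mil/ArmyPlus.exe 200 application/x-msdownload
"""

# Hypothetical brand keywords for the impersonated application (assumption).
BRAND_KEYWORDS = ("armyplus", "army-plus", "army")
# Default hostname suffix for Cloudflare Workers deployments.
SERVERLESS_HOST_SUFFIXES = (".workers.dev",)
# Content types commonly seen when a Windows executable is served.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)


@dataclass
class Finding:
    ts: str
    client: str
    host: str
    url: str
    reason: str


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL ('' if unparsable)."""
    return (urlsplit(url).hostname or "").lower()


def is_serverless_host(host: str) -> bool:
    return any(host.endswith(suffix) for suffix in SERVERLESS_HOST_SUFFIXES)


def is_brand_lookalike(host: str) -> bool:
    """True when a brand keyword appears anywhere in the hostname."""
    return any(keyword in host for keyword in BRAND_KEYWORDS)


def is_executable_download(url: str, ctype: str) -> bool:
    path = urlsplit(url).path.lower()
    return path.endswith(".exe") or ctype.lower() in EXECUTABLE_TYPES


def analyze(log_text: str) -> list[Finding]:
    """Flag executable downloads from brand-lookalike hosts on serverless platforms."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        host = host_of(m["url"])
        if not (is_serverless_host(host) and is_brand_lookalike(host)):
            continue
        if not is_executable_download(m["url"], m["ctype"]):
            continue
        findings.append(
            Finding(
                ts=m["ts"],
                client=m["client"],
                host=host,
                url=m["url"],
                reason="executable served from brand-lookalike serverless hostname",
            )
        )
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.host} {f.reason}")
```

Only the two `workers.dev` hosts carrying the brand keyword and serving an executable are flagged; the legitimate internal download and the unrelated Workers site are not. In production the brand list, the serverless suffixes and the content types would be tuned to the environment, and a hit would feed into blocking the download and checking the endpoint for the installer.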