U.S. Cyber Command exposes malware targeting Ukrainian entities

The details are part of an effort to help defend critical infrastructure "and our democratic values and institutions," a spokesperson said.

U.S. Cyber Command on Wednesday shared the technical details related to what the agency says are several types of malware targeting Ukrainian entities in recent months.

Ukrainian officials shared the information with the U.S. government, Cyber Command said, and then the agency uploaded various technical details to VirusTotal, Pastebin and GitHub.

The agency did not attribute the malware. But, shortly after the Cyber Command release, cybersecurity firm Mandiant published its own analysis and concluded the activity was “the work of two separate cyber espionage groups.” Those groups — tracked as UNC1151 and UNC2589 — have both been active in targeting Ukraine in multiple operations, Mandiant said.

UNC1151 is thought to be associated with the Belarusian government as part of the ongoing regional disinformation campaign known as Ghostwriter, while UNC2589 is an effort that works in support of Russian government goals, Mandiant said.


Cyber Command said it shared the details as part of an effort to spread awareness.

“[Cyber National Mission Force] is disclosing IOCs in close coordination with our Ukrainian counterparts,” the agency wrote on Pastebin. “The Security Service of Ukraine discovered several types of malware in their country over the last few months, and have analyzed the samples and identified IOCs. The IOCs included 20 novel indicators in various formats.”

In a series of tweets, the agency added that it was sharing the details “to highlight potential compromises & enable collective security.”

A Cyber Command spokesperson told CyberScoop that part of the purpose of sharing the information is “to enable our U.S. government partners, such as DHS and FBI, and industry as well as our international allies and partners to defend critical infrastructure and our democratic values and institutions.”

Earlier Wednesday, Ukraine’s Computer Emergency Response Team (CERT-UA) published a notice about a malicious Microsoft PowerPoint file, writing that based on “the name and content-bait of the PPT document, we assume that the attack was aimed at state organizations of Ukraine.”


The file sought to load the AgentTesla malware onto target machines, the Ukrainians said. AgentTesla, first identified in 2014, is an information-stealing trojan that’s sold and “distributed across a number of underground hacking forums and platforms,” according to a June 2021 analysis from BlackBerry.

The last time Cyber Command shared technical details in this way was in January when it publicly linked the MuddyWater hacking activities to the Iranian Ministry of Intelligence and Security (MOIS).

Russia declared war against Ukraine on Feb. 24, 2022. Before, during and after the military campaign began, the CyberScoop staff has been tracking the cyber dimensions of the conflict.

This story was featured in CyberScoop Special Report: War in Ukraine
