Suspected Russian hacking, influence operations take aim at Ukrainian military recruiting

Google’s Threat Analysis Group and Mandiant said one group is behind the hybrid campaign that takes aim at both recruits and broader recruiting efforts.
Tankers from the 33rd separate mechanized brigade of the Ukrainian Ground Forces fire with a Leopard 2A4 tank during a field training at an undisclosed location in Ukraine on Oct. 27. (Photo by Genya SAVILOV / AFP)

A suspected Russian group is targeting potential Ukrainian military recruits in an espionage campaign that’s running concurrently with an influence operation designed to undermine Ukraine’s broader military mobilization, according to research published Monday.

The hybrid campaign apparently looks to capitalize on fears about a Ukrainian mobilization law that went into effect this year that lowered the minimum conscription age to 25 and that required all draft-age men to update their personal information with the government, Google’s Threat Analysis Group and Google-owned Mandiant said.

The group, labeled UNC5812, seeks to gain access to the devices of potential Ukrainian recruits, using Windows and Android malware delivered by a Telegram persona named “Civil Defense.” It purports to provide software programs that let potential conscripts look at and share crowdsourced locations of recruiters, the researchers said.

The simultaneous influence operation uses its Telegram channel to, among other things, solicit videos from visitors of “unfair actions from territorial recruitment centers.” One such video, allegedly depicting military registration employees beating a man, was later shared by the Russian Embassy in South Africa’s X account.

The researchers first discovered the group’s activity in September, and have shared its information with Ukrainian authorities.

“UNC5812’s hybrid espionage and information operation against potential Ukrainian military recruits is part of a wider spike in operational interest from Russian threat actors following changes made to Ukraine’s national mobilization laws in 2024,” the research states. “In particular, we have seen the targeting of potential military recruits has risen in prominence following the launch of Ukraine’s national digital military ID used to manage the details of those liable for military service and boost recruitment.”

In addition to inducing users to download its malware, the Civil Defense website instructs victims on how to disable Google Play Protect, which scans apps and devices for malware. The researchers noted that this is “an unconventional form of social engineering designed to preempt user suspicions.”

The group also has likely been purchasing promoted posts in authentic Ukrainian-language Telegram channels.

Besides the overlap in Russian government interest in Ukrainian military recruitment and the re-sharing of material on the embassy website, the campaign fits with Russian threat groups’ methods.

“From a tradecraft perspective, UNC5812’s campaign is highly characteristic of the emphasis Russia places on achieving cognitive effect via its cyber capabilities, and highlights the prominent role that messaging apps continue to play in malware delivery and other cyber dimensions of Russia’s war in Ukraine,” the research reads. “We judge that as long as Telegram continues to be a critical source of information during the war, it is almost certain to remain a primary vector for cyber-enabled activity for a range of Russian-linked espionage and influence activity.”

The campaign fits into a long pattern of cyber and disinformation operations that dates to before Russia began its invasion of Ukraine in early 2022.