Ukraine Defense Forces Targeted by SPECTR Malware in SickSync Operation

Defense Forces, SickSync Campaign, SPECTR Malware, targets, Ukraine

Title: The Growing Threat of Cyber Attacks on Ukrainian Defense Forces


In recent years, Ukraine has become a prominent target for cyber attacks, particularly aimed at its defense forces. The Computer Emergency Response Team of Ukraine (CERT-UA) has recently issued a warning about a dangerous cyber espionage campaign called SickSync, orchestrated by a threat actor known as UAC-0020, or Vermin. This campaign exploits a malware called SPECTR to infiltrate defense forces and steal sensitive information. This article delves into the details of this campaign and explores the broader landscape of cyber attacks targeting Ukraine’s defense sector.

The SickSync Campaign and the Vermin Group:

The SickSync campaign is the latest operation carried out by the Vermin group, which was previously active in Ukraine. The Vermin group, also known as UAC-0020, emerged in 2015 and has since been involved in various cyber attacks targeting Ukrainian institutions. It is suspected to have ties with the security agencies of the self-declared Luhansk People’s Republic (LPR), a region that sought sovereignty from Ukraine with the support of Russia.

Attack Methodologies:

The Vermin group employs sophisticated attack methodologies to penetrate the defenses of Ukrainian defense forces. The attacks typically begin with spear-phishing emails, which contain a RAR self-extracting archive file. This archive file contains a decoy PDF file, a trojanized version of the SyncThing application, and a batch script to activate the malware. SPECTR, the malware used in this campaign, serves as an information stealer. It captures screenshots, collects files, extracts data from USB drives, and harvests credentials from popular communication applications like Element, Signal, Skype, and Telegram.

Usage of Legitimate Software for Malicious Purposes:

What makes the SickSync campaign particularly concerning is the exploitation of legitimate software for malicious purposes. The Vermin group utilizes SyncThing, a legitimate file synchronization software, to upload stolen documents, files, and passwords from infected computers. By leveraging the standard synchronization functionality of SyncThing, the actors create a peer-to-peer connection between compromised computers, making it harder to detect their activities.

The Resurgence of Vermin:

After a period of relative inactivity, Vermin has resurfaced with the SickSync campaign. In 2022, the group launched phishing campaigns targeting Ukrainian state bodies to distribute the SPECTR malware. However, Vermin’s history traces back even further, with the first public report on their activities dating back to 2018. The group has been using the SPECTR malware since 2019.

Signal Instant Messaging as a Distribution Vector:

In addition to the SickSync campaign, CERT-UA has also warned about social engineering attacks exploiting the Signal instant messaging app. These attacks leverage a remote access trojan called DarkCrystal RAT, or DCRat, and are attributed to an activity cluster known as UAC-0200. This trend highlights a growing reliance on popular messaging platforms to propagate malware and compromise victims.

The GhostWriter Campaign and the Belarusian Connection:

The discovery of the GhostWriter campaign conducted by Belarusian state-sponsored hackers adds another layer of concern to cyber attacks on Ukrainian defense forces. The GhostWriter campaign utilizes booby-trapped Microsoft Excel documents to infiltrate the Ukrainian Ministry of Defense. Upon execution, the Excel document drops an LNK and a DLL loader file, potentially leading to payloads that include AgentTesla, Cobalt Strike beacons, and njRAT.


The recent surge in cyber attacks targeting Ukrainian defense forces is a matter of grave concern. The SickSync campaign, orchestrated by the Vermin group, showcases the sophistication and persistence of threat actors. By leveraging legitimate software for malicious purposes and exploiting popular communication platforms, these actors manage to evade detection and compromise sensitive information.
To counter these threats, it is crucial for Ukrainian defense forces to enhance their cybersecurity measures, including robust training programs, multi-layered defense systems, and closer collaboration with international cybersecurity organizations. Effective defense against cyber attacks is essential to safeguarding national security and maintaining secure digital infrastructures in the face of evolving threats.

Source link

Leave a Comment