Cybersecurity officials from the Computer Emergency Response Team of Ukraine (CERT-UA) exposed two new hacking campaigns against targets there this week.
One utilized a phony tax collection document purportedly sent by the national tax agency, and the other used a malicious document that discussed the threat of nuclear attack from Russia.
The officials warned that malicious Microsoft Word documents were being distributed by emails supposedly from the State Tax Service of Ukraine.
Once the document was opened, the malware would load a Cobalt Strike Beacon, which gives an attacker a connection to target systems and enables other malicious behavior.
The new hacking campaigns have been linked to a group known as UAC-0098, which has been blamed for targeting other Ukrainian entities in the wake of the Russian invasion on February 24.
The campaigns also show links to TrickBot, a known malware variant associated with various Russian cybercrime groups.
“According to the set of characteristic features, we consider it possible to associate the detected activity with the activities of the APT28 group,” the agency said. APT28, also known as Fancy Bear, is a well-known Russian military intelligence hacking crew.
Ukraine’s State Service of Special Communications and Information Protection said in a statement on its website that the campaign targeted unspecified critical infrastructure within Ukraine.