‘Ukraine warns users against cyber attacks’ involving Telegram Messenger

Tech-security and intelligence experts in Ukraine warn of a new wave of cyber attacks targeting Telegram users.

In order to gain unauthorized access to Telegram records, the criminals sent messages with malicious links to the Telegram website, along with the ability to transfer one-time codes from SMS,” Ukraine’s State Service for Special Communications and Information Protection (SSSCIP) reported the breach in an alert.

According to the intelligence community, these attacks are the result of a threat cluster called “UAC-0094,” which involves Telegram messages warning users that a login from a new device in Russia has been detected, and urging them to confirm their accounts by clicking on a link.


In reality, the URL is a phishing domain which prompts victims to enter their mobile phone numbers and one-time passwords sent via SMS, which are then used by the threat actors to gain access to their accounts.

The modus operandi mirrors that of an earlier phishing attack that was disclosed in early March that leveraged compromised inboxes belonging to different Indian entities to send phishing emails to users of to hijack the accounts.

In another social engineering campaign observed by Ukraine’s Computer Emergency Response Team (CERT-UA), war-related email lures were sent to Ukrainian government agencies to deploy a piece of espionage malware.

The emails come with an HTML file attachment (“War Criminals of the Russian Federation.htm”), opening which culminates in the download and execution of a PowerShell-based implant on the infected host.

CERT-UA attributed the attack to Armageddon, a Russia-based threat actor with ties to the Federal Security Service (FSB) that has a history of striking Ukrainian entities since at least 2013.

In February 2022, the hacking group was connected to espionage attacks targeting government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit organizations with the main goal of exfiltrating sensitive information.

Armageddon, also known by the moniker Gamaredon, is also believed to have singled out Latvian government officials as part of a related phishing attack towards the end of March 2022, employing war-themed RAR archives to deliver malware.

Other phishing campaigns documented by CERT-UA in recent weeks have deployed a variety of malware, including GraphSteel, GrimPlant, HeaderTip, LoadEdge, and SPECTR, not to mention a Ghostwriter-spearheaded operation to install the Cobalt Strike post-exploitation framework.

The disclosure comes as several advanced persistent threat (APT) groups from Iran, China, North Korea, and Russia have capitalized on the ongoing Russo-Ukrainian war as a pretext to backdoor victim networks and stage other malicious activities.

Some sections of this post are sourced from:

Add a Comment

Your email address will not be published. Required fields are marked *