Hackers impersonate Ukraine’s CERT to trick people into allowing computer access

Ukrainian researchers have identified a new cyber campaign in which attackers posed as tech support from Ukraine’s computer emergency response team (CERT-UA) to gain unauthorized access to victims’ devices.

The intruders used AnyDesk, a legitimate remote desktop software, to establish remote access to their computers over the internet, according to CERT-UA’s latest report.

The hackers, whose identities remain unknown, sent connection requests via AnyDesk, claiming they were conducting a “security audit.”

CERT-UA confirmed that, in certain cases, it may use remote access tools like AnyDesk to assist victims in responding to cybersecurity incidents. However, this is done only “with prior agreement and through pre-approved communication channels,” the agency said.

“The attackers are once again using social engineering tactics that rely on trust and exploit authority,” researchers added.

CERT-UA didn’t provide many details about this campaign or the threat actor behind it, but stated that it is likely the victim’s AnyDesk identifier was previously compromised, including on other computers where such remote access was once authorized.

Read More: Russian ransomware hackers increasingly posing as tech support on Microsoft Teams

The hackers, mostly affiliated with Russia, often disguise themselves as Ukrainian state agencies or impersonate official apps and websites to compromise their victims.

In a campaign in December, the Russian state-sponsored threat actor Sandworm targeted Ukrainian soldiers through fraudulent websites that mimicked the official page of a Ukrainian military app.

Earlier last month, suspected Russian hackers targeted Ukrainian military and defense enterprises with phishing emails disguised as invitations to a legitimate defense conference in Kyiv.

The number of cyberattacks targeting Ukraine is growing, according to the latest data. Over the past year, CERT-UA detected more than 4,300 cyber incidents, an increase of nearly 70% compared to the previous year.

The vast majority of incidents involved the spread of malicious software, intrusion attempts and information gathering. The primary initial vector for attacks was the use of compromised accounts and the distribution of malware via email, researchers said.