cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Cyber criminals targeting Telegram accounts, Ukraine warns

Ukraine’s technical security and intelligence service is warning of a new wave of cyber attacks that are aimed at gaining access to users’ Telegram accounts.

user iconReporter
Thu, 07 Apr 2022
expand image

According to a recent State Service of Special Communication and Information Protection (SSSCIP) of Ukraine alert, the criminals sent messages with malicious links to the Telegram website.

“In order to gain unauthorised access to the records, including the possibility to transfer a one-time code from SMS,” the SSSCIP alert read.

The attacks, which have been attributed to a threat cluster called “UAC-0094”, originated with Telegram messages alerting recipients that a login had been detected from a new device located in Russia and urging the users to confirm their accounts by clicking on a link.


The URL, in reality a phishing domain, prompts the victims to enter their phone numbers as well as the one-time passwords sent via SMS that are then used by the threat actors to take over the accounts.

The modus operandi mirrors that of an earlier phishing attack that was disclosed in early March that leveraged compromised inboxes belonging to different Indian entities to send phishing emails to users of Ukr.net to hijack the accounts.

In another social engineering campaign observed by Ukraines Computer Emergency Response Team (CERT-UA), war-related email lures were sent to Ukrainian government agencies to deploy a piece of espionage malware.

The emails come with an HTML file attachment (War Criminals of the Russian Federation.htm), opening this will culminate in the download and execution of a PowerShell-based implant on the infected host.

CERT-UA attributed the attack to Armageddon, a Russia-based threat actor with ties to the Federal Security Service (FSB) that has a history of striking Ukrainian entities since at least 2013.

In February 2022, the hacking group was connected to espionage attacks targeting government, military, non-government organisations (NGOs), judiciary, law enforcement, and non-profit organisations with the main goal of exfiltrating sensitive information.

Armageddon, also known by the moniker Gamaredon, is also believed to have singled out Latvian government officials as part of a related phishing attack towards the end of March 2022, employing war themed RAR archives to deliver malware.

Other phishing campaigns documented by CERT-UA in recent weeks have deployed a variety of malware, including GraphSteel, GrimPlant, HeaderTip, LoadEdge, and SPECTR, not to mention a Ghostwriter-spearheaded operation to install the Cobalt Strike post-exploitation framework.

The disclosure comes as several advanced persistent threat (APT) groups from Iran, China, North Korea and Russia have capitalised on the ongoing Russia-Ukrainian war as a pretext to backdoor victim networks and stage other malicious activities.

[Related: National data protection safeguards up for consultation under government action plan]

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.