
The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) has been monitoring the activity of the UAC-0050 group for a long time.

The group’s activities include:

  • Information theft (cyber espionage).
  • Theft of funds.
  • Information and psychological operations under the “brand” of Fire Cells Group.

Attacks on accountants

During September-October 2024, UAC-0050 gained unauthorized access to accountants’ computers using the REMCOS/TEKTONITRMS software and, from those computers, made at least 30 attempts to steal funds from the accounts of Ukrainian enterprises and individual entrepreneurs by generating or forging financial payments through remote banking systems.

The amounts of such payments range from tens of thousands to several million hryvnias, and the time between the initial compromise of the computer and the theft can be anywhere from several days down to several hours.

In other words, at least two groups, UAC-0006 (active since 2013) and UAC-0050, are involved in stealing money from individuals and legal entities. CERT-UA draws attention to the fact that the money-theft chain, in most cases, ends with the stolen funds being converted into cryptocurrency.

CERT-UA is tracking the cyberattack activity of UAC-0050

A wide range of means

The ability to finance their own crimes intensifies the group’s cyberattacks and lets it purchase (including licensed) software tools for carrying them out, which explains the wide range of programs it uses, such as REMCOS, TEKTONITRMS, MEDUZASTEALER, LUMMASTEALER, XENORAT, SECTOPRAT, MARSSTEALER, DARKTRACKRAT and others.

In addition, it was established that the information and psychological operations carried out on behalf of the Fire Cells Group, under the guise of spreading reports that buildings have been mined (bomb threats), of contract killings or of physical damage to property, are also part of the UAC-0050 group’s activities.


What to do

In order to counter this cyber threat, clients of financial institutions should consider the technical methods their bank offers for verifying payment actions (creation/modification), in particular additional authentication of each payment through a mobile application.

If you are an accountant and your work involves the use of remote banking systems, CERT-UA recommends that you refrain from performing financial transactions until you enable additional payment authentication, apply the recommended (standard) protection policies (SRP/AppLocker, etc.) on your computer and install software protection tools (EDR, “antivirus”, etc.).

The post UAC-0050 group attacks accountants to steal funds first appeared on HiTechExpert.top.