Google Warns Of New Android And Windows Cyber Attack—1 Thing Stops It



    The security researchers at Google’s renowned Threat Analysis Group, alongside threat intelligence specialists from Mandiant, have confirmed a suspected Russian espionage and influence dual-pronged attack has been underway against both Android and Windows users. Here’s what we know so far.

    What We Know About The UNC5812 Cyber Attack

    The UNC5812 cyber attack was discovered by Google TAG and Mandiant in September 2024 and appears to be a hybrid espionage and influence operation carried out by Russian threat actors. Using a Telegram persona identified as “Civil Defense,” the threat intelligence analysts said, the campaign distributes malware to both Android and Windows users under the guise of a free software provider. That free software is aimed squarely at people looking to locate potential military recruiters of conscripts in Ukraine. The distribution channel is both the malicious Civil Defense Telegram channel and a similarly named website. It is thought that the activation of the Telegram channel in September marked the point at which the operation went live, the website domain having been registered earlier, in April.


    The malware itself is operating-system specific and is delivered alongside a decoy application posing as a mapping tool for the aforementioned recruiting locations. “UNC5812 is also actively engaged in influence activity,” a Google TAG spokesperson said, “delivering narratives and soliciting content intended to undermine support for Ukraine’s mobilization efforts.” It is thought that the UNC5812 threat actors are purchasing promoted posts in legitimate, already established Ukrainian-language Telegram channels in order to spread the influence operation further. According to the threat intelligence, the operation also appears to be ongoing: a Ukrainian-language news channel promoting the posts was seen as recently as October 8th. “The campaign is probably still actively seeking new Ukrainian-language communities for targeted engagement,” Google TAG researchers said.

    The Aim Of The Russian Espionage Cyber Attack

    The aim of the Telegram-driven campaign itself is to persuade victims to navigate to the website, where an assortment of malware for both the Android and Windows operating systems can be downloaded. Android users are targeted with a commercially available backdoor application known as CraxsRAT. Google TAG analysts said that the website itself includes support for both iOS and macOS malware, but neither of these payloads was available during the analysis.


    So, how do you avoid getting caught up in this latest threat campaign, assuming you have been targeted and got as far as the malware distribution phase? Make sure you are using Google Play Protect, Google’s TAG researchers said. The UNC5812 actors have gone to some length to persuade Android users to install the app outside of the App Store and its protections, including justifications for the extensive list of user permissions the app requires, ironically framed as being mostly there to protect the security and anonymity of the user.

    “UNC5812’s Civil Defense website specifically included social engineering content and detailed video instructions on how the targeted user should turn off Google Play Protect,” Google TAG said. “Safe Browsing also protects Chrome users on Android by showing them warnings before they visit dangerous sites.” Google’s app scanning infrastructure protects Google Play and powers Verify Apps, which additionally protects users who might get caught up in a cyber attack such as this one through apps installed from outside of Google Play itself.
