CERT-UA

In March 2025, CERT-UA, Ukraine's state computer emergency response team, detected three targeted cyberattacks utilizing WRECKSTEEL malware to exfiltrate sensitive data from government agencies and critical infrastructure. The attacks involved sending spear-phishing emails with malicious links to install VBScript and PowerShell-based versions of the WRECKSTEEL stealer, which searched for and extracted a variety of sensitive file types and took screenshots for reconnaissance and further exploitation. The lack of persistence mechanisms in these tools necessitates immediate reporting of cyber intrusion signs to CERT-UA to initiate protective actions. These incidents underscore the persistent threat landscape facing Ukrainian digital infrastructure in a geopolitically tense environment.

Source: https://securityaffairs.com/176181/cyber-warfare-2/cert-ua-reports-attacks-in-march-2025-targeting-ukrainian-agencies-with-wrecksteel-malware.html

TPRM report: https://scoringcyber.rankiteo.com/company/cert-ua

"id": "cer000040525",
"linkid": "cert-ua",
"type": "Breach",
"date": "4/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Public Sector',
                        'location': 'Ukraine',
                        'name': 'Ukrainian Government Agencies and Critical '
                                'Infrastructure',
                        'type': 'Government'}],
 'attack_vector': 'Spear-phishing emails with malicious links',
 'data_breach': {'data_exfiltration': 'Yes',
                 'file_types_exposed': 'Variety of sensitive file types',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Sensitive file types and '
                                             'screenshots'},
 'date_detected': 'March 2025',
 'description': "In March 2025, CERT-UA, Ukraine's state computer emergency "
                'response team, detected three targeted cyberattacks utilizing '
                'WRECKSTEEL malware to exfiltrate sensitive data from '
                'government agencies and critical infrastructure. The attacks '
                'involved sending spear-phishing emails with malicious links '
                'to install VBScript and PowerShell-based versions of the '
                'WRECKSTEEL stealer, which searched for and extracted a '
                'variety of sensitive file types and took screenshots for '
                'reconnaissance and further exploitation. The lack of '
                'persistence mechanisms in these tools necessitates immediate '
                'reporting of cyber intrusion signs to CERT-UA to initiate '
                'protective actions. These incidents underscore the persistent '
                'threat landscape facing Ukrainian digital infrastructure in a '
                'geopolitically tense environment.',
 'impact': {'data_compromised': 'Variety of sensitive file types',
            'systems_affected': 'Government agencies and critical '
                                'infrastructure'},
 'initial_access_broker': {'entry_point': 'Spear-phishing emails with '
                                          'malicious links',
                           'high_value_targets': 'Government agencies and '
                                                 'critical infrastructure'},
 'lessons_learned': 'Immediate reporting of cyber intrusion signs to CERT-UA '
                    'is crucial.',
 'motivation': 'Data Exfiltration',
 'post_incident_analysis': {'corrective_actions': 'Immediate reporting and '
                                                  'protective actions',
                            'root_causes': 'Spear-phishing attacks utilizing '
                                           'WRECKSTEEL malware'},
 'recommendations': 'Enhance protective actions and monitoring mechanisms.',
 'references': [{'date_accessed': 'March 2025', 'source': 'CERT-UA'}],
 'response': {'third_party_assistance': 'CERT-UA'},
 'title': 'WRECKSTEEL Malware Attacks on Ukrainian Government Agencies and '
          'Critical Infrastructure',
 'type': 'Cyber Espionage'}