16 October 2024

Suspected Russian hackers UAC-0050 expand operations in Ukraine


Ukraine’s CERT published a security advisory detailing activities of a suspected Russian threat actor it tracks as UAC-0050 that has been actively targeting Ukrainian organizations.

Initially focused on cyberespionage and information theft, the group has recently shifted toward psychological operations (PSYOPs) under the Fire Cells Group persona. The authorities say that Fire Cells Group is responsible for cyberattacks, bomb threats, contract killings, and property damage across Ukraine.

Ukrainian officials said that UAC-0050 now primarily targets government entities, though it has expanded its reach, stealing money from private companies through hacking campaigns.

The group has been carrying out cyberattacks on financial systems, using remote access tools such as REMCOS and TEKTONITRMS to gain unauthorized access to accountants' computers.

In September and October 2024 alone, UAC-0050 made at least 30 attempts to steal funds from the accounts of Ukrainian enterprises and private entrepreneurs by manipulating financial transactions in remote banking systems. The sums of these fraudulent transfers varied from tens of thousands to millions of Ukrainian hryvnias, with the time required to carry out the theft ranging from a few hours to several days after initial computer infection. The stolen funds are often converted into cryptocurrency.

Besides REMCOS and TEKTONITRMS, the threat actor employs a variety of information-stealing malware and remote access tools (RATs) such as MeduzaStealer, LummaStealer, XenoRAT, SectopRAT and DarkTrackRAT.

To defend against the threat, experts recommend that organizations implement security measures, including enhanced payment verification processes via mobile apps, as well as application-control mechanisms such as Software Restriction Policies (SRP) and AppLocker. Companies are also advised to install Endpoint Detection and Response (EDR) systems and keep antivirus software up to date.
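The advisory names AppLocker but does not show a policy. The script below is an added example, not code from CERT-UA or from this article: it writes a minimal AppLocker executable policy in audit mode that allows binaries only from the Program Files and Windows folders (plus everything for local Administrators), dry-runs it against a real system binary and a copy of that binary placed in a user-writable folder, applies it, and then reads the audit events. The rule GUIDs, rule names and the temporary file paths are constructed for this example; the cmdlets (Test-AppLockerPolicy, Set-AppLockerPolicy, Get-WinEvent) are the standard Windows ones. It assumes an elevated PowerShell session on a Windows edition that supports AppLocker enforcement, with the Application Identity service (AppIDSvc) running.

```powershell
# Added example (not from the CERT-UA advisory or this article): a minimal AppLocker
# executable policy in audit mode, tested and applied with the built-in AppLocker cmdlets.
# Assumptions: elevated session; AppLocker module present; AppIDSvc running.
# GUIDs, rule names and the file paths below are constructed for this example.

$PolicyPath = Join-Path $env:TEMP 'applocker-exe-audit.xml'

# Allow executables under Program Files and the Windows folder for Everyone (S-1-1-0),
# allow everything for local Administrators (S-1-5-32-544). Anything else, for example
# a RAT dropped into %APPDATA% or Downloads, matches no rule and is reported in audit mode.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-4111-8111-111111111111" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-4222-8222-222222222222" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-4333-8333-333333333333" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
Set-Content -Path $PolicyPath -Value $policyXml -Encoding UTF8

# Build two test subjects: a system binary where it belongs, and a copy of the same
# (signed) binary in a user-writable folder. Only the path decides under this policy.
$systemExe  = Join-Path $env:WINDIR 'System32\notepad.exe'
$droppedExe = Join-Path $env:TEMP 'user-writable-copy.exe'   # constructed path
Copy-Item -Path $systemExe -Destination $droppedExe -Force

# Dry run: evaluate both paths against the policy file without applying it.
# PolicyDecision is Allowed for the System32 copy and DeniedByDefaultRule for the other.
$results = Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $systemExe, $droppedExe -User Everyone
$results | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply in audit mode and merge with any existing local AppLocker policy.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# Event ID 8003 means "allowed to run but would have been blocked if enforced":
# these are the executions to review before switching EnforcementMode to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message

Remove-Item -Path $droppedExe -Force -ErrorAction SilentlyContinue
```

Run the policy in AuditOnly for a period long enough to cover the accounting team's normal software use, review the 8003 events, add publisher or hash rules for legitimate tools that live outside the allowed folders, and only then change EnforcementMode to Enabled. A path-based allow list of this kind is only as strong as the permissions on the allowed folders, so pair it with the EDR and antivirus coverage the advisory recommends rather than relying on it alone.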
