Ukraine warns of massive cyberattack targeting telecommunications

Computer Emergency Response Team of Ukraine (CERT-UA) warns of massive cyberattacks targeting telecom operators. According to the report, CERT-UA received information from a participant in the information exchange about mass emailing between media outlets in Ukraine, including radio stations, newspapers, news agencies, etc. entitled “LIST of links to interactive maps”.

Crescent Imp Malware

The CERT-UA team reports that over 500 destination email addresses have been identified. These emails contain an attached document. Upon opening the attachment, CrescentImp malware download may begin.

Experts warn that cybercriminals are increasingly resorting to email spam from compromised addresses of public institutions.


A report indicates that attackers continue to exploit the vulnerability identified as (CVE-2022-30190) and increasingly use emails from compromised government email addresses.

A remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) is currently identified as CVE-2022-30190. The security issue can be triggered by opening or selecting a specially crafted document and threat actors have been exploiting it in attacks since at least April 2022.

Infection chain dropping CrescentImp malware

Therefore, this activity is tracked by UAC-0113, assigned to the Sandworm group with a medium level of certainty. Notably, this group was involved in coordinating a massive attack on Ukraine’s energy sector in April.

Sandworm is a Russian threat actor associated (in MITER’s ATT&CK catalog) with the Russian military intelligence service GRU and perhaps best known for its role in the 2015 and 2016 cyberattacks against sections of the Ukrainian power grid. This group has also been singled out for the NotPetya pseudo-ransomware attack in 2017 and the Olympic Destroyer incident in 2018.

CERT-UA has provided a set of Indicators of Compromise to help defenders identify CrescentImp infections. Nevertheless, it is not known what type of malware family CrescentImp belongs to or what its functionality is. CERT-UA hashes show no detection at this time on the Virus Total analysis platform.

You can follow us on Linkedin, TwitterFacebook for daily cybersecurity updates.