Bitdefender warns Romania targeted by data theft spy group

Bitdefender Labs has issued a warning about an ongoing cyber espionage campaign orchestrated by the UAC-0063 group. Using sophisticated tactics, the attackers are targeting government and diplomatic entities in Central Asia and Europe, including Romania.

Who is UAC-0063 and how do they operate?

UAC-0063 is a group specializing in cyber espionage and stealing sensitive data. Active since 2022, the group initially targeted Central Asia but has now expanded its operations to Europe, including embassies and government institutions in Germany, the Netherlands, the UK, Georgia, and Romania.

The attackers have developed an advanced technique built on compromised Word documents. These files are distributed via phishing emails and contain malicious macros. Once enabled, the macros install malware on the victim's device. In some cases, the attackers have reused authentic documents previously stolen from diplomatic institutions.

How does the attack happen?

  1. The attack starts with a phishing email that contains a link to a compromised Word document.
  2. Upon opening the file, the user is prompted to enable macros, a social engineering lure that claims this is necessary to view the content. Once enabled, the macros trigger the installation of the malware.
  3. Once infected, the device begins transmitting data to the attacker’s servers and may be used for further attacks on other targets.
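A defender-side triage check for the attack chain above: it inspects a Word OOXML container for the VBA project part instead of trusting the file extension. This is an added example, not Bitdefender's or Romania Journal's code; the sample containers it builds are constructed stand-ins, not real documents.

```python
"""Triage check for macro-bearing Word documents (OOXML / .docm).

Added example, not code from the article or from Bitdefender. The sample
containers built below are constructed for the demonstration only.
"""
import io
import zipfile

# Parts whose presence means the document carries VBA macro code.
MACRO_PARTS = ("word/vbaProject.bin", "word/vbaData.xml")
# Content type Word assigns to the VBA binary part in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

def inspect_docx(data: bytes) -> dict:
    """Return which macro indicators are present in an OOXML document blob."""
    result = {"is_ooxml": False, "macro_parts": [], "vba_content_type": False}
    if not data.startswith(b"PK\x03\x04"):
        return result  # not a zip container: legacy .doc or something else
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        result["macro_parts"] = sorted(n for n in names if n in MACRO_PARTS)
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["vba_content_type"] = VBA_CONTENT_TYPE in ctypes
    return result

def has_macros(data: bytes) -> bool:
    r = inspect_docx(data)
    return bool(r["macro_parts"]) or r["vba_content_type"]

def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ctypes = ['<?xml version="1.0"?><Types>']
        if with_macro:
            ctypes.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
        ctypes.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(ctypes))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

if __name__ == "__main__":
    for label, flag in (("clean", False), ("macro", True)):
        print(label, has_macros(build_sample(flag)))
```

Because the check reads the container rather than the file name, a macro-enabled document delivered with a misleading extension is still flagged at the mail gateway or in a triage pipeline.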

UAC-0063 attacks have been confirmed in Romania, including attempts that used more sophisticated variants of the malware. On April 4, 2024, a compiled version of this malware, protected by advanced code obfuscation techniques, was detected on a system in Romania.

CERT-UA (Ukraine’s Cyber Incident Response Team) attributes UAC-0063 to the Russian APT28 (BlueDelta) group, though there is no clear technical evidence to confirm this. Despite the similarities in tactics, the connection remains speculative. However, the attacks targeting diplomatic and government entities in regions of interest to Russia raise questions about a potential geopolitical motive behind these operations.

Recommended Protection Measures

To effectively combat cyber threats, both past and future, a multi-layered security strategy is essential.

Prevention:
The first step in reducing attack risk is minimizing exposure. Proactive risk management, including vulnerability assessments and threat scenarios, helps identify and eliminate weaknesses before they can be exploited by attackers like UAC-0063.

Protection:
Implementing multiple layers of security for devices and users makes it significantly harder for attackers to gain access. Striking a balance between blocking dangerous activity and merely flagging suspicious behavior is crucial to avoiding false alerts that could disrupt operations.

Detection and Rapid Response:
Most modern attacks unfold over several days or weeks, during which attackers expand their access to new systems and data. Research indicates that attackers often leave signals that can be detected. However, two major issues impede effective response:

  • Lack of Advanced Monitoring Solutions such as EDR (Endpoint Detection and Response) or XDR (Extended Detection and Response), which can identify and correlate suspicious behaviors even when they are not immediately recognized as malicious.
  • Limited Analysis and Response Capacity: Even when security solutions detect anomalies, security teams must investigate and act quickly. A lack of specialized personnel or resources can cause delays, allowing attackers to continue their operations.

Indicators of Compromise (IOCs):
Appropriate threat intelligence solutions provide crucial information about cyberattacks. Bitdefender IntelliZone is an intuitive platform that centralizes this data and the actors involved, offering security analysts access to advanced malware analysis services. Additional information is structured in the platform under Threat ID BDb3u1e5tx.
