Key Points
- MCTO1025, also referred to as UCA-0050, is a cybercrime group conducting a sustained, year-long campaign targeting Ukraine, Romania, and Moldova from infrastructure on a single ASN
- Sophisticated social engineering campaigns impersonating Ukrainian and Russian security services, evacuation plans, and military mobilization communications
- Notable compromise of Moldovan TV8 channel used for group self-promotion and disinformation operations in January 2024
- Recruitment campaigns offering "safe passage" to Russia designed to facilitate money mule operations and intelligence gathering
- Malware distribution focuses on commodity Remote Access Trojans including QuasarRAT, RemoteUtilities, RemcosRAT, and RuRAT
- Recent campaign evolution includes deployment of AnonVNC loader through Ukrainian Security Service impersonation
Campaign Overview
The Mimecast Threat Research team continues to monitor sustained malicious activity conducted since 2023 by MCTO1025, a cybercrime group that has maintained consistent operations targeting Ukraine and the neighbouring countries Romania and Moldova. The group demonstrates a sophisticated understanding of regional geopolitical tensions and leverages conflict-related themes to achieve high victim engagement rates across the targeted populations. Its operations encompass diverse social engineering approaches designed to exploit the ongoing conflict and the associated humanitarian concerns.
Campaign themes include impersonation of Ukrainian and Russian security services, distribution of fake airstrike evacuation plans, fraudulent military mobilization communications, and offers of safe passage from conflict zones.
Notable Campaigns in 2024
TV8 Moldova Hack
In early January 2024, the email account of the Moldovan TV channel TV8 was compromised and used to send mail with the subject 'Press Release from TV8 - Пресс - Релиз от телекомпании TV8', offering an interview with the founder of a hacker group. The following explanation, translated from the original Russian, appeared on mediacritica.md (Официальная электронная почта TV8 подверглась кибератаке. Комментарий телеканала - Mediacritica):
On the night of January 8-9, the official email of TV8 was subjected to a cyber attack. According to the media outlet, the attackers, on behalf of the TV channel, sent a message to several individuals and agencies, stating that a journalist from the editorial office of the Tv8.md website had interviewed the founder of the hacker group DaVinci Group-DVG8873, which positions itself as an "independent cyber force against Ukraine and NATO countries." In a comment for Mediacritica, TV8 editor-in-chief Mariana Rață noted that this is not the first time that Moldovan media have been subjected to cyber attacks.
According to checks carried out by TV8 technical specialists, the attack was carried out from an IP address managed from a host in Amsterdam, the Netherlands. "The owner of the hosting company is the British company Aeza International LTD, founded by a citizen of Kazakhstan - Marat Timurov. Aeza International is one of the most popular hosting companies in Russia and is presented on several specialized sites as a Russian company. TV8 contacted this company with a request to provide information about the users of the IP address from which the cyber attack was carried out, but we have not received a response yet," said Mariana Rață.
According to the source, “the same night, the e-mail of the state-owned company Moldelectrica was also subjected to a similar cyberattack. The same text message was sent from the corporate mail of Moldelectrica.”
Online harassment campaigns, hacking of social media accounts, DDoS (Distributed Denial of Service) attacks or phishing are just some of the digital threats that the press in the Republic of Moldova faces, according to a study published by the Independent Journalism Center. Representatives of several media outlets covered by the study noted that in 2023, especially during August and September, their websites were the target of DDoS attacks, causing blockages that lasted from a few minutes to several hours.
SP.md portal manager Veaceslav Perunov confirmed that the media outlet he manages was subjected to DDoS attacks in August 2023, when several media outlets simultaneously experienced this phenomenon. "The site went down, but not for long. Our server coped," Perunov said. Studio-L portal editor Renata Lupachescu spoke about the attack in September 2023: "We were subjected to a DDoS attack, the site went down and did not work for about four hours, then we solved the problem." In October-November 2023, Nokta.md was subjected to DDoS attacks four or five times, and TV8 was subjected to such attacks three times.
Dimakatso Makinta