The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of ongoing attempts by unknown threat actors to impersonate the cybersecurity agency by sending AnyDesk connection requests.
The AnyDesk requests claim to be for conducting an audit to assess the “level of security,” CERT-UA added, cautioning organizations to be on the lookout for such social engineering attempts that seek to exploit user trust.
“It is important to note that CERT-UA may, under certain circumstances, use remote access software such as AnyDesk,” CERT-UA said. “However, such actions are taken only after prior agreement with the owners of objects of cyber defense through officially approved communication channels.”
However, for this attack to succeed, it’s necessary that the AnyDesk remote access software is installed and operational on the target’s computer. It also requires the attacker to be in possession of the target’s AnyDesk identifier, suggesting that they may have to first obtain the identifier through other methods.
To mitigate the risk posed by these attacks, it’s essential that remote access programs are enabled only for the duration of their use and the remote access is coordinated through official communication channels.
News of the campaign comes as Ukraine’s State Service for Special Communications and Information Protection (SSSCIP) revealed that the cyber agency’s incident response center detected over 1,042 incidents in 2024, with malicious code and intrusion efforts accounting for more than 75% of all the events.
“In 2024, the most active cyber threat clusters were UAC-0010, UAC-0050, and UAC-0006, specializing in cyber espionage, financial theft, and information-psychological operations,” the SSSCIP said.
UAC-0010, also known as Aqua Blizzard and Gamaredon, is estimated to be behind 277 incidents. UAC-0050 and UAC-0006 have been found to be linked to 99 and 174 incidents, respectively.
The development also follows the discovery of 24 previously unreported .shop top-level domains likely associated with the pro-Russian hacking group known as GhostWriter (aka TA445, UAC-0057, and UNC1151) by connecting disparate campaigns targeting Ukraine last year.
An analysis undertaken by security researcher Will Thomas (@BushidoToken) found that the domains used in these campaigns used the same generic top-level domain (gTLD), the PublicDomainsRegistry registrar, and Cloudflare name servers. All the identified servers also have a robots.txt directory configured.
As the Russo-Ukrainian war approaches the end of its third year, cyber-attacks have also been recorded against Russia with an aim to steal sensitive data and disrupt business operations by deploying ransomware.
Last week, cybersecurity company F.A.C.C.T. attributed the Sticky Werewolf actor to a spear-phishing campaign directed against Russian research and production enterprises to deliver a remote access trojan known as Ozone that’s capable of granting remote access to infected Windows systems.
It also described Sticky Werewolf as a pro-Ukrainian cyberspy group that mainly singles out state institutions, research institutes, and industrial enterprises in Russia. However, a previous analysis from Israeli cybersecurity company Morphisec pointed out that this connection “remains uncertain.”
It’s not known how successful these attacks were. Some of the other threat activity clusters that have been observed targeting Russian entities in recent months include Core Werewolf, Venture Wolf, and Paper Werewolf (aka GOFFEE), the last of which has leveraged a malicious IIS module called Owowa to facilitate credential theft.
