Press Release

Russia-aligned cyber espionage attack from FlyingYeti on Ukraine, blocked

Cloudflare’s threat intelligence team – Cloudforce One – just disclosed a month-long phishing espionage attack targeting Ukraine that was carried out by the Russia-aligned threat actor tracked as FlyingYeti (FlyingYeti, also tracked as UAC-0149, is known for targeting the Ukrainian military with COOKBOX malware).


The campaign leveraged a moratorium on evictions and termination of utility services for unpaid debt introduced by the Ukrainian government. The moratorium ended in January 2024, resulting in significant debt liability and financial stress for Ukrainian citizens. FlyingYeti capitalized on this anxiety by enticing targets to open malicious files via debt-themed lures.


Linked here is the full threat brief, with high-level details pasted below.


HIGH-LEVEL BACKGROUND:

  • The Cloudforce One team has been investigating a phishing espionage campaign carried out by the Russia-aligned threat actor FlyingYeti against Ukraine. FlyingYeti (UAC-0149) is known for targeting the Ukrainian military with COOKBOX malware.

  • The campaign leveraged a moratorium on evictions and termination of utility services for unpaid debt introduced by the Ukrainian government. The moratorium ended in January 2024, resulting in significant debt liability and financial stress for Ukrainian citizens.

  • The FlyingYeti campaign capitalized on this anxiety over the potential loss of access to housing and utilities by enticing targets to open malicious files via debt-themed lures.


TARGETING DETAILS:

  • ~94% of targeted devices were located in Ukraine

  • All targeted devices outside of Ukraine were located in NATO countries

  • Many targets connected via Starlink instances located in Ukraine, Poland, and Slovakia


OVERARCHING TIMELINE:

  • On April 18, 2024, Cloudforce One detected the Russia-aligned threat actor FlyingYeti preparing to launch a phishing espionage campaign targeting individuals in Ukraine.

  • The actor used similar Tactics, Techniques, and Procedures (TTPs) as those detailed in Ukrainian CERT’s article on UAC-0149 – a threat group that has primarily targeted Ukrainian government and defense entities with COOKBOX malware since at least the fall of 2023.

  • From mid-April to mid-May, we observed FlyingYeti conduct reconnaissance activity, create lure content for use in their phishing campaign, and develop various iterations of their malware. We assessed that the threat actor intended to launch their campaign in early May, likely following Orthodox Easter.

  • After several weeks of monitoring actor reconnaissance and weaponization activity (Cyber Kill Chain Stages 1 and 2), we successfully disrupted FlyingYeti’s operation moments after the final COOKBOX payload was built.


COUNTERMEASURES:

  • If opened, the files would result in infection, allowing FlyingYeti to carry out activities like installation of additional payloads and control over the victim system.

  • Cloudflare countermeasures prolonged FlyingYeti’s operational timeline from days to weeks – in one instance, FlyingYeti spent almost eight hours debugging their code as a result of Cloudflare mitigations. By employing proactive defense measures, we successfully stopped FlyingYeti from achieving their objectives.

  • Cloudflare is notifying Ukraine CERT, NATO, the US government and industry partners to ensure that FlyingYeti’s continued efforts with this campaign are rendered obsolete.