The security researchers at Google\u2019s renowned Threat Analysis Group, alongside threat intelligence specialists from Mandiant, have confirmed a suspected Russian espionage and influence dual-pronged attack has been underway against both Android and Windows users. Here\u2019s what we know so far.<\/p>\n
What We Know About The UNC5812 Cyber Attack<\/p>\n
The UNC5812 cyber attack was discovered by Google TAG and Mandiant during September, 2024, and appears to be a hybrid espionage and influence operation carried out by Russian threat actors. Using a Telegram persona identified as \u201cCivil Defense” the threat intelligence analysts said that the campaign was being used to distribute malware to both Android and Windows users under the guise of a free software provider. The nature of that free software being targeted directly at people looking to find potential military recruiters of conscripts in Ukraine. The distribution channel is both via the malicious civil defense Telegram channel and a similarly named website. It is thought that the activation of the Telegram channel in September signaled when the operation went live, with the website domain having been registered earlier in April.<\/p>\n
Naming the group behind the UNC5812 cyber attack as APT29, a Russian state-sponsored threat actor also known less formally as Midnight Blizzard or Cozy Bear, Amazon has confirmed that it has worked behind the scenes to seize the domains used in this campaign. Formerly the technical analysis lead for computer and network intrusion in the Federal Bureau of Investigation\u2019s Cyber Division and a special agent with the Air Force Office of Special Investigations, CJ Moses is now the chief information security officer at Amazon. Writing on LinkedIn, Moses thanked the cyber threat intelligence teams at both Amazon and CERT-UA for their efforts \u201cto make the internet more secure.\u201d APT29 is not to be confused with APT28, known as Fancy Bear, another Russian state-sponsored attack group also currently engaged in targeted anti-Ukraine cyber attack activity.<\/p>\n