Russian espionage mission to subvert Ukrainian conscription uncovered by Google TAG

News
By published

Anti-conscription messaging lures potential recruits to download malware disguised as a crowd-sourced mapping application

The Civil Defense logo
(Image credit: Google TAG)

Google’s Threat Analysis Group (TAG), alongside Mandiant, has released findings on what it suspects is a Russian espionage and influence campaign designed to demotivate Ukrainian soldiers and infect devices with malware.

The group has been labeled UNC5812, and established themselves as an anti-conscription group called ‘Civil Defense’ that offered apps and software to allow would-be conscripts to view real-time locations of Ukrainian military recruiters.

However, the applications would instead deliver malware alongside a decoy mapping application tracked by Google TAG and Mandiant as SUNSPINNER.

Civil Defense influence campaign

“The ultimate aim of the campaign is to have victims navigate to the UNC5812-controlled “Civil Defense” website, which advertises several different software programs for different operating systems. When installed, these programs result in the download of various commodity malware families,” the Google Threat Intelligence blog stated.

The Civil Defense website was established as early as April 2024, however the Telegram account which granted a high through-put of users to the website was only set up in September 2024.

It is understood the group paid for sponsored posts in popular Telegram groups, one of which was used to deliver missile alerts to its 80,000 subscribers.

When users were directed to the website, they were faced with a choice of files aimed at different operating systems that the victims expected to be some form of mapping software for real time updates on the location of Ukrainian military recruiters. Users would instead find their device infected with SUNSPINNER malware and infostealers.

The website also offered justification for the applications not being available through the App Store, stating that by downloading the application through the website, Civil Defense would “protect the anonymity and security” of its users from the App Store. The website also contained video instructions on how to install the applications, and how to disable Google Play Protect.

The Civil Defense telegram page also requested user video submissions of “unfair actions from territorial recruitment centers,” which Civil Defense would post to enhance its anti-conscription messaging and potentially drive more people to download the military recruitment monitoring app.

The SUNSPINNER app consists of a decoy GUI that shows a mapping tool with crowdsourced marker locations for Ukrainian recruiters. While the marker locations look to be legitimate, Google TAG and Mandiant found that the markers were all added by a single person on the same day.

The malware and influence campaign is said to still be underway, with a sponsored post for the group appearing in a Ukrainian news channel as recently as October 8.

More from TechRadar Pro

TOPICS
Benedict Collins
Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.

Read more
Spyware
Government-linked Italian spyware maker caught distributing malicious Android apps
A smartphone on a sofa showing the WhatsApp, Telegram and Signal apps
Russian criminal gang Star Blizzard found hitting WhatsApp accounts
QR Code
Hackers are targeting Signal with new QR code-linked cyberattack
Russia
Major Russian hacking group shifts focus to US and UK targets
Android phone malware
This nasty Android malware is posing as the Telegram Premium app
DeepSeek
Fake DeepSeek installers are infecting your device with dangerous malware
Latest in Pro
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Teams
Microsoft Teams is finally adding a tiny but crucial feature I honestly can't believe it never had
Oracle
Oracle denies data breach after hacker claims to hold six million records
Judge sitting behind laptop in office
A day in the life of an AI-augmented lawyer
Latest in News
A phone showing a ChatGPT app error message
ChatGPT is down for many – here's what's going on
A woman sitting in a chair looking at a Windows 11 laptop
It looks like Microsoft might have thought better about banishing Copilot AI shortcut from Windows 11
Tesla Roadster 2
Tesla is still taking deposits on its long overdue Roadster, despite promising it would arrive in 2020
Samsung HW-Q990D soundbar with Halloween theme over the top
Samsung promises to repair soundbars bricked by its disastrous software update for free – but it'll probably involve shipping
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
DJI Mavic 3 Pro
More DJI Mavic 4 Pro leaks seemingly reveal launch date, price and key features of the triple camera drone – here's what to expect
More about pro
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol

Coinbase targeted after recent Github attacks
Oracle

Oracle denies data breach after hacker claims to hold six million records
A phone showing a ChatGPT app error message

ChatGPT is down for many – here's what's going on
See more latest
Most Popular
A phone showing a ChatGPT app error message
ChatGPT is down for many – here's what's going on
A woman sitting in a chair looking at a Windows 11 laptop
It looks like Microsoft might have thought better about banishing Copilot AI shortcut from Windows 11
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
Surface Laptop 7
Amazon warns customers about the Surface Laptop – and it’s not just bad news for Microsoft
vector isometric illustration of a handheld gaming console
SteamOS is about to change handheld gaming PCs as HP finally considers ditching Windows 11
Oracle
Oracle denies data breach after hacker claims to hold six million records
Tesla Roadster 2
Tesla is still taking deposits on its long overdue Roadster, despite promising it would arrive in 2020
DJI Mavic 3 Pro
More DJI Mavic 4 Pro leaks seemingly reveal launch date, price and key features of the triple camera drone – here's what to expect
De'Longhi Linea Classic espresso machine on kitchen counter with hot and cold coffee drinks
I'm a qualified barista, and De'Longhi's latest espresso machine could be this year's best budget buy for coffee lovers
Man sitting on sofa, drinking coffee, looking at phone in surprise
Thousands of coffee lovers warned to stop using their espresso machines immediately after reports of burns and lacerations