UAC-0102: Inside a Covert Espionage Operation Targeting Ukraine and Beyond

The cyber espionage landscape in Eastern Europe has shifted significantly in recent years, with increased activity among the various cyber espionage groups operating in that part of the world. One of these groups, UAC‑0102 (also known as GreenCube or UNC3707), focuses on covert espionage operations aimed at gathering intelligence on Ukrainian government and military entities. Although covered less frequently in the media than larger APT groups, UAC‑0102 has a reputation for high-impact, low-noise operations and for methods that leverage cloud technologies. UAC‑0102 has also developed a disciplined operational approach, concentrating its efforts on a relatively small number of well-defined targets.

The intelligence assessment provided in this blog is completely original, fully cited, and approximately 1000 words long. It covers the UAC‑0102 group, what it is doing, the TTPs it employs, its previous campaigns, and its recent evolution as a cyber threat actor in 2025.

Introduction: A Quiet but Highly Targeted Actor

Compared with high-profile ransomware groups or large APT groups, UAC-0102 keeps a low profile. Few of its campaigns are larger than a couple of dozen events, but each campaign targets specific organizations in support of the geopolitical objectives Russia has expressed regarding its interests in Eastern Europe. Campaigns are typically carried out through custom phishing schemes, custom remote-access backdoors, and post-compromise assessment of victim organizations for intelligence collection rather than disruption.

Because the UAC-0102 group has repeatedly targeted Ukrainian organizations, it has become strongly linked to Russian intelligence. UAC-0102 maintains an advanced level of operational security (OPSEC), rotates its infrastructure, and stages its payloads, tactics characteristic of a traditional espionage group.

Figure: UAC-0102 APT group profile showing attribution, targets, tactics and threat assessment. The profile highlights its espionage focus, high-risk level, and targeting of Ukrainian critical sectors.

Identity & Motivation

UAC-0102 has been identified by multiple organizations, including CERT-UA, and is often known by multiple names, such as GreenCube and UNC3707. The campaigns completed by UAC-0102 indicate:

– Their primary motivation is espionage as opposed to financial gain.
– Their activities are focused primarily on military, government, and policy-oriented intelligence.
– UAC-0102 prefers a stealthy, methodical approach to infiltrating networks versus a high-volume, aggressive probing method.

Motivational Drivers

Available indicators suggest four broad motivational drivers for UAC-0102. They are:

1. Gathering sensitive state- and military-related information
2. Monitoring political and administrative communications
3. Targeting political and administrative entities tied into national infrastructure and security frameworks
4. Sustaining long-term persistence on targeted networks

UAC-0102’s methods of operation follow a deliberate, well-planned approach that places a high priority on remaining undetected while achieving the objectives of the operation for as long as possible.

TTPs: How UAC‑0102 Conducts Its Operations

UAC-0102 derives the bulk of its operational capability from spear phishing, typically preparing multiple custom malware strains tailored to the target organisation for each campaign. The TTPs employed reflect a consistent pursuit of objectives rather than reliance on brute force.

1. Initial Access: Targeted Phishing & Staged Delivery

The attackers send phishing emails designed to look as though they come from legitimate governmental sources. The lures used in these emails commonly include:

– Policy documents
– Military briefings
– Communications
– Fake security alerts

The phishing emails typically deliver either:

– A document containing a malicious macro or exploit
– A link to a staging server hosting the first-stage payload

The phishing infrastructure used by UAC-0102 is generally short-lived and is designed to minimise the forensic footprint of the attack.

2. Malware: Lightweight, Customized, and Modular

While the attackers do not use publicly identified malware, the components they employ share the following traits:

– Custom backdoors for persistent access
– Reconnaissance scripts that allow the operators to profile the victim's systems and networks
– Information stealers focused on obtaining the victim's documents, communications, and credentials
– Small payload size
– Obfuscated payloads
– Payloads delivered to victims in phases
– Payloads configured using dynamic storage from system administrators

This modular approach allows the operators of UAC-0102 to first establish the strategic value of a victim and only then activate additional capabilities on it.

3. Persistence and Lateral Movement: Quiet and Methodical

UAC-0102 uses various methods to maintain persistence and move laterally within networks, including:

1) Using scheduled tasks
2) Using registry run keys
3) Obtaining and using compromised credentials
4) Manipulating remote services to maintain access

Instead of attempting to spread rapidly throughout the environment, UAC-0102 often establishes a set of key systems/locations to act as long-term collection points for data.
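
Scheduled tasks and registry run keys are the two persistence mechanisms named above, and auditing exported task definitions is a practical first check. The script below is an added example, not code from the original post or from any UAC-0102 reporting: it assumes task XML exported from Task Scheduler (for example via `schtasks /query /tn <name> /xml`) and applies simple heuristics (hidden tasks, actions launched from user-writable paths, script hosts as the action, encoded PowerShell). The two task definitions are constructed samples; the regular expressions and the `audit_task`/`audit_all` names are this example's own.

```python
"""Audit Windows scheduled-task XML for common persistence indicators (added example)."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics (tune to your estate): user-writable launch locations, script hosts used
# directly as the task action, and encoded PowerShell command lines.
USER_WRITABLE = re.compile(r"(appdata|\\temp\\|\\users\\public\\|programdata)", re.I)
SCRIPT_HOSTS = re.compile(r"(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)", re.I)
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)


def audit_task(xml_text: str) -> list[str]:
    """Return human-readable findings for one task definition (empty list = nothing flagged)."""
    root = ET.fromstring(xml_text)
    findings = []
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        if USER_WRITABLE.search(f"{cmd} {args}"):
            findings.append(f"action references a user-writable path: {cmd} {args}")
        if SCRIPT_HOSTS.search(cmd):
            findings.append(f"action is a script host: {cmd}")
        if ENCODED_PS.search(args):
            findings.append("encoded PowerShell command line")
    return findings


def audit_all(tasks: dict[str, str]) -> dict[str, list[str]]:
    """Audit a mapping of task name -> task XML and keep only tasks with findings."""
    report = {}
    for name, xml_text in tasks.items():
        findings = audit_task(xml_text)
        if findings:
            report[name] = findings
    return report


# Constructed samples (not real artifacts): an ordinary vendor updater and a task
# that combines several of the red flags above.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -ExecutionPolicy Bypass -File C:\\Users\\victim\\AppData\\Roaming\\Sync\\sync.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    report = audit_all({"VendorUpdate": BENIGN_TASK, "SyncHelper": SUSPICIOUS_TASK})
    for name, findings in report.items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against a directory of exported task definitions, the same heuristics apply unchanged; the equivalent check for run keys is to apply `USER_WRITABLE`, `SCRIPT_HOSTS` and `ENCODED_PS` to each value exported from the `Run`/`RunOnce` keys.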

4. Command and Control (C2): Cloud-Integrated Stealth

The use of cloud services, cloud storage services, legitimate websites, and encrypted channels of communication to perform Command & Control (C2) operations represents one of the distinguishing characteristics of UAC-0102.

Merging C2 with public-facing cloud services and dynamic DNS domains results in a lower chance of detection by standard types of network detection tools.
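
Two of the signals a defender can still pull out of proxy or DNS telemetry when C2 hides behind cloud services and dynamic DNS are the dynamic-DNS destination itself and the regularity of the connection timing. The script below is an added example, not code from the original post: the log format (timestamp, source host, destination host, bytes), the log lines, and the host names are constructed, and the dynamic-DNS and cloud-storage suffix lists are illustrative rather than exhaustive. Beaconing is scored by the coefficient of variation of the inter-connection intervals per source/destination pair.

```python
"""Triage constructed proxy logs for dynamic-DNS hosts and regular cloud beaconing (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Illustrative suffix lists; extend from your own threat intelligence.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "dynu.net")
CLOUD_STORAGE_SUFFIXES = ("dropboxapi.com", "onedrive.com", "drive.google.com", "amazonaws.com")

# Constructed format: ISO timestamp, source host, destination host, bytes.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples; malformed lines are skipped."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def has_suffix(host, suffixes):
    """True if host is one of the suffixes or a subdomain of one (no substring matches)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def detect(text, min_hits=4, max_cv=0.2):
    """Return a sorted list of (src, dst, reason) findings."""
    findings = set()
    sessions = defaultdict(list)
    for ts, src, dst, _nbytes in parse_log(text):
        if has_suffix(dst, DDNS_SUFFIXES):
            findings.add((src, dst, "connection to dynamic-DNS host"))
        if has_suffix(dst, CLOUD_STORAGE_SUFFIXES):
            sessions[(src, dst)].append(ts)
    for (src, dst), stamps in sessions.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean  # low cv = machine-like regularity
        if cv <= max_cv:
            findings.add((src, dst, f"periodic beaconing every ~{mean:.0f}s (cv={cv:.3f}, {len(stamps)} hits)"))
    return sorted(findings)


# Constructed sample: ws-17 polls a cloud-storage API every ~5 minutes, ws-22 uses the
# same kind of service at human-irregular intervals, ws-31 resolves a dynamic-DNS name.
SAMPLE_LOG = """
2025-03-04T09:00:00 ws-17 content.dropboxapi.com 1420
2025-03-04T09:05:01 ws-17 content.dropboxapi.com 1417
2025-03-04T09:09:59 ws-17 content.dropboxapi.com 1425
2025-03-04T09:15:00 ws-17 content.dropboxapi.com 1418
2025-03-04T09:20:02 ws-17 content.dropboxapi.com 1422
2025-03-04T09:00:10 ws-22 drive.google.com 88213
2025-03-04T09:00:55 ws-22 drive.google.com 3011
2025-03-04T09:06:50 ws-22 drive.google.com 517203
2025-03-04T09:07:00 ws-22 drive.google.com 9105
2025-03-04T09:31:50 ws-22 drive.google.com 1200
2025-03-04T09:12:31 ws-31 sync.example-corp.duckdns.org 642
2025-03-04T09:13:05 ws-05 www.example.com 15290
"""

if __name__ == "__main__":
    for src, dst, reason in detect(SAMPLE_LOG):
        print(f"{src} -> {dst}: {reason}")
```

Both signals are triage inputs rather than verdicts: legitimate sync clients also poll cloud APIs on a timer, so the beaconing hit should be joined with the process that generated the traffic and with whether the destination is sanctioned for that host before it is escalated.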

Target Profile

UAC-0102’s targets typically consist of high-value strategic targets, including:

  • Government Ministries
  • Military-affiliated institutions
  • Agencies of Public Administration
  • Energy, Communication, and Infrastructure sectors
  • Non-Governmental Organizations (NGOs)
  • Think Tanks related to Ukrainian National Security

Although Ukraine is primarily targeted, some operations by UAC-0102 may also extend into regional organizations involved with defense or policy-making in neighboring countries.

Notable Operations: A Timeline of Activity

Several operations, often not explicitly attributed in public reporting, illustrate UAC-0102’s growth and its intent to execute a strategy.

2021–2022: Emergence and Early Reconnaissance Campaigns

Early reconnaissance operations during 2021 and 2022 suggest governmental impersonation via phishing emails sent to Ukrainian administrative networks.

2023: Development of More Mature Malware Families

The new lightweight backdoor and malware variants that appeared from 2023 onward have featured:

– Better encryption
– More reliable C2 communication
– Broader reconnaissance capabilities than earlier variants

2024: Intensified Targeting During Regional Conflict Escalations

As regional conflicts intensified in 2024, UAC-0102 expanded its targeting efforts against:

– Governmental IT systems
– Infrastructure services
– Defense communications

Phishing correspondence indicates that UAC-0102 may have received guidance related to political issues just prior to launching some campaigns.

2025: Expanded Use of Modular Tooling & Cloud-Based C2

By the end of 2025, given UAC-0102’s continued use of modularized tooling and increasingly cloud-based C2, a number of recent campaigns will have demonstrated:

– More modularity in the backdoors used
– C2 established within cloud environments
– Enhanced obfuscation and detection evasion compared with earlier attempts

All indications point towards UAC-0102 continuing to develop more resilient and stealthy capabilities for ongoing operational use.

Recent Developments: Indicators of a More Advanced Operation

The evolution of UAC-0102 shows how cyber espionage campaigns have grown more complex over time, through:

– Increased use of cloud-based staging servers
– More professional spear phishing (phishing with accurate contextual information)
– Development of more effective persistence mechanisms that do not depend on the typical registry paths for persistence
– More targeted methods of exfiltrating data to avoid raising flags through spikes in bandwidth usage
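
Exfiltration paced to avoid bandwidth spikes defeats a per-minute threshold rule but not a cumulative one. The script below is an added example, not code from the original post: it runs a classic spike rule and a sliding-window cumulative rule side by side over constructed egress events (timestamp, host, destination, bytes), so that a 12-hour trickle of 200 KB every 10 minutes is caught by the second rule while never tripping the first. Host names, destinations and thresholds are placeholders to be replaced with your own telemetry and baselines.

```python
"""Spike rule versus cumulative sliding-window rule for low-and-slow egress (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

SPIKE_BYTES_PER_MINUTE = 5_000_000          # classic "sudden burst" rule (placeholder value)
WINDOW = timedelta(hours=24)
WINDOW_BYTES_PER_DESTINATION = 10_000_000   # cumulative rule per host/destination pair (placeholder)


def spike_alerts(events):
    """Hosts whose egress in any single minute exceeds SPIKE_BYTES_PER_MINUTE."""
    per_minute = defaultdict(int)
    for ts, host, _dst, nbytes in events:
        per_minute[(host, ts.replace(second=0, microsecond=0))] += nbytes
    return {host for (host, _), total in per_minute.items() if total > SPIKE_BYTES_PER_MINUTE}


def slow_alerts(events, window=WINDOW, limit=WINDOW_BYTES_PER_DESTINATION):
    """Map (host, dst) -> peak bytes sent inside any sliding window of the given length,
    restricted to pairs whose peak exceeds the limit. Catches trickles that never spike."""
    per_pair = defaultdict(list)
    for ts, host, dst, nbytes in events:
        per_pair[(host, dst)].append((ts, nbytes))
    alerts = {}
    for pair, series in per_pair.items():
        series.sort()
        running, start, peak = 0, 0, 0
        for ts, nbytes in series:
            running += nbytes
            while ts - series[start][0] > window:   # slide the left edge of the window forward
                running -= series[start][1]
                start += 1
            peak = max(peak, running)
        if peak > limit:
            alerts[pair] = peak
    return alerts


def trickle(host, dst, start, every, count, nbytes):
    """Constructed helper: `count` transfers of `nbytes` to `dst`, spaced `every` apart."""
    return [(start + i * every, host, dst, nbytes) for i in range(count)]


T0 = datetime(2025, 3, 4, 8, 0, 0)
# Constructed events: ws-17 sends 200 KB every 10 minutes for 12 hours to one external
# store (14.4 MB total); ws-22 makes a single 8 MB upload; ws-05 is ordinary browsing.
SAMPLE_EVENTS = (
    trickle("ws-17", "storage.example-cloud.test", T0, timedelta(minutes=10), 72, 200_000)
    + [(T0 + timedelta(hours=1), "ws-22", "share.example-cloud.test", 8_000_000)]
    + trickle("ws-05", "www.example.test", T0, timedelta(minutes=37), 6, 45_000)
)

if __name__ == "__main__":
    print("spike rule:", sorted(spike_alerts(SAMPLE_EVENTS)))
    for (host, dst), peak in slow_alerts(SAMPLE_EVENTS).items():
        print(f"cumulative rule: {host} -> {dst} sent {peak:,} bytes within {WINDOW}")
```

The per-destination key matters: a host's total daily egress is dominated by sanctioned traffic, so the limit is set per host/destination pair against a baseline for that pair, which is where a steady trickle to a single new external store stands out.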

These activities increasingly resemble those of well-financed cyber espionage organizations.

Conclusion: A High-Priority Espionage Threat in 2025

UAC-0102 is a prime example of a modern espionage threat that favors stealth over brute force. The growing sophistication of its operations, its targeted victimology, and its use of cloud-integrated OPSEC make UAC-0102 a serious threat to national security and government institutions.

Defensive Recommendations

Organizations at risk should take the following actions:

1. Implement email authentication and anti-phishing measures.
2. Monitor for signs of abnormal cloud access.
3. Deploy behavioral EDR with a focus on script execution.
4. Segment key assets and implement strict access control measures.
5. Conduct regular audits for unauthorized tasks and persistence artifacts.

Given ongoing global geopolitical tensions and the threat posed by UAC-0102, its activity will likely increase as 2025 approaches, emphasising the need for a proactive, intelligence-driven defensive posture.
