The DaVinci Group: Russia’s Cyber Mercenaries Target Ukraine
In the shadowy world of cyberwarfare, mercenary groups play a pivotal role. One such group, known as UAC-0050 or “The DaVinci Group,” has emerged as a key player in the ongoing conflict between Russia and Ukraine. Security researcher BushidoToken investigates this group’s modus operandi and its potential ties to the Russian government.
Tactics, Techniques, and Procedures (TTPs)
The DaVinci Group isn’t known for its technological sophistication. They rely on readily available, off-the-shelf malware like Remcos RAT and Venom RAT, along with legitimate remote administration tools. These tactics might seem crude, but they’ve proven operationally effective. What sets The DaVinci Group apart is their brazen disregard for operational security (OPSEC), publicly advertising their services on social media and cybercrime forums.
CERT-UA Exposes the Group
CERT-UA (Computer Emergency Response Team of Ukraine) first highlighted the DaVinci Group in a February 2024 report, linking them to multiple spam campaigns directed at Ukrainian organizations. The group is suspected of acting as an initial access broker (IAB) for more advanced Russian state-sponsored threat actors. While their technical sophistication is limited, relying primarily on commodity malware and legitimate remote administration tools, their operational effectiveness and ties to the Russian government warrant attention.
A History of Malicious Activity
The DaVinci Group has been operating since at least 2017, intensifying its attacks on Ukraine since the Russian invasion began in 2022. Their targets range from government institutions to civilians caught in the crossfire. CERT-UA has tracked over 15 malspam campaigns attributed to the group, often using phishing emails disguised as official communications from Ukrainian authorities.
Investigating the Trail
Image: BushidoToken
CERT-UA’s findings provided pivotal clues, leading investigators directly to The DaVinci Group’s online presence. Notably, the group seems to have mistakenly used their website as a command-and-control (C2) server. From there, it was a simple matter to uncover their services, openly advertised on websites, social media, and cybercrime forums.
Services for Hire
The DaVinci Group is a one-stop shop for cybercrime. Their offerings include:
- Account Hacking: Email, social media, and messaging
- Remote Computer Access
- Denial of Service (DoS) attacks
- Data Deletion
- CCTV Surveillance (in Moscow)
Intriguingly, they offer services that suggest possible insider connections within Russia’s telecommunication companies:
- Mobile Phone Hacking
- Information Retrieval on Individuals
- Law Enforcement Database Access
The DaVinci Group’s brazen self-promotion raises questions about their motivations. Possible explanations include:
- Mercenary Operations: Primarily driven by financial gain, offering services to both cybercriminals and state actors.
- Signaling: Intentional public exposure to attract attention from Russian intelligence services, potentially seeking more substantial contracts.
- Hybrid Goals: Simultaneous pursuit of financial gain and contribution to Russian strategic objectives within the Ukrainian conflict.
The UAC-0050 stands as a stark example of the murky ecosystem where cybercrime and state-sponsored espionage intermingle. While they might be considered low-tier threat actors, their actions have real-world consequences in the ongoing conflict in Ukraine.
