© 2025 CoolTechZone - Latest tech news,
product reviews, and analyses.

North Korean hackers launched espionage campaign against Ukrainian government


State-sponsored hackers from North Korea have targeted several Ukrainian government bodies in a new espionage campaign. The goal is most likely to gather intelligence on the trajectory of the Russian invasion.

The group responsible for launching this campaign is called TA406. The group is known for using spear-phishing attacks to target governments, research centers, think tanks, academic institutions, and media organizations across the globe.

According to cybersecurity firm Proofpoint, TA406 relies on freemail senders spoofing members of think tanks to convince the target to engage with the phishing email. The lure content is based heavily on recent events in Ukrainian domestic politics to trick victims into opening phishing emails.

During an operation in February 2025, the group impersonated a senior fellow at the "Royal Institute of Strategic Studies", a think tank that does not exist. The email contained a link to a password-protected RAR archive.

Once the recipient unpacked the archive with the supplied password and opened its contents, a PowerShell-based infection chain ran on the machine and gathered reconnaissance data for the attackers, including IP configuration, file names, disk information, and the installed antivirus software.

Researchers believe TA406 has been targeting Ukrainian government entities to collect intelligence that helps North Korean leadership decide whether to keep its troops fighting alongside the Russian army and to assess the likely outcome of the war.

“North Korea committed troops to assist Russia in the fall of 2024, and TA406 is very likely gathering intelligence to help North Korean leadership determine the current risk to its forces already in the theatre, as well as the likelihood that Russia will request more troops or armaments. Unlike Russian groups who have likely been tasked with gathering tactical battlefield information of Ukrainian forces in situ, TA406 has typically focused on more strategic, political intelligence collection efforts,” Proofpoint writes in a blog post.

The cybersecurity firm observed TA406 attempting to gather login credentials by sending fake Microsoft security alert messages to Ukrainian government institutions using Proton Mail accounts.

The messages claimed that the target’s account had shown unusual sign-in activity from various IP addresses and asked the target to verify the login attempts. A credential harvesting page couldn’t be recovered, but the tactics, techniques, and procedures (TTPs) align with historical TA406 activity.
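The two lures described above (the think-tank impersonation with a password-protected RAR link, and the fake Microsoft sign-in alert sent from Proton Mail) share a few cheap indicators a mail-security team can triage on. The following is an added example, written for this article and not Proofpoint's or CERT-UA's tooling: a small scorer that parses raw messages and flags the described TTPs. The freemail domain list, the keyword patterns, the scoring threshold and the three sample messages are constructed assumptions for illustration, not indicators taken from the campaign.

```python
"""Triage heuristic for the TA406-style lures described in the article.

Added example; not tooling from the original article or from Proofpoint.
The freemail domain list, keyword patterns, threshold and sample messages
are constructed assumptions. Proton Mail is the only provider the article names.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Assumed freemail providers; Proton Mail is the one named in the article.
FREEMAIL_DOMAINS = {"proton.me", "protonmail.com", "gmail.com", "outlook.com", "yahoo.com"}
# Assumed words suggesting the sender poses as think-tank staff.
THINK_TANK_WORDS = re.compile(r"\b(institute|fellow|think tank|council|centre|center)\b", re.I)
# Assumed phrasing of a fake Microsoft "unusual sign-in" alert.
SIGNIN_LURE = re.compile(r"unusual sign-?in activity", re.I)
VERIFY_LURE = re.compile(r"\bverify\b", re.I)
MICROSOFT_DOMAINS = {"microsoft.com", "accountprotection.microsoft.com"}


def sender_parts(msg: EmailMessage) -> tuple[str, str]:
    """Return (display name, lowercased domain) from the From header."""
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def attachment_names(msg: EmailMessage) -> list[str]:
    """Filenames of every attachment part, if any."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def score_message(raw: str) -> dict:
    """Parse one RFC 822 message and list which described TTPs it matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, domain = sender_parts(msg)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    subject = str(msg.get("Subject", ""))
    text = f"{subject}\n{body}"

    hits = []
    if domain in FREEMAIL_DOMAINS:
        hits.append("freemail_sender")
        # Think-tank staff writing from a freemail address is the article's core lure.
        if THINK_TANK_WORDS.search(name) or THINK_TANK_WORDS.search(subject):
            hits.append("think_tank_impersonation")
    # The February 2025 lure linked to a password-protected RAR archive.
    if any(n.lower().endswith(".rar") for n in attachment_names(msg)) or re.search(r"\.rar\b", text, re.I):
        hits.append("rar_archive_lure")
        if re.search(r"\bpassword\b", text, re.I):
            hits.append("password_protected_archive")
    # Fake Microsoft sign-in alerts from anything but Microsoft's own domains.
    if SIGNIN_LURE.search(text) and VERIFY_LURE.search(text) and domain not in MICROSOFT_DOMAINS:
        hits.append("fake_microsoft_alert")

    return {
        "sender": f"{name} <{domain}>",
        "indicators": hits,
        "score": len(hits),
        "verdict": "suspicious" if len(hits) >= 2 else "benign",  # assumed threshold
    }


def sample_think_tank_lure() -> str:
    """Constructed message modelled on the February 2025 lure; not a real sample."""
    m = EmailMessage()
    m["From"] = "RISS Senior Fellow <senior.fellow@proton.me>"
    m["To"] = "official@example.gov.ua"
    m["Subject"] = "Analysis of recent developments in Ukrainian domestic politics"
    m.set_content("Dear colleague,\n\nMy latest analysis is in the archive below. "
                  "The password is Strategic2025.\n\nhttps://example.invalid/analysis.rar\n")
    return m.as_string()


def sample_fake_microsoft_alert() -> str:
    """Constructed message modelled on the credential-phishing lure; not a real sample."""
    m = EmailMessage()
    m["From"] = "Microsoft Account Team <account-security@protonmail.com>"
    m["To"] = "official@example.gov.ua"
    m["Subject"] = "Unusual sign-in activity detected"
    m.set_content("We detected unusual sign-in activity on your account from 203.0.113.7 "
                  "and 198.51.100.42.\nPlease verify these login attempts: "
                  "https://example.invalid/verify\n")
    return m.as_string()


def sample_benign() -> str:
    """Constructed internal message that should not trigger any indicator."""
    m = EmailMessage()
    m["From"] = "Olena <olena@example.gov.ua>"
    m["To"] = "official@example.gov.ua"
    m["Subject"] = "Meeting notes"
    m.set_content("Notes from today's meeting are in the shared drive.\n")
    return m.as_string()


if __name__ == "__main__":
    for raw in (sample_think_tank_lure(), sample_fake_microsoft_alert(), sample_benign()):
        print(score_message(raw))
```

The scorer deliberately keys on the combination of indicators rather than any single one: a freemail sender alone is normal traffic, but a freemail sender whose display name claims a think-tank affiliation, or who wants you to "verify" an unusual sign-in, is the pattern the article describes. Point it at a mailbox export (one message per `score_message` call) and review anything scored "suspicious" by hand.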

The Computer Emergency Response Team of Ukraine (CERT-UA) hasn’t addressed TA406’s espionage campaign publicly.

