Threat actors impersonating Ukraine’s CERT using AnyDesk

 


Ukraine's Government Computer Emergency Response Team (CERT-UA), operating under the State Special Communications Service, has issued a warning regarding multiple incidents in which cybercriminals impersonated the CERT-UA team in connection requests made through the AnyDesk remote access software.

In these cases, threat actors sent requests to connect via AnyDesk, falsely claiming to represent CERT-UA. They used the name "CERT. UA," along with its logo and the identifier “1518341498,” which could vary. In their communications, the impersonators stated that they were conducting a “security audit to assess the level of protection.”

CERT-UA noted that, under certain circumstances, it may indeed use remote access tools, including AnyDesk, but only after prior agreement with the owners of the systems involved, through official communication channels. The activity described in the warning, however, is not linked to any legitimate CERT-UA operations.

The attacks are another example of cybercriminals employing social engineering tactics, exploiting trust and authority to deceive their victims, the authorities said.

The attack strategy relies on two conditions: 1) the cybercriminals have access to the victim’s AnyDesk identifier, and 2) the AnyDesk software is operational on the victim’s machine. It is likely that the AnyDesk identifier was compromised through other means, possibly involving previously authorized remote sessions on other computers.

CERT-UA is urging the public to remain vigilant and follow these guidelines to protect against such threats:

Any remote access software should only be activated during the specific session in use.

The execution of tasks that involve remote access must be personally coordinated through existing official communication channels.

If any anomalies or suspicious activities are detected, it is important to immediately inform cybersecurity units and, if necessary, CERT-UA to take prompt action.
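
The coordination guideline above, written as a default-deny triage check. This is an added example, not code from CERT-UA's advisory. Because the identifier "could vary," the check treats a request as expected only when it matches a session agreed in advance, rather than blocking one known ID. The record types, the agreed-session list, the dates and every ID except 1518341498 are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AgreedSession:      # hypothetical record: session arranged via official channels
    remote_id: str
    start: datetime
    end: datetime

@dataclass(frozen=True)
class IncomingRequest:    # hypothetical record: one incoming connection request
    when: datetime
    remote_id: str
    display_name: str

# Names an impersonator may borrow, compared after normalisation.
PROTECTED_NAMES = ("certua",)

def normalize(name: str) -> str:
    """Lower-case and drop punctuation so 'CERT. UA' and 'CERT-UA' compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def triage(req: IncomingRequest, agreed: list[AgreedSession]) -> tuple[str, str]:
    """Default deny: a request is expected only inside a pre-agreed session window."""
    for s in agreed:
        if req.remote_id == s.remote_id and s.start <= req.when <= s.end:
            return "expected", "matches a session agreed in advance"
    # The display name is chosen by the sender, so it can only raise severity.
    if any(p in normalize(req.display_name) for p in PROTECTED_NAMES):
        return "alert", "authority name used without a prior agreement"
    return "deny", "unsolicited request"

# Constructed sample data. Only the ID 1518341498 comes from the advisory.
AGREED = [AgreedSession("2000000002", datetime(2025, 1, 20, 10, 0),
                        datetime(2025, 1, 20, 11, 0))]
REQUESTS = [
    IncomingRequest(datetime(2025, 1, 20, 9, 30), "1518341498", "CERT. UA"),
    IncomingRequest(datetime(2025, 1, 20, 9, 45), "1000000001", "CERT-UA"),  # varied ID
    IncomingRequest(datetime(2025, 1, 20, 10, 15), "2000000002", "Vendor helpdesk"),
    IncomingRequest(datetime(2025, 1, 20, 14, 0), "2000000002", "Vendor helpdesk"),
]

def run() -> list[str]:
    """Verdict for each sample request, in order."""
    return [triage(r, AGREED)[0] for r in REQUESTS]

if __name__ == "__main__":
    for r in REQUESTS:
        print(r.remote_id, r.display_name, *triage(r, AGREED))
```

The last request shows that a previously agreed ID is denied once its window has closed, which matches the guidance to keep remote access active only for the session in use.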

