The investigation of the revealed infrastructure confirmed the targeted nature of attacks against specific regions. Besides the initial attack on email services, the group massively generated certificates for creating fake copies of popular Ukrainian web portals. On one of the identified servers, analysts recorded digital certificates that mimicked mail services I.UA and bigmir)net. Through targeted queries to the infrastructure, an active phishing page was also identified that mimicked the META.UA portal. The combination of this data indicates that the UNC1151 group serially produces fake tools to compromise legitimate European services.
The analysis of the phishing incident proves that modern cybercriminals use complex architectures to scale their attacks and bypass multi-factor authentication. Transitioning from reactive blocking to proactive intelligence creates conditions for rapidly detecting disguised infrastructure arrays. Company iIT Distribution, as a Value Added Distributor, provides expert support in deploying advanced information security solutions, including threat intelligence tools and attack surface management. The iITD team supports projects at every stage, helping partners protect critical credentials and reduce the risks of intelligent cyberattacks.