Dan Black

Breaching the Battlefield: UNC4221’s Espionage for Military Advantage

With Russia’s war now in its third year, Mandiant has observed Russia’s focus in cyberspace pivot away from disruption as its primary focus toward espionage to provide battlefield advantage to Russia’s conventional forces. While the usual suspects such as APT44 (Sandworm) have received significant attention on this front, one of the most active threat clusters focused on this mission has been UNC4221 – a previously unidentified threat actor that has emerged during the war laser-focused on penetrating the mobile devices and situational awareness platforms used by Ukraine’s military. In this talk, we will explore UNC4221’s efforts to collect battlefield-relevant data through the use of Android malware, phishing operations masquerading as Ukrainian military applications, and operations targeting popular messaging platforms like Telegram and WhatsApp. The sustained focus of these operations indicate their likely role identifying, tracking, and providing intelligence that could potentially lead to follow-on conventional military action.

Dan Black is a cyber threat researcher with an interest in military cyber programs and the evolving character of cyber conflict. He is currently a Manager of Cyber Espionage Analysis at Google Cloud’s Mandiant and a senior researcher with the European Cyber Conflict Research Initiative. Prior to joining Google, Dan was the Deputy Head of NATO’s cyber intelligence unit, leading intelligence production and analysis on cyber threats to the Alliance.