Luke Jenkins
Breaching the Battlefield: UNC4221’s Espionage for Military Advantage
With Russia’s war now in its third year, Mandiant has observed Russia’s focus in cyberspace pivot away from disruption toward espionage that provides battlefield advantage to Russia’s conventional forces. While the usual suspects such as APT44 (Sandworm) have received significant attention on this front, one of the most active threat clusters focused on this mission has been UNC4221, a previously unidentified threat actor that emerged during the war and is laser-focused on penetrating the mobile devices and situational awareness platforms used by Ukraine’s military. In this talk, we will explore UNC4221’s efforts to collect battlefield-relevant data through the use of Android malware, phishing operations masquerading as Ukrainian military applications, and operations targeting popular messaging platforms such as Telegram and WhatsApp. The sustained focus of these operations indicates their likely role in identifying, tracking, and providing intelligence that could potentially lead to follow-on conventional military action.
Luke Jenkins is a Principal Analyst and technical lead on the Cyber Espionage team at Mandiant, a part of Google Cloud. He specializes in tracking and analyzing Russia-nexus threat actors and leads a team focused on understanding and countering the activities of nation-state actors worldwide. Since early 2022, Luke has concentrated on tracking Russia-nexus threat groups targeting Ukraine and neighboring countries.