
New UAC-0247 Campaign Steals Browser and WhatsApp Data From Hospitals and Governments

Published On: April 16, 2026

Urgent Alert: UAC-0247 Campaign Targets Hospitals and Governments, Stealing Browser and WhatsApp Data

In an increasingly complex threat landscape, a new and concerning campaign has emerged that demands immediate attention from cybersecurity professionals, particularly those safeguarding critical national infrastructure. A threat cluster, identified as UAC-0247, has been actively compromising the networks of local governments and municipal healthcare institutions in Ukraine since early 2026. This sophisticated operation is not merely focused on data exfiltration; it demonstrates a stealthy persistence aimed at expanding its foothold within compromised environments.

Understanding the UAC-0247 Threat Cluster

The UAC-0247 threat cluster signifies a coordinated and persistent adversary. Their current operational focus highlights a strategic targeting of vulnerable, yet highly critical, sectors. These include local government entities, which often hold sensitive citizen data, and municipal healthcare providers such as clinical hospitals and emergency ambulance services. The compromise of such organizations presents a dual threat: the loss of sensitive patient information and the potential disruption of vital healthcare services.

Tactics and Objectives: Data Exfiltration and Network Persistence

Investigations into the UAC-0247 campaign reveal a clear objective: the theft of sensitive data. Specifically, attackers are observed exfiltrating information from internet browsers, which can include credentials, browsing history, financial details, and other personally identifiable information. Of particular note is the targeting of WhatsApp data, indicating an interest in private communications and contact lists, which could be leveraged for further social engineering or intelligence gathering.

Beyond initial data theft, UAC-0247 exhibits a concerning capability for lateral movement and network expansion. This suggests a desire for long-term access and control, possibly for espionage, sabotage, or future attacks. Their ability to move “quietly” through compromised networks implies advanced persistent threat (APT) characteristics, making detection and eradication challenging without a robust incident response framework.
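The page describes theft of browser and WhatsApp data but not how it is performed, so a defender-side check is the natural illustration. The following is an added example, not code from the original article or from any vendor: it scans constructed Sysmon-style file-access events and flags any process other than the owning application that opens a browser credential store or a WhatsApp database. The browser profile paths are well known; the WhatsApp path pattern and the sample events are assumptions.

```python
import os
import re

# Credential and message stores commonly harvested by infostealers, with the
# process that legitimately reads each one. The WhatsApp pattern is an
# assumption (only the folder name and a .db suffix are matched).
STORE_RULES = [
    (r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies)$", "chrome", {"chrome.exe"}),
    (r"\\Microsoft\\Edge\\User Data\\[^\\]+\\(Login Data|Cookies)$", "edge", {"msedge.exe"}),
    (r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$",
     "firefox", {"firefox.exe"}),
    (r"\\WhatsApp\\.*\.db$", "whatsapp", {"whatsapp.exe"}),  # assumed path pattern
]


def classify(target_path):
    """Return (store, owning processes) if the path is a sensitive store, else None."""
    for pattern, store, owners in STORE_RULES:
        if re.search(pattern, target_path, re.IGNORECASE):
            return store, owners
    return None


def detect(events):
    """Map each non-owner process image to the sorted list of store types it opened.

    A single process touching several store types (browser plus WhatsApp) is a
    stronger signal than one isolated access, so hits are aggregated per image.
    """
    hits = {}
    for ev in events:
        match = classify(ev["target"])
        if match is None:
            continue
        store, owners = match
        exe = os.path.basename(ev["image"].replace("\\", "/")).lower()
        if exe in owners:
            continue  # the application reading its own profile is normal
        hits.setdefault(ev["image"], set()).add(store)
    return {image: sorted(stores) for image, stores in hits.items()}


# Constructed sample events (process image, file opened); not real telemetry.
EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\nurse\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Users\nurse\AppData\Local\Temp\updater.exe",
     "target": r"C:\Users\nurse\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Users\nurse\AppData\Local\Temp\updater.exe",
     "target": r"C:\Users\nurse\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\logins.json"},
    {"image": r"C:\Users\nurse\AppData\Local\Temp\updater.exe",
     "target": r"C:\Users\nurse\AppData\Local\WhatsApp\msgstore.db"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\nurse\Documents\report.docx"},
]

if __name__ == "__main__":
    for image, stores in detect(EVENTS).items():
        print(f"ALERT {image} opened {', '.join(stores)} stores")
```

Feeding real EDR or Sysmon file-access events into `detect` gives a first-pass list of processes reading stores they have no business reading; whitelist backup and DLP agents before alerting.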

Impact on Critical Infrastructure

The targeting of healthcare and government sectors poses significant risks:

  • Loss of Sensitive Data: Compromised browser and WhatsApp data can expose patient records, government communications, financial information, and personal credentials.
  • Disruption of Services: Adversaries maintaining persistence within networks could potentially disrupt critical services, impacting public health and administrative functions.
  • Erosion of Trust: Successful breaches can erode public trust in institutions responsible for their well-being and security.
  • Espionage and Intelligence Gathering: Access to government and healthcare communications can provide valuable intelligence to malicious actors.

Remediation Actions and Proactive Defenses

Organizations, especially those in government and healthcare sectors, must act decisively to counter the UAC-0247 threat and similar campaigns. Proactive security measures are paramount:

  • Endpoint Detection and Response (EDR)/Extended Detection and Response (XDR): Deploy robust EDR/XDR solutions to monitor endpoint activity, detect anomalous behavior, and respond to threats in real-time.
  • Multi-Factor Authentication (MFA): Implement MFA for all accounts, especially for access to sensitive systems and applications. This significantly reduces the risk of credential theft leading to unauthorized access.
  • Regular Security Awareness Training: Educate employees on phishing, social engineering tactics, and the importance of strong, unique passwords. Emphasize caution with links and attachments from unknown sources.
  • Perimeter Security Enhancements: Strengthen firewalls, intrusion detection/prevention systems (IDS/IPS), and email security gateways to filter out malicious traffic and content.
  • Patch Management: Maintain a rigorous patch management schedule to ensure all operating systems, applications, and network devices are up-to-date with the latest security patches. This mitigates vulnerabilities that attackers often exploit.
  • Network Segmentation: Implement network segmentation to isolate critical systems and data, limiting the lateral movement of attackers if a breach occurs.
  • Incident Response Plan: Develop and regularly test a comprehensive incident response plan. This ensures a coordinated and effective response in the event of a security breach.
  • Principle of Least Privilege: Enforce the principle of least privilege, granting users only the necessary access required for their roles.
  • Data Encryption: Encrypt sensitive data both in transit and at rest to protect it even if exfiltrated.
  • Regular Backups: Implement a robust data backup and recovery strategy to ensure business continuity and data availability in case of a ransomware attack or data corruption.

Security Tools for Detection and Mitigation

The following tools can aid in detecting and mitigating threats posed by campaigns like UAC-0247:

  • Microsoft Defender for Endpoint: Advanced EDR capabilities for threat detection and response. Link: https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-for-endpoint
  • CrowdStrike Falcon Insight: Cloud-native EDR solution offering endpoint protection, threat intelligence, and response. Link: https://www.crowdstrike.com/products/endpoint-security/falcon-insight-edr/
  • Palo Alto Networks Cortex XDR: XDR solution that unifies data from endpoints, networks, and cloud for comprehensive threat detection. Link: https://www.paloaltonetworks.com/cortex/cortex-xdr
  • Splunk Enterprise Security: SIEM platform for real-time security monitoring, threat detection, and incident response. Link: https://www.splunk.com/en_us/software/splunk-enterprise-security.html
  • Proofpoint Email Security and Protection: Advanced email security gateway for protecting against phishing and malware. Link: https://www.proofpoint.com/us/products/email-protection

Key Takeaways

The UAC-0247 campaign underscores the persistent and evolving nature of cyber threats against critical infrastructure. The targeting of browser and WhatsApp data, coupled with a focus on network persistence, highlights the need for robust, multi-layered security defenses. Organizations, particularly in the government and healthcare sectors, must prioritize proactive security measures, employee education, and comprehensive incident response planning to protect sensitive data and maintain operational continuity.
