Ukrainian Cyber Alliance (UCA) is a pro-Ukraine hacktivist collective founded in 2016. The content describes it as a volunteer, non-governmental network of cyber activists defending Ukraine’s cyberspace against Russian aggression, while also noting it has worked sporadically for Ukrainian armed forces and intelligence services. Known aliases in the content include UCA, UAC, and Ukrainian Cyber Alliance. One article states the collective includes four groups—CyberHunta, Falcons Flame, Trinity, and RUH8—and that when operating together they use the Ukrainian Cyber Alliance name. The group’s stated mission in the content is to expose Russian meddling in Ukraine and conduct operations against Russian and pro-Russian targets. Reported targets include Kremlin aide Vladislav Surkov, the Russian State Duma, the Russian Ministry of Defense, separatist entities in Donetsk, Russian internet service provider Nodex, Russian postal operator Donbas Post, Russian drone manufacturer Gaskar Group, and the Trigona ransomware operation. The content also says UCA has claimed attacks affecting parking operations and industrial environments. Techniques and tradecraft directly mentioned in the content include spear-phishing, malware or other “special software,” exploitation of exposed services, and exploitation of the critical Atlassian Confluence Data Center and Server vulnerability CVE-2023-22515. In the Trigona intrusion, UCA reportedly exploited CVE-2023-22515, established persistence, remained undetected while mapping infrastructure, exfiltrated data from administration panels, victim panels, internal systems, Rocket.Chat, Jira, Confluence, source code repositories, databases, developer environments, and cryptocurrency hot wallets, and then wiped and defaced the ransomware gang’s servers. The content also attributes destructive actions to UCA against Donbas Post and Nodex, including wiping systems, virtual machines, backups, and large volumes of data. The content highlights several notable operations. UCA reportedly leaked more than a gigabyte of emails and documents from Vladislav Surkov, with some analysts and Ukrainian officials assessing portions of the material as authentic. It reportedly hacked and defaced websites linked to the self-proclaimed Donetsk People’s Republic and alleged private Russian military companies, and RUH8 claimed hacks of the Russian State Duma website. More recently, UCA claimed responsibility for taking down Trigona’s ransomware infrastructure and for destructive attacks on Donbas Post. The content also says UCA and BO Team claimed a cyberattack on Gaskar Group that allegedly destroyed terabytes of technical data and disrupted accounting systems, production software, and internet infrastructure. The content consistently portrays UCA as a Ukraine-aligned hacktivist actor operating in the context of the Russia-Ukraine conflict. It is described as distinct from purely state organs, but in some reporting as having at least sporadic cooperation with Ukrainian military or intelligence services.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Geographies tied to known operations.
Attributed origin per open-source reporting.
11 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 malware family attributed to this actor across reporting.
1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.
12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Mentioned as part of the broader Ukraine-aligned cyber ecosystem with capability and precedent to target Russian entities, but not tied by evidence to the specific Bashkortostan dairy incidents.
Group reported as conducting operations against industrial environments.
Destructive cyberattack claimed against Donbas Post, disrupting services and destroying endpoints/VMs and large volumes of data.
Claimed disruptive/wiper-style intrusion against Donbas Post (Russian state-owned postal operator in occupied Donetsk/Luhansk), allegedly wiping >1,000 workstations, ~100 VMs, and dozens of TB of data; activity framed as hacktivism aligned with Ukraine-Russia conflict.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.