Security News > 2022 > June > Russian hackers start targeting Ukraine with Follina exploits

Ukraine's Computer Emergency Response Team is warning that the Russian hacking group Sandworm may be exploiting Follina, a remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool currently tracked as CVE-2022-30190.
It is worth noting that Ukraine's agency assesses with medium confidence that behind the malicious activity is the Sandworm hacker group.
CERT-UA says that Russian hackers launched a new malicious email campaign leveraging Follina and targeted more than 500 recipients at various media organizations in Ukraine, including radio stations and newspapers.
Sandworm has been targeting Ukraine constantly over the past few years, and the frequency of attacks increased after the Russian invasion into Ukraine.
In April, it was discovered that Sandworm attempted to take down a large Ukrainian energy provider by targeting its electrical substations with a new variant of the Industroyer malware.
In February, security researchers discovered that Sandworm was the group responsible for creating and operating the Cyclops Blink botnet, a highly persistent malware relying on firmware manipulation.
News URL
Related news
- Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp (source)
- Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp (source)
- Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks (source)
- Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail (source)
- Hackers Exploit Severe PHP Flaw to Deploy Quasar RAT and XMRig Miners (source)
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks (source)
- Top 3 MS Office Exploits Hackers Use in 2025 – Stay Alert! (source)
- Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images (source)
- Russian hackers attack Western military mission using malicious drive (source)
- Hackers exploit WordPress plugin auth bypass hours after disclosure (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-06-01 | CVE-2022-30190 | Unspecified vulnerability in Microsoft products A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. | 0.0 |