Russian Hackers Target Ukrainians via Phishing Attacks
A broad range of threat actors, including Fancy Bear, Ghostwriter, and Mustang Panda, have launched phishing campaigns against Ukraine, Poland, and other European entities amid Russia’s invasion of Ukraine.
Google’s Threat Analysis Group (TAG) said it took down two Blogspot domains that were used by the nation-state group FancyBear (aka APT28) – which is attributed to Russia’s GRU military intelligence – as a landing page for its social engineering attacks.
The disclosure comes close on the heels of an advisory from the Computer Emergency Response Team of Ukraine (CERT-UA) warning of phishing campaigns targeting Ukr.net users that involve sending messages from compromised accounts containing links to attacker-controlled credential harvesting pages.
Another cluster of threat activity concerns webmail users of Ukr.net, Yandex.ru, wp.pl, rambler.ru, meta.ua, and i.ua, who have been at the receiving end of phishing attacks by a Belarusian threat actor tracked as Ghostwriter (aka UNC1151).
Hackers Try to Target European Officials to Get Info on Ukrainian Refugees, Supplies
The hacking group also “conducted credential phishing campaigns over the past week against Polish and Ukrainian government and military organizations,” Shane Huntley, director of Google TAG, said in a report.
But it’s not just Russia and Belarus who have set their sights on Ukraine and Europe. Included in the mix is a China-based threat actor known as Mustang Panda (aka TA416 or RedDelta) attempting to plant malware in “targeted European entities with lures related to the Ukrainian invasion.”
Separately, CERT-UA disclosed details of a cyber attack undertaken by the UNC1151 group aimed at Ukrainian state organizations using a malware called MicroBackdoor that’s delivered to compromised systems in the form of Microsoft Compiled HTML Help file (“dovidka.chm”).
The findings were also separately corroborated by enterprise security firm Proofpoint, which detailed a multi-year TA416 campaign against diplomatic entities in Europe starting in early November 2021, counting an “individual involved in refugee and migrant services” on February 28, 2022.
Russian Hackers Target Ukrainians via Phishing Attacks