Google’s Threat Analysis Group (TAG) has confirmed that Russian, Chinese and Belarusian threat actors are targeting Ukrainian and European government and military organisations in addition to individual citizens using DDoS attacks and phishing campaigns.
Ukraine has seen a significant rise in the number of cyberattacks, especially on government, military and educational organisations. Coordinated attacks took down at least 30 Ukrainian university websites in late February and the attacks haven’t slowed down since.
“Over the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement, including FancyBear and Ghostwriter. This activity ranges from espionage to phishing campaigns”, stated the report published Monday.
In the News: Ransomware gang breaches 52 critical organisations; FBI issues warning
Phishing for Ukrainians
Russia’s FancyBear, Belarusian Ghostwriter and China-based hacking group MustangPanga have all been detected running campaigns on Ukrainian and Europeans aiding Ukrainian refugees.
FancyBear is a part of Russia’s Main Directorate of the General Staff of the Armed forces, also known as GRU has launched several large-scale credential phishing campaigns using compromised email accounts and are redirecting their targets to rogue Blogspot domains. These attacker-controlled domains have been taken down.
Ghostwriter, also known as UNC1151 was also found to be targetting Polish and Ukrainian military and government organisations in the last seven days. Google TAG also found campaigns targetting webmail users from a number of providers including yandex.ru, wp.pl, meta.ua among others. All these domains have been blocked using Google Safe Browsing.
Additionally, cybersecurity firm Proofpoint found spearphishing attacks against European government personnel helping Ukrainian refugees. Based on the infection chain these attacks are also likely related to Ghostwriter’s phishing attacks.
Finally, there’s the Chinese MustangPanda, also known as Temp.Hex, which targets European entities with phishing attacks related to the Ukrainian invasion. The emails contained malicious zip downloads which when extracted and executed would download a payload. TAG has notified the relevant authorities.
Proofpoint also reported observing MustangPanda activity on Monday stating that the group is targeting European diplomatic entities, including “an individual involved in refugee and migrant services.”
In the News: CISA orders Firefox patch; adds 11 vulnerabilities to its catalogue