
Google confirms Russian, Chinese and Belarusian cyberattacks on Ukraine


Google’s Threat Analysis Group (TAG) has confirmed that Russian, Chinese and Belarusian threat actors are targeting Ukrainian and European government and military organisations in addition to individual citizens using DDoS attacks and phishing campaigns.

Ukraine has seen a significant rise in the number of cyberattacks, especially on government, military and educational organisations. Coordinated attacks took down at least 30 Ukrainian university websites in late February and the attacks haven’t slowed down since. 

“Over the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement, including FancyBear and Ghostwriter. This activity ranges from espionage to phishing campaigns”, stated the report published Monday. 


Phishing for Ukrainians

Russia’s FancyBear, Belarusian Ghostwriter and China-based hacking group MustangPanda have all been detected running campaigns against Ukrainians and Europeans aiding Ukrainian refugees.

FancyBear, a part of Russia’s Main Directorate of the General Staff of the Armed Forces, also known as the GRU, has launched several large-scale credential phishing campaigns using compromised email accounts, redirecting targets to rogue Blogspot domains. These attacker-controlled domains have been taken down.

The fake domains set up by FancyBear. | Source: Google TAG

Ghostwriter, also known as UNC1151, was also found to be targeting Polish and Ukrainian military and government organisations in the last seven days. Google TAG also found campaigns targeting webmail users from a number of providers including,, among others. All these domains have been blocked using Google Safe Browsing.

Additionally, cybersecurity firm Proofpoint found spearphishing attacks against European government personnel helping Ukrainian refugees. Based on the infection chain, these attacks are also likely related to Ghostwriter’s phishing attacks.

Finally, there’s the Chinese MustangPanda, also known as Temp.Hex, which targets European entities with phishing attacks related to the Ukrainian invasion. The emails contained malicious zip downloads which, when extracted and executed, would download a payload. TAG has notified the relevant authorities.

Proofpoint also reported observing MustangPanda activity on Monday, stating that the group is targeting European diplomatic entities, including “an individual involved in refugee and migrant services.”


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018.
