“In the last 12 months, Threat Analysis Group (TAG) has issued hundreds of government-backed attack warnings to Ukrainian users alerting them that they have been the target of government-backed hacking, largely emanating from Russia.” wrote Shane Huntley, Google’s TAG lead. TAG has seen activity like espionage to phishing attempts from several threat actors, including FancyBear and Ghostwriter which they monitor regularly and are well-known to law enforcement.
FancyBear also known as APT28 or Sofacy is a nation-state adversary group that has been active since at least 2008 and poses a persistent danger to a wide range of organizations around the world. They use a sophisticated and cross-platform implant to attack aerospace, defense, energy, government, media, and dissidents. Now they are carrying out many large-scale credential phishing attempts targeting media company UkrNet users in Ukraine. A huge number of compromised accounts (non-Gmail/Google) were used to send phishing emails. Users of i.ua, meta.ua, rambler.ru, ukr.net, wp.pl, and yandex.ru webmail have also been targeted.
According to Google TAG, a recent slew of distributed denial-of-service (DDoS) attacks have targeted Ukrainian government sites like the Ministry of Foreign Affairs and the Ministry of Internal Affairs, as well as critical information-finding services like Liveuamap. According to the report, Google TAG used Google Safe Browsing to block several credential phishing domains that researchers discovered throughout the campaigns. Among the domains were: i[.]ua-passport[.]top, login[.]creditals-email[.]space, post[.]mil-gov[.]space, and verify[.]rambler-profile[.]site.
a Chinese phishing operation has also joined the fray, focusing on European companies with lures related to the Ukrainian invasion in a new phishing effort. Mustang Panda has been active against EU entities before, most recently targeting Rome’s Vatican and Catholic Church-related organizations with a spearphishing campaign in September 2020. While Huntley noted that targeted Europe represents a shift for the threat actor – which typically targets entities in Southeast Asia – Mustang Panda has been active against EU entities before. TAG discovered malicious attachments with file names like ‘Situation at the EU Borders with Ukraine.zip’ contains a basic downloader that downloads numerous extra files before loading the final payload. TAG notified the appropriate authorities of its findings in order to minimize the potential for harm.
Ukraine’s governmental Computer Emergency Response Team (CERT-UA) took this issue to social media right after the invasion by Russian armed troops to warn Ukrainians about an increase in phishing attempts targeting devices in the country. UA’s cyber security firm ESET has urged the warning outside Ukraine to be aware of phishing attempts linked to the conflict when the State Service of Special Communication and Information Protection (SSSCIP) of Ukraine was giving CERT warnings.
SSSCIP has issued a new warning to Ukrainian businesses asking them to segregate non-critical workstations and servers, upgrade systems and software to the most recent versions, and back up data to external storage.
All qualified organizations are encouraged to sign up for ProjectShield-with-google so that systems can stop assisting these assaults and keep websites up and running. Over 150 websites in Ukraine including numerous journalistic organizations use the service as it stops Google to bring harmful traffic generated by a DDoS assault. The number of people eligible for Project Shield has been increased for free DDoS protection, so that Ukrainian government websites, embassies around the world, and other governments in close proximity to the conflict can stay online, protect themselves, and continue to provide critical services and information.
Montalbano, A. E., & Montalbano, E. (n.d.). Russian apts furiously Phish Ukraine – google. Threatpost English Global threatpostcom. Retrieved March 10, 2022, from https://threatpost.com/russian-apts-phishing-ukraine-google/178819/