Google’s Threat Analysis Group (TAG) has shared details on cyberattacks against Ukraine and Europe launched by state-backed hacker groups linked to Russia, Belarus, and China.
According to a new report, Russian, Belarusian, and Chinese threat actors targeted Ukrainian and European government and military organizations, as well as individuals, in phishing campaigns.
One of the campaigns, believed to be the work of a Russia-linked threat actor known as FancyBear (APT28), was aimed at users of ukr.net, a news website belonging to UkrNet (a Ukrainian media company). The group is associated with Russia's military intelligence agency, the GRU, and is believed to be responsible for the 2016 Democratic email hacks.
The observed attacks involved phishing emails sent from multiple compromised (non-Gmail/Google) accounts, each containing a link to an attacker-controlled domain.
“In two recent campaigns, the attackers used newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages. All known attacker-controlled Blogspot domains have been taken down,” Google said.
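The chain described above (a link to a Blogspot landing page that then redirects to a credential-phishing page on another domain) is something a defender can look for in web-proxy logs. The following is an added example, not code from Google or the TAG report: it parses a few constructed proxy-log lines and flags HTTP redirects whose source is a blogspot.com subdomain and whose destination is a different registrable domain with a login-like path. It assumes the redirect is visible as an HTTP redirect with a Location header in the log (the real landing pages may also redirect via HTML or JavaScript, which this simple check would not see); the log format and the `LOGIN_PATH` heuristic are assumptions for illustration.

```python
"""
Added example (not from the TAG report): flag proxy-log entries where a
Blogspot page is the first hop of a redirect chain that lands on a
different domain with a login-like path.
"""
import re
from urllib.parse import urlparse

# Constructed sample log lines (assumed format):
#   timestamp user requested_url http_status location_header("-" if none)
SAMPLE_LOG = """\
2022-03-01T09:12:01Z alice https://example-news-blog-1234.blogspot.com/ 302 https://mail-login.example-phish.test/login
2022-03-01T09:12:02Z alice https://mail-login.example-phish.test/login 200 -
2022-03-01T10:05:44Z bob https://legit-recipes.blogspot.com/2022/03/soup.html 200 -
2022-03-01T11:30:10Z carol https://docs.example.com/share 302 https://docs.example.com/login
"""

# Assumed heuristic: paths that look like credential-entry pages.
LOGIN_PATH = re.compile(r"(login|signin|sign-in|auth|password|verify)", re.I)
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_log(text):
    """Parse the assumed whitespace-separated log format into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, url, status, location = line.split()
        entries.append({
            "ts": ts,
            "user": user,
            "url": url,
            "status": int(status),
            "location": None if location == "-" else location,
        })
    return entries


def is_blogspot(host):
    """True for any subdomain of blogspot.com (the landing pages named in the report)."""
    return host.lower().endswith(".blogspot.com")


def registrable(host):
    """Crude registrable-domain approximation: the last two DNS labels.
    Good enough for this illustration; a real deployment would use the
    Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def find_suspicious_redirects(entries):
    """Return redirects from a Blogspot host to a different domain whose
    path looks like a login page."""
    hits = []
    for e in entries:
        if e["status"] not in REDIRECT_STATUSES or not e["location"]:
            continue
        src_host = urlparse(e["url"]).hostname or ""
        dst = urlparse(e["location"])
        dst_host = dst.hostname or ""
        if (is_blogspot(src_host)
                and registrable(dst_host) != registrable(src_host)
                and LOGIN_PATH.search(dst.path)):
            hits.append({"user": e["user"], "landing": e["url"], "target": e["location"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_redirects(parse_log(SAMPLE_LOG)):
        print(f"{hit['user']}: {hit['landing']} -> {hit['target']}")
```

Run against the constructed log, only alice's request is flagged: the legitimate Blogspot page bob visited returns 200 with no redirect, and carol's redirect stays within the same domain. In practice the hits would feed a ticket or an alert, and the flagged destination domains are candidates for blocking at the proxy.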
The TAG team has also detected a phishing campaign launched by a Belarusian threat actor tracked as Ghostwriter and UNC1151. This campaign targeted Polish and Ukrainian government and military organizations. At the beginning of March, Proofpoint researchers disclosed details of another hacking campaign conducted by Ghostwriter, which targeted personnel at European organizations assisting the efforts to aid Ukrainian refugees fleeing the country.
More interestingly, the TAG team has observed a change in the behavior of one of the Chinese threat actors, Mustang Panda (Temp.Hex). The group, which previously targeted entities in Southeast Asia, has now switched its focus to European organizations. In a recent campaign, Mustang Panda targeted European entities with lures related to the invasion of Ukraine. Google says the phishing email contained a zip file with a basic downloader which, when executed, downloaded several additional files that load the final payload.
Cybersecurity Help’s statement on the critical situation in Ukraine
On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man aren't worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Glory to Ukraine!