Chinese and Belarusians Join Russian Hackers in Attacks on Ukrainian and EU Agencies

essidsolutions

Chinese and Belarusian hackers have joined their Russian colleagues to target Ukrainian and European entities as the Ukraine-Russia conflict rages. According to Google’s Threat Analysis Group (TAG), one threat group from the three countries has been identified carrying out phishing campaigns and DDoS attacks against Ukrainian and European targets.

Like the conflict zones in Ukraine, the cybersphere is now lit up with criminal activities that aim to either disrupt the functioning of enemy organizations or carry out cyber espionage. Recently, cybercriminal groups have aligned themselves, some officially and others discreetly, with either Russia or Ukraine.

As it turns out, three known cybercriminal groups, none of which has publicly declared support for Russia, have been covertly targeting government and military organizations in Ukraine and Europe.

Google hasn’t officially stated whether these attacks are state-sponsored. Still, from what’s known, one of these cybercriminal entities — APT28 or Fancy Bear — is closely affiliated with the Main Intelligence Directorate of the General Staff of the Russian armed forces (GRU).

APT28, also termed STRONTIUM by Microsoft, Pawn Storm by Kaspersky, and Tsar Team by FireEye, was responsible for the cyber espionage campaign that culminated with the compromise of the SolarWinds software supply chain.

The other two groups, Ghostwriter (tracked as UNC1151) and Mustang Panda, are also nation-state entities, associated with the Belarusian government and the Chinese government respectively.

UNC1151 has previously carried out malware-based intrusions, spear phishing, and credential theft attacks against private sector organizations in Ukraine, Lithuania, Latvia, Poland, and Germany. Mandiant noted that their targets also included Belarusian dissidents, media entities, and journalists, especially those involved in 2020 Belarusian protests and political demonstrations.

Mustang Panda, also known as TA416 and RedDelta, is infamous for carrying out cyber espionage operations in Southeast Asian countries. Its activities include successful attacks against over ten Indonesian government bodies, including its primary intelligence service, Badan Intelijen Negara (BIN). In recent days, Mustang Panda’s cyber-espionage operations have shifted westwards.


Rising Phishing Activities in Ukraine and Europe

“Over the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement, including FancyBear and Ghostwriter. This activity ranges from espionage to phishing campaigns,” wrote Shane Huntley, the director of TAG at Google.

TAG discovered that Fancy Bear is leveraging compromised email accounts, both Google and non-Google ones, to phish for victims. These emails contain links to attacker-controlled Blogspot domains, from which recipients are then redirected to credential phishing pages.
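The redirect chain described above (a link on a free blogging platform that forwards to a credential-harvesting page on another host) is something a mail gateway can surface before a user clicks. The following is an added example, not code from Google TAG or from the original article: it extracts links from a message body, follows a redirect map, and flags links hosted on Blogspot or landing on a different host than the one the link shows. The hosts, the message text and the `REDIRECTS` table are all constructed; in a real deployment the table would be filled by a sandboxed fetcher that records `Location` headers rather than by a hard-coded dictionary.

```python
import re
from urllib.parse import urlparse

# Constructed redirect map standing in for live HTTP lookups (hypothetical hosts).
# A production version would be populated by a sandboxed fetcher following
# Location headers; nothing here is taken from a real campaign.
REDIRECTS = {
    "https://example-notice.blogspot.com/2022/03/update.html":
        "https://accounts-verify.example.net/login",
    "https://example-notice.blogspot.com/2022/03/news.html":
        "https://example-notice.blogspot.com/2022/03/news.html",
}

# Constructed sample message body, as a gateway would see it after MIME decoding.
SAMPLE_BODY = """Dear colleague,
please review the update at https://example-notice.blogspot.com/2022/03/update.html
and the summary at https://example-notice.blogspot.com/2022/03/news.html
Regards"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Free-hosting platforms that are cheap for an attacker to stand up a landing page on.
FREE_HOSTING_SUFFIXES = (".blogspot.com",)


def resolve_chain(url, redirects, max_hops=5):
    """Follow the redirect map from url, returning every hop including the start.
    Stops on an unknown URL, a self-redirect, or after max_hops to avoid loops."""
    chain = [url]
    for _ in range(max_hops):
        nxt = redirects.get(chain[-1])
        if nxt is None or nxt == chain[-1]:
            break
        chain.append(nxt)
    return chain


def triage_links(body, redirects=REDIRECTS):
    """Return a list of findings for every link in body that looks like a
    phishing lure: hosted on a free platform, or redirecting to another host."""
    findings = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        chain = resolve_chain(url, redirects)
        final_host = (urlparse(chain[-1]).hostname or "").lower()
        reasons = []
        if host.endswith(FREE_HOSTING_SUFFIXES):
            reasons.append("hosted on free blog platform")
        if final_host != host:
            reasons.append("redirects off-platform to " + final_host)
        if reasons:
            findings.append({"url": url, "final": chain[-1], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_links(SAMPLE_BODY):
        print(f["url"], "->", f["final"], "|", "; ".join(f["reasons"]))
```

The off-platform redirect is the stronger signal: a Blogspot page that stays on Blogspot is usually benign, whereas one that bounces the visitor to a login page on an unrelated host is the pattern the article describes and is worth quarantining for analyst review.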

Belarus’ UNC1151 was engaged in credential phishing campaigns against Polish and Ukrainian organizations to get their hands on the credentials of military and government officials. All Ghostwriter attacks unfolded last week, Google said in the blog posted on Monday.

Ukraine’s Computer Emergency Response Team (CERT-UA) had put out an alert on Facebook in the last week of February 2022 against phishing activities by UNC1151. This specific phishing campaign varies from the one Google TAG discovered, although the end goal seems to be the same, i.e., to get access to credentials and sensitive communications.

Meanwhile, Mustang Panda drew targets in by sending malicious zip attachments titled “Situation at the EU borders with Ukraine.” The file contains an executable that downloads several additional files, which in turn load the final payload.
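A zip lure of this kind (a topical file name wrapping an executable downloader) can be caught at the mail gateway by looking inside the archive rather than at the archive's own extension. The following is an added example and not code from Proofpoint, Google TAG or the original article: it builds a constructed sample zip in memory that mimics the lure's theme, then inspects each member for an executable extension, a double extension meant to pass as a document, and a Windows PE header (`MZ`). The member names and contents are constructed and do not reproduce any real sample.

```python
import io
import os
import zipfile

# Extensions Windows will execute directly when the user double-clicks them.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".js", ".vbs",
                   ".bat", ".cmd", ".lnk", ".hta"}

# Lure file name constructed for this example, themed like the one in the article.
CONSTRUCTED_LURE = "Situation at the EU borders with Ukraine.pdf.exe"


def build_sample_zip():
    """Return bytes of a constructed zip: one PE-looking lure plus one benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # "MZ" is the DOS header magic every Windows PE executable starts with.
        zf.writestr(CONSTRUCTED_LURE, b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"constructed benign text")
    return buf.getvalue()


def inspect_zip(data):
    """Inspect every member of a zip and return (name, reasons) for suspicious ones.
    Only the first two bytes of each member are read, so large archives stay cheap."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension " + ext)
                # "report.pdf.exe": a document-looking name hiding an executable.
                if lower.count(".") >= 2:
                    reasons.append("double extension")
            with zf.open(info) as member:
                head = member.read(2)
            if head == b"MZ":
                reasons.append("PE header (MZ)")
            if reasons:
                findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()):
        print(name, "|", "; ".join(reasons))
```

Checking the member's magic bytes rather than trusting its name matters because the name can be renamed to anything; the `MZ` header check also catches an executable disguised with a document extension, which the extension tests alone would miss.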

According to Proofpoint, an analysis of Mustang Panda’s latest activities is consistent with its previous operations. “Most recently on February 28, 2022, TA416 began using a compromised email address of a diplomat from a European NATO country to target a different country’s diplomatic offices,” the company noted.

Mustang Panda’s prime targets include diplomats and those working in refugee and migrant services. “The frequency of these campaigns, specifically those against European governments, have increased sharply since Russian troops began amassing on the border of Ukraine,” Proofpoint added.

The attacks are clearly an attempt to spy on sensitive information. Whether any of them succeeded remains unknown. Google TAG said it has blocked the phishing domains it identified.

