Google TAG Warns of Russian Hackers Conducting Phishing Attacks in Ukraine

Apr 19, 2023 | Ravie Lakshmanan | Cyber Warfare / Cyber Attack

Phishing Attacks in Ukraine

Elite hackers associated with Russia’s military intelligence service have been linked to large-volume phishing campaigns aimed at hundreds of users in Ukraine to extract intelligence and influence public discourse related to the war.

Google’s Threat Analysis Group (TAG), which is monitoring the activities of the actor under the name FROZENLAKE, said the attacks continue the “group’s 2022 focus on targeting webmail users in Eastern Europe.”

The state-sponsored cyber actor, also tracked as APT28, Fancy Bear, Forest Blizzard, Iron Twilight, Sednit, and Sofacy, is both highly active and proficient. It has been active since at least 2009, targeting media, governments, and military entities for espionage.

The latest intrusion set, starting in early February 2023, involved the use of reflected cross-site scripting (XSS) attacks on various Ukrainian government websites to redirect users to phishing domains and capture their credentials.
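For defenders reviewing web server logs for the pattern described above (a reflected parameter carrying script that redirects the visitor to an external phishing host), the following is an added example, not code from Google TAG or the article; the log lines, the `gov.example` site host and the phishing hostnames are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample access-log lines (not from the report): one benign search,
# one URL-encoded <script> payload setting location to an external host, and one
# javascript: URI in a return-URL parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Feb/2023:10:00:01 +0000] "GET /search?q=budget HTTP/1.1" 200 512
203.0.113.9 - - [01/Feb/2023:10:00:07 +0000] "GET /search?q=%3Cscript%3Elocation%3D%27https%3A%2F%2Fwebmail-login.example%2F%27%3C%2Fscript%3E HTTP/1.1" 200 734
198.51.100.2 - - [01/Feb/2023:10:00:09 +0000] "GET /news?id=42&ret=javascript:window.location='https://login.example.net' HTTP/1.1" 302 0
"""

# Common log format: client, request line, status.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# Markers that a query value contains script rather than data.
XSS_MARKERS = re.compile(r'(<script|javascript:|onerror\s*=|onload\s*=)', re.I)
# Assignments to window.location that name an absolute URL.
REDIRECT_RE = re.compile(
    r'(?:location(?:\.href)?\s*=|location\.replace\()\s*[\'"]?(https?://[^\'"\)\s<]+)', re.I)

def find_xss_redirects(log_text, own_hosts):
    """Return one finding per query parameter that carries script content,
    listing any redirect targets outside own_hosts (the site's own hostnames)."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, path, status = m.groups()
        for key, raw in parse_qsl(urlsplit(path).query, keep_blank_values=True):
            value = unquote_plus(raw)  # second decode catches double-encoded payloads
            if not XSS_MARKERS.search(value):
                continue
            targets = [urlsplit(u).hostname for u in REDIRECT_RE.findall(value)]
            findings.append({
                "src": src, "path": urlsplit(path).path, "param": key,
                "status": int(status),
                "external": [h for h in targets if h and h not in own_hosts],
            })
    return findings

if __name__ == "__main__":
    for f in find_xss_redirects(SAMPLE_LOG, frozenset({"gov.example"})):
        print(f)
```

A hit with a non-empty `external` list is the strongest signal, since a reflected payload that only renders on the page does not by itself move the victim to a credential-capture domain.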

The disclosure comes as U.K. and U.S. intelligence and law enforcement agencies released a joint advisory warning of APT28’s attacks exploiting an old, known vulnerability in Cisco routers to deploy malware known as Jaguar Tooth.

FROZENLAKE is far from the only actor focused on Ukraine since Russia’s military invasion of the country over a year ago. Another notable adversarial collective is FROZENBARENTS, aka Sandworm, Seashell Blizzard (née Iridium), or Voodoo Bear, which has engaged in a sustained effort to target organizations affiliated with the Caspian Pipeline Consortium (CPC) and other energy sector entities in Eastern Europe.


Both groups have been attributed to the General Staff Main Intelligence Directorate (GRU), with APT28 tied to the 85th Special Service Center (GTsSS) military intelligence unit 26165. Sandworm, on the other hand, is believed to be part of GRU’s Unit 74455.

The credential harvesting campaign targeted CPC employees with phishing links delivered via SMS. The attacks against the energy vertical distributed links to fake Windows update packages that ultimately executed an information stealer known as Rhadamanthys to exfiltrate passwords and browser cookies.

FROZENBARENTS, dubbed the “most versatile GRU cyber actor,” has also been observed launching credential phishing attacks targeting the Ukrainian defense industry, military, and Ukr.net webmail users starting in early December 2022.


The threat actor is said to have further created online personas across YouTube, Telegram, and Instagram to disseminate pro-Russian narratives, leak data stolen from compromised organizations, and post targets for distributed denial-of-service (DDoS) attacks.

“FROZENBARENTS has targeted users associated with popular channels on Telegram,” TAG researcher Billy Leonard said. “Phishing campaigns delivered via email and SMS spoofed Telegram to steal credentials, sometimes targeting users following pro-Russia channels.”

A third threat actor of interest is PUSHCHA (aka Ghostwriter or UNC1151), a Belarusian government-backed group that is known to act on behalf of Russian interests, its targeted phishing attacks singling out Ukrainian webmail providers such as and to siphon credentials.

Google TAG also highlighted a set of attacks mounted by the group behind Cuba ransomware to deploy RomCom RAT within Ukrainian government and military networks.

“This represents a significant shift from this actor’s traditional ransomware operations, behaving more similarly to an actor conducting operations for intelligence collection,” Leonard pointed out.
