Russian Hackers Target Ukrainians, European Allies via Phishing Attacks
A broad range of threat actors, including Fancy Bear, Ghostwriter, and Mustang Panda, have launched phishing campaigns against Ukraine, Poland, and other European entities amid Russia's invasion of Ukraine.
Google's Threat Analysis Group (TAG) said it took down two Blogspot domains that were used by the nation-state group Fancy Bear (aka APT28), which is attributed to Russia's GRU military intelligence, as a landing page for its social engineering attacks.
The disclosure comes close on the heels of an advisory from the Computer Emergency Response Team of Ukraine (CERT-UA) warning of phishing campaigns targeting Ukr.net users. The messages are sent from already compromised accounts and contain links to attacker-controlled credential harvesting pages, so the sender address alone is not a reliable signal of legitimacy.
Another cluster of threat activity concerns webmail users of Ukr.net, Yandex.ru, wp.pl, rambler.ru, meta.ua, and i.ua, who have been on the receiving end of phishing attacks by a Belarusian threat actor tracked as Ghostwriter (aka UNC1151).
The hacking group also "conducted credential phishing campaigns over the past week against Polish and Ukrainian government and military organizations," Shane Huntley, director of Google TAG, said in a report.
Separately, CERT-UA disclosed details of a cyber attack undertaken by the UNC1151 group aimed at Ukrainian state organizations using a malware called MicroBackdoor that is delivered to compromised systems in the form of a Microsoft Compiled HTML Help file ("dovidka.chm").
But it's not just Russia and Belarus who have set their sights on Ukraine and Europe. Included in the mix is a China-based threat actor known as Mustang Panda (aka TA416 or RedDelta) attempting to plant malware in "targeted European entities with lures related to the Ukrainian invasion."
The findings were also independently corroborated by enterprise security firm Proofpoint, which detailed a multi-year TA416 campaign against diplomatic entities in Europe starting in early November 2021, with the most recent activity, on February 28, 2022, targeting an "individual involved in refugee and migrant services."
The infection sequence entailed embedding a malicious URL in a phishing message sent from a compromised email address of a diplomat from a European NATO country. When clicked, the link delivered an archive file containing a dropper, which in turn downloaded a decoy document and retrieved the final-stage PlugX malware.
The disclosures come as a deluge of distributed denial-of-service (DDoS) attacks have bombarded numerous Ukrainian sites, such as those associated with the Ministry of Defense, Foreign Affairs, and Internal Affairs, and services like Liveuamap.
"Russian hackers keep on attacking Ukrainian information resources nonstop," the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said in a tweet over the weekend.
"The most powerful [DDoS] attacks exceeded 100 Gbps at their peak. Despite all the involved enemy's resources, the sites of the central governmental bodies are available."
In a related development, the Anonymous hacking collective claimed that it took down the website of the Federal Security Service of Russia and that it interrupted the live feeds of several Russian TV channels and streaming services, including Wink, Ivi, Russia 24, Channel One, and Moscow 24, to broadcast war footage from Ukraine.
The wave of counterattacks against Russia has been galvanized by the formation of an IT Army, a crowdsourced Ukrainian government initiative that relies on digital warfare to disrupt Russian government and military targets.
The development also follows Russia's decision to ban Facebook and throttle other widely used social media platforms in the country, just as technology companies from the U.S. have moved to sever ties with Russia, effectively creating an iron curtain and curbing online access.
Source: https://thehackernews.com/2022/03/google-russian-hackers-target.html