State-sponsored threat actors from China, Iran, North Korea, Russia, and Belarus, among others, have exploited Ukrainian war-related topics for their financial benefit.
Criminals are using current events in this war-torn Eastern European country to target their victims.
According to Google's Threat Analysis Group (TAG), one actor is impersonating military personnel to extort money for rescuing relatives in Ukraine.
Government-backed actors and many unattributed hacker groups are tricking targets into opening malicious emails and clicking on malicious links.
Over the past two weeks, TAG has observed three particularly active criminal groups trying to monetize the war in Ukraine.
Curious Gorge, backed by China's People's Liberation Army Strategic Support Force, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia.
Russia-based Coldriver (Calisto) has launched credential phishing campaigns targeting several US-based NGOs and think tanks, the military of a Balkans country, and a Ukraine-based defense contractor.
"However, for the first time, TAG has observed Coldriver campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence. These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown. We have not observed any Gmail accounts successfully compromised during these campaigns," Google noted.
Belarusian threat actor Ghostwriter recently introduced a new capability into their credential phishing campaigns – a 'browser in the browser' phishing technique.
"Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites," Google said.
Ghostwriter also conducted credential phishing campaigns against Polish and Ukrainian government and military organizations at the beginning of the Russian invasion of Ukraine.
In the last 12 months, Google's Threat Analysis Group has issued hundreds of government-backed attack warnings to Ukrainian users, alerting them that they have been the target of government-backed hacking, mainly emanating from Russia.
FancyBear, a threat actor attributed to the Russian intelligence agency GRU, has conducted several large credential phishing campaigns targeting ukr.net users. UkrNet is a Ukrainian media company.
China-based threat actor Mustang Panda has targeted European entities with lures related to the Ukrainian invasion.