Google says Russian APTs are Busily Phishing Ukraine!


While Russia is fighting a physical war on the ground against Ukraine, advanced persistent threat (APT) groups affiliated with or backing Vladimir Putin’s Govt. are ramping up phishing & other attacks against Ukrainian & European targets in cyberspace, Google warns.

DDoS attacks against Ukrainian sites are also rising, alongside phishing activity capitalising on the conflict, with China’s ‘Mustang Panda’ targeting Europe.

Espionage to Phishing Campaigns

Researchers from Google’s Threat Analysis Group (TAG) have seen an increase in activity ranging “from espionage to phishing campaigns” from threat groups known as Fancy Bear/APT28 & Ghostwriter/UNC1151, Shane Huntley, Director of Software Engineering at Google TAG, wrote in a blog post published Mon.

The former has been attributed to Russia’s GRU intelligence agency, & the latter is a player that Ukraine previously stated is part of the Belarusian Ministry of Defence.

Denial-of-Service

Also, there has recently been a number of distributed denial-of-service (DDoS) attacks against Ukrainian Govt. sites, such as the Ministry of Foreign Affairs & the Ministry of Internal Affairs, as well as key services that help Ukrainians find information, such as Liveuamap, states Google TAG.

China’s ‘Mustang Panda’ also has joined the fray, using the war in Ukraine to target European entities with lures related to the Ukrainian invasion in a recent phishing campaign. China’s Govt. is one of the few around the world backing Putin in the conflict.

“We’re sharing this information to help raise awareness among the security community and high-risk users,” Huntley wrote.

Fancy Bear

Fancy Bear, the APT behind attacks against the 2020 Tokyo Olympics & elections in the European Union, most recently has been targeting users of ukr.net – owned by the Ukrainian media company UkrNet – with “several large credential phishing campaigns,” Huntley wrote.

“The phishing emails are sent from a large number of compromised accounts (non-Gmail/Google), & include links to attacker-controlled domains,” states the post.

In 2 recent campaigns, TAG saw attackers using newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages. At this time, all known attacker-controlled Blogspot domains have been taken down, Huntley added.

‘Ghostwriter’

Meanwhile, ‘Ghostwriter’ has conducted similarly motivated phishing campaigns over the past week against Polish & Ukrainian Govt. & military organisations, according to Google TAG. The group also has been targeting webmail users from the following providers in the region: i.ua, meta.ua, rambler.ru, ukr.net, wp.pl & yandex.ru.

Google TAG blocked some credential phishing domains that researchers saw during the campaigns through Google Safe Browsing, states the post. Those domains included the following: accounts[.]secure-ua[.]website, i[.]ua-passport[.]top, login[.]creditals-email[.]space, post[.]mil-gov[.]space & verify[.]rambler-profile[.]site.

China’s Mustang Panda

China’s Mustang Panda, aka Temp.Hex, HoneyMyte, TA416 or RedDelta, is using phishing lures related to the conflict in Ukraine to target European organisations.

“TAG identified malicious attachments with file names such as ‘Situation at the EU borders with Ukraine.zip’ which contain an executable of the same name that is a basic downloader,” Huntley explained in the post. When executed, the file downloads several additional files that install the final, malicious payload, according to TAG.
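As an added defender-side example (not code from Google TAG or from this article), the following Python triage helper checks a message for the three patterns described above: links to the five credential-phishing domains listed in the Ghostwriter section (refanged from their defanged form), links to Blogspot pages of the kind TAG saw used as redirecting landing pages in the Fancy Bear campaigns, and a zip attachment holding an executable of the same name, as in the Mustang Panda lure. The `Message` class, the sample messages, the sender addresses and the Blogspot hostname are constructed for the example.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# The five credential-phishing domains quoted (defanged) in the TAG post.
DEFANGED_IOCS = [
    "accounts[.]secure-ua[.]website",
    "i[.]ua-passport[.]top",
    "login[.]creditals-email[.]space",
    "post[.]mil-gov[.]space",
    "verify[.]rambler-profile[.]site",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower()


IOC_HOSTS = {refang(d) for d in DEFANGED_IOCS}

# Captures the host part of any http(s) URL found in message text.
URL_RE = re.compile(r"""https?://([^/\s"'<>]+)""", re.IGNORECASE)


@dataclass
class Message:
    """Minimal mail representation for triage (constructed for this example)."""
    sender: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> raw bytes


def hostnames(text: str) -> list:
    """Return lowercase hostnames of every URL in the text, ports stripped."""
    return [m.group(1).lower().split(":")[0] for m in URL_RE.finditer(text)]


def zip_has_same_name_exe(filename: str, data: bytes) -> bool:
    """Mustang Panda lure pattern from the post: 'X.zip' containing 'X.exe'."""
    if not filename.lower().endswith(".zip"):
        return False
    stem = filename[:-4].lower()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower() == stem + ".exe" for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # corrupt or non-zip content: leave it to other checks


def triage(msg: Message) -> list:
    """Return findings for one message; an empty list means nothing matched."""
    findings = []
    for host in hostnames(msg.body):
        if host in IOC_HOSTS:
            findings.append(f"known-phishing-domain:{host}")
        elif host == "blogspot.com" or host.endswith(".blogspot.com"):
            # TAG saw newly created Blogspot pages used as redirecting landing
            # pages; flag for review rather than block, Blogspot is also legitimate.
            findings.append(f"blogspot-landing-page:{host}")
    for name, data in msg.attachments.items():
        if zip_has_same_name_exe(name, data):
            findings.append(f"zip-with-same-name-exe:{name}")
    return findings


def _zip_with(inner_name: str) -> bytes:
    """Build an in-memory zip holding one harmless text entry (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "placeholder text, not an executable")
    return buf.getvalue()


# Constructed sample messages mirroring the three patterns described in the post.
LURE_NAME = "Situation at the EU borders with Ukraine"
SAMPLES = {
    "ioc_link": Message(
        "compromised-user@example.net",
        "Your mailbox will be suspended. Confirm here: "
        f"https://{refang('verify[.]rambler-profile[.]site')}/login",
    ),
    "blogspot_redirect": Message(
        "another-compromised@example.org",
        "Security notice: https://mail-security-notice.blogspot.com/verify.html",
    ),
    "zip_downloader": Message(
        "sender@example.com",
        "Please see the attached situation report.",
        {f"{LURE_NAME}.zip": _zip_with(f"{LURE_NAME}.exe")},
    ),
    "benign": Message(
        "colleague@example.com",
        "Minutes from today: https://docs.example.com/minutes/latest",
        {"minutes.zip": _zip_with("minutes.txt")},
    ),
}


def triage_all(samples: dict = SAMPLES) -> dict:
    """Run triage over every sample, keyed by sample name."""
    return {name: triage(msg) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name:18} {findings or 'clean'}")
```

The domain list is exact-match only, so it catches reuse of the published indicators rather than look-alikes; the Blogspot and same-name-executable checks are heuristics that surface the technique itself and are meant to route a message to a reviewer, not to block it outright.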

While Huntley noted that targeting Europe represents a shift for the threat actor – which typically targets entities in SE Asia – Mustang Panda has been active against EU entities before, most notably targeting Rome’s Vatican & Catholic Church-related organisations with a spear-phishing campaign in Sept. 2020.

To mitigate the APT’s latest phishing attacks, TAG has alerted relevant authorities of its findings, Huntley noted.

DDoS Protection

As APTs step up phishing attacks against Ukrainian targets, key government & service-oriented websites in the country also are facing a new barrage of DDoS attacks, as mentioned.

As these attacks are likely to continue, Google has expanded eligibility for Project Shield, the company’s free protection against DDoS attacks, to “Ukrainian govt. websites, embassies worldwide & other govts. in close proximity to the conflict,” Huntley wrote. More than 150 websites in Ukraine, including many news organisations, are currently using the service.

‘Project Shield’

Project Shield lets Google absorb the bad traffic in a DDoS attack so the targeted organisation can continue operating & defend against these attacks, explains the post.

The company is recommending that eligible organisations register for Project Shield in the wake of increased DDoS attack activity, Huntley concluded.
