- A growing number of state-linked and criminal threat actors are using Russia’s invasion of Ukraine to launch phishing and malware campaigns against critical infrastructure, government and other targets in Eastern Europe, according to research from Billy Leonard, a security engineer at the Google Threat Analysis Group (TAG).
- Researchers have observed state-backed threat actors from Russia, China, Iran and North Korea using themes related to the Ukraine conflict to entice targeted users to click malicious emails or links, according to Google TAG. Criminal threat actors and others with financial motives are also using current events related to the conflict to target users.
- The threat activity has increased in recent weeks, targeting oil and gas, telecommunications and manufacturing companies, according to researchers. They did not specify specific companies or incidents.
The Google TAG research follows a flurry of activity in recent weeks indicating heightened hybrid attacks linked to the Ukraine invasion.
Microsoft security researchers last week said at least six state-linked actors aligned with Russia had launched 237 attacks since before the invasion. About 40% of the attacks were aimed at critical infrastructure, while 32% of the attacks were aimed at the Ukrainian government on a national, regional or city level, according to a blog post from Tom Burt, corporate vice president, customer security and trust at Microsoft.
The Cybersecurity and Infrastructure Security Agency (CISA) has also updated prior warnings about destructive wiper malware deployed prior to the February invasion. CISA disclosed indicators of compromise and other technical details on the various wipers.
Google TAG is tracking the activity of the following threat actors:
- APT28, or Fancy Bear, a threat actor attributed to the Russian Main Intelligence Directorate, or GRU, has been using a new malware variant against targets in Ukraine. The malware is distributed using password protected zip files and steals cookies and saved passwords from Chrome, Edge and Firefox browsers.
- Turla, a group TAG attributes to the Russian Federal Security Service, is targeting defense and cybersecurity organizations in the Baltics. Attackers emailed a unique link leading to DOCX files hosted by attacker-controlled infrastructure. The DOCX file, when opened, tries to download a unique PNG file from the same domain.
- Coldriver, a Russia-based threat actor also known as Callisto, has sent credential phishing emails to Google and non-Google accounts, according to researchers. The targets include government and defense officials, nongovernmental organizations, journalists and think tanks. Phishing links previously were sent directly in emails, but now are linked to PDFs or DOC files hosted on Google Drive or Microsoft OneDrive.
- Ghostwriter, a threat actor linked to Belarus, has targeted Gmail accounts in credential phishing campaigns against high-risk individuals in Ukraine. Researchers discovered a phishing campaign in mid-April targeting users located mainly in Lithuania.
- Curious Gorge, a threat actor linked to the People’s Liberation Army Strategic Support Force in China, has targeted government, military, logistics and manufacturing in Ukraine, Central Asia and Russia. Researchers say Russian defense contractors and a logistics firm have been compromised in the past week.
In all cases, websites and domains have been added to Google Safe Browsing in order to protect users, according to Google TAG. The group has also sent targeted Gmail and Google Workspace users government-backed attack alerts.