Global APT Groups Use Ukraine War for Phishing Lures

Security researchers have detected multiple APT campaigns leveraging Ukraine war-themed documents and news sources to lure victims into clicking on spear-phishing links.

Check Point Research said victim locations ranged from South America to the Middle East, with malware downloads designed to perform keylogging and screenshotting and execute commands.

The threat groups in question include El Machete, which is targeting the financial and government sectors in Nicaragua and Venezuela with malicious macro-laden Word documents containing articles on the war.

One of the docs was an article written by the Russian ambassador to Nicaragua titled: “Dark plans of the neo-Nazi regime in Ukraine.”

Another is Lyceum, an Iranian state-linked group targeting the energy sector with emails about war crimes in Ukraine that link to a malicious document hosted elsewhere. Its victims so far have been in Israel and Saudi Arabia, according to Check Point.

One email contained a link to an article from The Guardian hosted on the news spot [.]live domain, alongside several malicious docs about the war.

The last of the three groups is SideWinder, which has been linked to India in the past. Targeting Pakistani victims, its lure is a purported document from the National Institute of Maritime Affairs of Bahria University in Islamabad, titled “Focused Talk on Russian Ukraine Conflict Impact on Pakistan.”

Sergey Shykevich, threat intelligence group manager at Check Point Software, argued that cyber espionage is the likely end goal for the APT groups.

“Our findings reveal a clear trend, that collateral around the war between Russia and Ukraine has become a lure of choice for threat groups worldwide,” he added.

“I strongly recommend governments, banks, and energy companies to reiterate cyber-awareness and education to employees, and to implement cybersecurity solutions that protect the network on all levels.”
