A growing number of threat actors are using the ongoing Russo-Ukrainian war as a lure in various phishing and malware campaigns, even as critical infrastructure entities continue to be heavily targeted.
“Government-backed actors from China, Iran, North Korea, and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links,” Google Threat Analysis Group (TAG) Billy Leonard said in a report.
“Financially motivated and criminal actors are also using current events as a means for targeting users,” Leonard added.
One notable threat actor is Curious Gorge, which TAG has attributed to China People’s Liberation Army Strategic Support Force (PLA SSF) and has been observed striking government, military, logistics, and manufacturing organizations in Ukraine, Russia, and Central Asia.
Attacks aimed at Russia have singled out several governmental entities, such as the Ministry of Foreign Affairs, with additional compromises impacting Russian defense contractors and manufacturers as well as an unnamed logistics company.
The findings follow disclosures that a China-linked government-sponsored threat actor known as Mustang Panda (aka Bronze President) may have been targeting Russian government officials with an updated version of a remote access trojan called PlugX.
Another set of phishing attacks involved APT28 (aka Fancy Bear) hackers targeting Ukrainian users with a .NET malware that’s capable of stealing cookies and passwords from Chrome, Edge, and Firefox browsers.
Also implicated were Russia-based threat groups, including Turla (aka Venomous Bear) and COLDRIVER (aka Callisto), as well as a Belarusian hacking crew named Ghostwriter in different credentials phishing campaigns targeting defense and cybersecurity organizations in the Baltic region and high-risk individuals in Ukraine.
COLDRIVER, also called Gamaredon, Primitive Bear, Actinium, and Armageddon, has been linked to multiple phishing attacks targeting government officials in Ukraine, besides striking military, non-government organizations (NGO), judiciary, law enforcement, and non-profit organizations in the country for espionage purposes.
Ghostwriter’s latest attacks directed victims to compromised websites, from where the users were sent to an attacker-controlled web page to harvest their credentials.
IBM Security X-Force connected the intrusions to a threat cluster it’s tracking under the moniker Hive0117.
“The campaign masquerades as official communications from the Russian Government’s Federal Bailiffs Service, the Russian-language emails are addressed to users in Lithuania, Estonia, and Russia in the Telecommunications, Electronic, and Industrial sectors,” the company said.
The cyber activity update comes as Microsoft divulged that six different Russia-aligned actors launched at least 237 cyberattacks against Ukraine from February 23 to April 8, including 38 discrete destructive attacks that irrevocably destroyed files in hundreds of systems across dozens of organizations in the country.
The geopolitical tensions and the ensuing military invasion of Ukraine have also fueled an escalation in data wiper attacks intended to cripple mission critical processes and destroy forensic evidence.
You can also read this: Ukraine Warns of Cyberattack Aiming to Hack Users’ Telegram Messenger Accounts