Last Updated on 08/03/2022 by Nidhi Khandelwal
During Russia’s invasion of Ukraine, a variety of threat actors, including Fancy Bear, Ghostwriter, and Mustang Panda, have undertaken phishing efforts against Ukraine, Poland, and other European entities.
The nation-state group Fancy Bear (aka APT28) – which is attributed to Russia’s GRU military intelligence – used two Blogspot domains as landing pages for its social engineering attacks, according to Google’s Threat Analysis Group (TAG).
The news follows a warning from Ukraine’s Computer Emergency Response Team (CERT-UA) about phishing tactics aimed at Ukr.net users, which involve sending messages from compromised accounts with links to attacker-controlled credential-harvesting URLs.
Another cluster of threat activity involves Ukr.net, Yandex.ru, wp.pl, rambler.ru, meta.ua, and i.ua webmail users who have been targeted by phishing attacks from a Belarusian threat actor known as Ghostwriter (aka UNC1151).
According to Shane Huntley, director of Google TAG, the hacker gang also “conducted credential phishing attacks against Polish and Ukrainian government and military entities during the previous week.”
Russia and Belarus aren’t the only ones that have set their sights on Ukraine and Europe. Mustang Panda (aka TA416 or RedDelta), a China-based threat actor, is seeking to infect “selected European companies with lures relating to the Ukrainian invasion,” according to the report.
Proofpoint, an enterprise security firm, independently confirmed the findings, including a multi-year TA416 campaign against diplomatic bodies in Europe that began in early November 2021 and included a “person active in refugee and migration services” on February 28, 2022.
The infection chain involved embedding a malicious URL in a phishing email sent to a diplomat from a European NATO country; when clicked, the link delivered an archive file containing a dropper, which then downloaded a decoy document and retrieved the final-stage PlugX malware.