Phishing Attacks Target Countries Assisting Ukrainian Refugees

Colin Thierry
Colin Thierry Writer
Colin Thierry Colin Thierry Writer

A spear-phishing campaign has been targeting European government personnel providing logistics support to Ukrainian refugees.

According to American cybersecurity firm Proofpoint, the attackers use “possibly compromised” email accounts of Ukrainian armed service members to deliver phishing messages.

The researchers said the phishing attacks they observed were only targeting European governmental entities. At the moment, they couldn’t attribute the attacks to a specific state-sponsored hacking group, the researchers added.

“Proofpoint has identified a likely nation-state sponsored phishing campaign using a possibly compromised Ukrainian armed service member’s email account to target European government personnel involved in managing the logistics of refugees fleeing Ukraine,” they said in a statement.

“The email included a malicious macro attachment, which attempted to download a Lua-based malware dubbed SunSeed, a malware downloader that can be used to deliver second-stage payloads to compromised devices.”

Based on the infection chain, however, the researchers said the campaign tracked as Asylum Ambuscade aligns and is likely related to July 2021 phishing attacks linked to the Ghostwriter Belarusian threat group (also tracked as TA445 or UNC1151).

Ghostwriter was linked with high confidence in November by Mandiant security researchers to the Belarusian government. Since Russia invaded Ukraine on Feb. 24, this threat group has also been linked to other attacks against Ukrainians.

For example, the Computer Emergency Response Team of Ukraine (CERT-UA) warned of Ghostwriter operators attempting to breach the private email accounts of Ukrainian military personnel and “related individuals” to deliver phishing messages to their contacts.

On Feb. 27, Meta said that it also took down accounts used by GhostWriter to target Ukrainian officials and military personnel on Facebook. It also blocked phishing domains on the platform used to try and compromise the accounts of Ukrainian users.

“This activity, independent of attribution conclusions, represents an effort to target NATO entities with compromised Ukrainian military accounts during an active period of armed conflict between Russia, its proxies, and Ukraine,” the Proofpoint researchers concluded.

“Additionally, the possibility of exploiting intelligence around refugee movements in Europe for disinformation purposes is a proven part of Russian and Belarussian-state techniques.”

About the Author

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.

Leave a Comment