Google said Russian, Belarusian, and Chinese threat actors have targeted Ukrainian and European government and military organizations (and individuals) in wide-ranging phishing campaigns and DDoS attacks.
The company’s Threat Analysis Group (TAG), a dedicated team of security experts that works to defend Google users from state-sponsored attacks, has alerted hundreds of Ukrainians that they’ve been targeted.
“In the last 12 months, TAG has issued hundreds of government-backed attack warnings to Ukrainian users alerting them that they have been the target of government-backed hacking, largely emanating from Russia,” said Google’s TAG lead Shane Huntley on Monday.
“Over the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement, including FancyBear and Ghostwriter. This activity ranges from espionage to phishing campaigns,” he added.
Phishing Campaigns
For example, Huntley said that the FancyBear hacking group (APT28), part of Russia’s Main Directorate of the General Staff of the Armed Forces (GRU), launched several large-scale credential phishing campaigns using compromised email accounts and redirecting targets to attacker-controlled Blogspot domains.
Belarusian threat actor Ghostwriter (UNC1151) was also observed by Google TAG while targeting Polish and Ukrainian military and government organizations over the past week.
The Computer Emergency Response Team of Ukraine (CERT-UA) and Facebook previously warned of other phishing campaigns against Ukrainian officials and military personnel, also attributed to Ghostwriter hackers (previously linked with high confidence by Mandiant to the Belarusian government).
Cybersecurity firm Proofpoint also detected phishing attacks targeting European government personnel assisting Ukrainian refugees, a campaign likely related to July 2021 phishing attacks that were also attributed to the Ghostwriter hacking group.
However, Russia and Belarus are not the only ones targeting Ukrainian and European organizations. Huntley said that the China-based hacking group Mustang Panda (also tracked as Temp.Hex and TA416) has also switched from Southeast Asian targets to European entities, currently using phishing lures related to the invasion of Ukraine.
On Monday, Proofpoint said that it also detected Mustang Panda phishing activity “targeting European diplomatic entities, including an individual involved in refugee and migrant services.”
DDoS Attacks
These ongoing cyberattacks have also included DDoS attacks targeting Ukrainian government agencies and state banks, along with multiple waves of destructive malware attacks.
Google TAG also detected “DDoS attempts against numerous Ukraine sites, including the Ministry of Foreign Affairs, Ministry of Internal Affairs, as well as services like Liveuamap that are designed to help people find information.”
Google also expanded eligibility for Project Shield, the company’s free protection service against DDoS attacks, in order to help Ukrainian government websites, embassies worldwide, and other governments stay online during attacks.
According to Google, more than 150 Ukrainian websites, including news organizations, have registered and are using the service to block incoming DDoS attacks.
Last week, the Russian government also shared a list of over 17,000 IP addresses allegedly used to launch DDoS attacks targeting Russian organizations and their networks.