Google: Russia, China, Belarus state hackers target Ukraine, Europe
Google says Russian, Belarusian, and Chinese threat actors targeted Ukrainian and European government and military organizations, as well as individuals, in sweeping phishing campaigns and DDoS attacks.
The company’s Threat Analysis Group (TAG), a dedicated team of security experts that works to defend Google users from state-sponsored attacks, has alerted hundreds of Ukrainians they’ve been targeted.
“In the last 12 months, TAG has issued hundreds of government-backed attack warnings to Ukrainian users alerting them that they have been the target of government-backed hacking, largely emanating from Russia,” said Shane Huntley, Google’s TAG lead.
“Over the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement, including FancyBear and Ghostwriter. This activity ranges from espionage to phishing campaigns.”
Phishing for European and Ukrainian credentials
For instance, Huntley said that the FancyBear hacking group (aka APT28), part of Russia’s Main Directorate of the General Staff of the Armed Forces (also known as GRU), launched several large-scale credential phishing campaigns using compromised email accounts and redirecting targets to attacker-controlled Blogspot domains.
Belarusian threat actor Ghostwriter (aka UNC1151) was also observed by Google TAG while targeting Polish and Ukrainian military and government organizations during the last seven days.
The Computer Emergency Response Team of Ukraine (CERT-UA) and Facebook previously warned of other phishing campaigns against Ukrainian officials and military personnel, also attributed to Ghostwriter hackers (previously linked with high confidence by Mandiant to the Belarusian government).
Cybersecurity firm Proofpoint also spotted spear-phishing attacks targeting European government personnel aiding Ukrainian refugees, a campaign aligned with and likely related to July 2021 phishing attacks also attributed to the Ghostwriter hacking group.
Russia and Belarus are not the only ones attacking Ukrainian and European orgs. Huntley says that China-based hacking group Mustang Panda (aka Temp.Hex and TA416) also switched from regular Southeast Asian targets to European entities, now using phishing lures related to the Ukrainian invasion.
On Monday, Proofpoint revealed that it also detected Mustang Panda phishing activity “targeting European diplomatic entities, including an individual involved in refugee and migrant services.”
DDoS attacks launched from Ukraine and Russia
As BleepingComputer previously reported, this deluge of ongoing attacks has also included DDoS attacks targeting Ukrainian government agencies and state banks, as well as multiple series of destructive malware attacks [1, 2].
Google TAG also detected “DDoS attempts against numerous Ukraine sites, including the Ministry of Foreign Affairs, Ministry of Internal Affairs, as well as services like Liveuamap that are designed to help people find information”.
To help websites belonging to the Ukrainian government, embassies worldwide, and other governments stay online throughout these attacks, Google also expanded eligibility for Project Shield, the company’s free protection service against distributed denial-of-service (DDoS) attacks.
According to Google, more than 150 Ukrainian websites, including many news organizations, have registered and are using the service to block incoming DDoS attacks.
Last week, the Russian government also shared a list of over 17,000 IP addresses allegedly used to launch DDoS attacks targeting Russian organizations and their networks.
Ukraine’s Vice Prime Minister Mykhailo Fedorov previously announced the creation of an “IT army” that would support the country’s “fight on the cyber front.”
The creation of the Ukrainian IT Army was prompted by a “massive wave of hybrid warfare,” and it was only revealed after the Defense Ministry of Ukraine began recruiting Ukraine’s underground hacker community to launch cyberattacks against Russia.