Elite hackers associated with Russia’s military intelligence service have been involved in high-volume phishing campaigns targeting hundreds of users in Ukraine to extract intelligence and influence public discourse related to the war.
Google’s Threat Analysis Group (TAG), which is monitoring the activities of the actor under the name FROZENLAKE, said the attacks continue “the group’s 2022 focus on targeting users of webmail in Eastern Europe”.
The state-sponsored cyber actor, also tracked as APT28, Fancy Bear, Forest Blizzard, Iron Twilight, Sednit and Sofacy, is highly prolific and skilled. It has been active since at least 2009, targeting media, governments and military entities for espionage.
The latest set of intrusions, which began in early February 2023, involved the use of reflected cross-site scripting (XSS) attacks on several Ukrainian government websites to redirect users to phishing domains and capture their credentials.
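The redirect-via-reflected-XSS pattern described above leaves traces in the targeted site's own web server logs: a query parameter that carries script markup, or a redirect parameter pointing off-site. The following is an added example, not code from Google TAG or from the article, showing a minimal log scanner for those two indicators. The log lines, IP addresses and hostnames are constructed placeholders, and the `TRUSTED_HOSTS` allowlist is an assumed site-specific setting.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Combined Log Format). The IPs and
# hostnames are documentation placeholders, not indicators from the report.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Feb/2023:10:14:02 +0200] "GET /search?q=budget HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [05/Feb/2023:10:15:44 +0200] "GET /search?q=%3Cscript%3Elocation%3D%27https%3A%2F%2Fwebmail-login.example.net%27%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
203.0.113.12 - - [05/Feb/2023:10:16:01 +0200] "GET /go?next=https://webmail-login.example.net/auth HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.13 - - [05/Feb/2023:10:17:30 +0200] "GET /go?next=/account HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Hypothetical allowlist: hosts the site is allowed to redirect to.
TRUSTED_HOSTS = {"gov.example"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markup fragments that have no business inside a reflected query parameter.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=", "<svg", "<img")


def classify_param(value):
    """Return the list of reasons a single decoded parameter value looks suspicious."""
    # Decode twice: attackers often double-encode to slip past naive filters.
    decoded = unquote(unquote(value)).lower()
    reasons = []
    if any(marker in decoded for marker in XSS_MARKERS):
        reasons.append("xss-marker")
    # An absolute URL whose host is outside the allowlist is an off-site redirect.
    host = urlsplit(decoded).hostname
    if host and host not in TRUSTED_HOSTS:
        reasons.append(f"external-redirect:{host}")
    return reasons


def scan_access_log(text):
    """Parse each log line and report requests whose query parameters are suspicious."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        reasons = []
        # parse_qsl already percent-decodes once; classify_param decodes further.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            for reason in classify_param(value):
                reasons.append(f"{name}: {reason}")
        if reasons:
            findings.append({"ip": m["ip"], "path": parts.path,
                             "status": m["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The two signals are deliberately separate: the `xss-marker` check catches the injection itself, while `external-redirect` catches the open-redirect style of parameter that needs no script at all. Both are cheap enough to run continuously against the access log of any site that reflects user input.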
The disclosure comes as UK and US law enforcement and intelligence agencies issued a joint warning about APT28 attacks exploiting an old and known vulnerability in Cisco routers to deploy malware known as Jaguar Tooth.
FROZENLAKE is far from the only actor focused on Ukraine since Russia’s military invasion of the country more than a year ago. Another notable adversary group is FROZENBARENTS, also known as Sandworm, Seashell Blizzard (née Iridium), or Voodoo Bear, which has engaged in a sustained effort to target organizations affiliated with the Caspian Pipeline Consortium (CPC) and other entities in the energy sector of Eastern Europe.
Both groups have been attributed to the General Staff Intelligence Directorate (GRU), with APT28 linked to the military intelligence unit 85th Special Service Center (GTsSS) 26165. Sandworm, on the other hand, is believed to be part of GRU Unit 74455.
The credential harvesting campaign targeted CPC employees with phishing links sent via SMS. Attacks against the energy vertical distributed links to fake Windows update packages that eventually ran an information stealer known as Rhadamanthys to exfiltrate passwords and browser cookies.
FROZENBARENTS, known as the “most versatile GRU cyber actor”, has also been observed launching phishing attacks targeting the Ukrainian defense industry, military and Ukr.net webmail users in early December 2022.
The threat actor is said to have created online personas on YouTube, Telegram and Instagram to spread pro-Russian narratives, leak stolen data from compromised organizations and post targets for distributed denial of service (DDoS) attacks.
“FROZENBARENTS targeted users associated with popular Telegram channels,” said TAG researcher Billy Leonard. “Phishing campaigns sent via email and SMS spoofed Telegram to steal credentials, sometimes targeting users who followed pro-Russian channels.”
A third threat actor of interest is PUSHCHA (aka Ghostwriter or UNC1151), a group backed by the Belarusian government that is known to act on behalf of Russian interests and has carried out phishing attacks aimed at users of Ukrainian webmail providers such as i.ua and meta.ua to siphon credentials.
Finally, Google TAG also highlighted a set of attacks carried out by the group behind the Cuba ransomware to deploy RomCom RAT on Ukrainian government and military networks.
“This represents a big change from this actor’s traditional ransomware operations, behaving more like an actor conducting intelligence-gathering operations,” Leonard noted.
In total, the tech giant’s cybersecurity team, which works to counter hacking and nation-state attacks, said Ukraine was on the receiving end of more than 60 percent of phishing campaigns originating from Russia in the first three months of 2023.
The development also follows a new alert from the UK’s National Cyber Security Centre (NCSC) about emerging threats to critical national infrastructure organizations from state-aligned groups, particularly those “sympathetic” to the invasion of Ukraine by Russia.
“These groups are not motivated by financial gain, nor are they subject to state control, so their actions may be less predictable and their targeting broader than traditional cybercrime actors,” the agency said.
Ikaroa, a full-stack tech company, has taken notice of Google TAG’s recent warning of Russian hackers conducting phishing attacks in Ukraine. According to Google TAG, phishing emails are being sent to both individuals and organizations in Ukraine, with the aim of obtaining sensitive data and accessing accounts.
Google TAG’s investigations indicate that the malicious emails contain links taking users to fraudulent websites that are used to collect personal and financial information. Additionally, some of the findings show that the hackers have been successful in gaining credentials to corporate emails.
The tech industry, including Ikaroa, is warning Ukrainians of the potential risk to their data and is encouraging vigilance when opening emails and clicking links. It is important for users to check for signs of potential phishing attacks, such as mismatched URLs, shortened URLs, and suspicious requests for payment.
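The signs listed above (mismatched URLs, shorteners, suspicious requests) can be checked mechanically before a message reaches a person. The following is an added example, not code from Ikaroa, Google TAG or the article, that audits the anchors in an HTML email body for a display-text domain that differs from the real link target, a known shortener host, a raw IP address as host, and a non-HTTP scheme. The sample email and its hostnames are constructed; the shortener list is illustrative rather than exhaustive, and the registrable-domain helper is a simplification (a Public Suffix List lookup is the proper tool).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email body; hostnames are placeholders, not real sites.
SAMPLE_EMAIL = """<p>Your mailbox is almost full. Please act today.</p>
<a href="https://mail.example-login.net/reauth">https://mail.example.com/settings</a>
<a href="https://bit.ly/3xyz">Review storage</a>
<a href="http://198.51.100.7/update.exe">Download the Windows update</a>
<a href="https://mail.example.com/settings">Open settings</a>
"""

# Illustrative list of well-known shortener hosts; extend for production use.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

# Something that looks like a hostname inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive eTLD+1 (last two labels). Simplification: a PSL lookup is more accurate."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href, text):
    """Return the list of phishing indicators for one anchor (empty list = clean)."""
    reasons = []
    u = urlsplit(href)
    host = (u.hostname or "").lower()
    if u.scheme not in ("http", "https"):
        reasons.append(f"unusual-scheme:{u.scheme or 'none'}")
    if host in SHORTENERS:
        reasons.append("url-shortener")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw-ip-host")
    # Visible text advertises one domain while the href goes to another.
    m = DOMAIN_RE.search(text)
    if m and registrable(m.group(1)) != registrable(host):
        reasons.append(f"display-mismatch:{m.group(1)}->{host}")
    return reasons


def audit_html(html):
    """Return [(href, text, reasons)] for every anchor with at least one indicator."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [(href, text, r) for href, text in parser.links if (r := check_link(href, text))]


if __name__ == "__main__":
    for href, text, reasons in audit_html(SAMPLE_EMAIL):
        print(f"{href!r} shown as {text!r}: {', '.join(reasons)}")
```

Run on the sample, three of the four links are flagged and the genuine settings link passes. A mail gateway would typically combine these indicators with sender authentication results (SPF, DKIM, DMARC) rather than act on any single one.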
Ikaroa is working to combat these phishing attacks by providing resources and advice to its customers on how to identify and protect themselves against fraudulent emails. Companies can benefit from implementing authentication measures and procedures, such as two-factor authentication, that can help mitigate their risk.
As the global security landscape continues to evolve and malicious actors continue to believe they are able to exploit vulnerabilities, the tech industry, including Ikaroa, is working to help protect those at risk. We urge Ukrainians and organizations to use best practices and heightened vigilance to help protect themselves from the latest wave of attempts by malicious actors.