
According to researchers at security firm Proofpoint, threat actors aligned with Russia and Belarus are targeting elected senior U.S. officials who support Ukraine, using attacks that attempt to compromise their email accounts.
The campaign, which also targets officials in European countries, uses malicious JavaScript customized for the individual webmail portals of various NATO allies, according to a report Proofpoint released Thursday. The threat actor, tracked by Proofpoint since 2021 under the name TA473, performs constant reconnaissance and painstaking research to ensure that its scripts steal a target's usernames, passwords, and other sensitive login credentials from each webmail portal it exposes as a target.
Tenacious targeting
Proofpoint threat researcher Michael Raggi said in an email: “Since late 2022, TA473 has spent substantial time examining webmail portals of European government agencies and scanning publicly exposed infrastructure for vulnerabilities, ultimately to gain access to the emails of people closely involved in government affairs and the Russia-Ukraine war.”
Raggi declined to identify targets, except to say that they include elected US officials and staff at the federal level, as well as European institutions. “In several examples of targeted organizations in both the United States and Europe, individuals targeted in these phishing campaigns were vocal supporters of Ukraine in the Russo-Ukrainian war and/or involved in initiatives related to Ukrainian assistance,” he added.
Most of the recent attacks Proofpoint observed exploited a vulnerability in older versions of Zimbra Collaboration, a software package used to host webmail portals. Tracked as CVE-2022-27926 and patched last March, the vulnerability is a cross-site scripting flaw that allows an unauthenticated attacker to execute a malicious web script on a server by sending a specially crafted request. The attack only works against Zimbra servers that have not yet installed the patch.
The campaign begins by using scanning tools such as Acunetix to identify unpatched portals belonging to groups of interest. Members of TA473 then deliver phishing emails that claim to contain information of interest to the recipients.