Google TAG Warns of Russian Hackers Conducting Phishing Attacks in Ukraine

April 19, 2023 | Ravie Lakshmanan | Cyber War / Cyber Attack


Elite hackers associated with Russia’s military intelligence agency have been linked to a large-scale phishing campaign targeting hundreds of users in Ukraine to extract information and influence public discourse related to the war.

Google’s Threat Analysis Group (TAG), which monitors the attacker’s activity under the name FROZENLAKE, said the attacks continued the group’s 2022 “focus on targeting webmail users in Eastern Europe.”

This state-backed cyber actor, also tracked as APT28, Fancy Bear, Forest Blizzard, Iron Twilight, Sednit, and Sofacy, is highly active and skilled. It has been operating since at least 2009 and has targeted media, government, and military organizations for espionage.

The latest intrusion set, launched in early February 2023, used reflected cross-site scripting (XSS) attacks on various Ukrainian government websites to redirect users to phishing domains and harvest their credentials.

The disclosure comes as UK and US intelligence and law enforcement agencies released a joint advisory regarding an APT28 attack exploiting an old, known vulnerability in Cisco routers to deploy malware known as Jaguar Tooth.

FROZENLAKE is not the only Ukraine-focused attacker since the Russian military invasion over a year ago. Another notable hostile group is FROZENBARENTS (aka Sandworm, Seashell Blizzard (formerly Iridium), or Voodoo Bear), which is engaged in ongoing efforts to target the Caspian Pipeline Consortium (CPC) and other energy sector entities in Eastern Europe.


Both groups belong to the Main Intelligence Directorate of the General Staff (GRU). APT28 is associated with Military Unit 26165 of the 85th Main Special Service Center (GTsSS), while Sandworm is believed to be part of the GRU’s Unit 74455.

The credential harvesting campaign targeted CPC employees using phishing links delivered via SMS. The attacks on the energy vertical distributed links to fake Windows update packages that eventually ran an information stealer known as Rhadamanthys to steal passwords and browser cookies.

Dubbed “the most versatile GRU cyber actor,” FROZENBARENTS has also been observed launching credential phishing attacks targeting Ukraine’s defense industry, military, and Ukr.net webmail users starting in early December 2022.


The threat actor is also said to have created online personas on YouTube, Telegram, and Instagram to spread pro-Russian narratives, leak stolen data from compromised organizations, and post targets for distributed denial-of-service (DDoS) attacks.

“FROZENBARENTS targets users associated with popular Telegram channels,” said TAG researcher Billy Leonard. “Delivered via email and SMS, the phishing campaigns impersonated Telegram to steal credentials and sometimes targeted users following pro-Russian channels.”

A third notable threat actor is PUSHCHA (aka Ghostwriter or UNC1151), a Belarusian government-backed group known to act in the interests of Russia. It, too, has been observed siphoning credentials from Ukrainian users.

Google TAG also highlighted a series of attacks launched by the group behind the Cuba ransomware to deploy the RomCom RAT against Ukrainian government and military networks.

“This represents a significant change from traditional ransomware operations for this actor, and is behaving more like an attacker conducting information-gathering operations,” Leonard noted.
