A broad range of threat actors, including Fancy Bear, Ghostwriter, and Mustang Panda, have launched phishing campaigns against Ukraine, Poland, and other European entities amid Russia’s invasion of Ukraine.
Google’s Threat Analysis Group (TAG) said it took down two Blogspot domains that were used by the nation-state group FancyBear (aka APT28) – which is attributed to Russia’s GRU military intelligence – as a landing page for its social engineering attacks.
The disclosure comes close on the heels of an advisory from the Computer Emergency Response Team of Ukraine (CERT-UA) warning of phishing campaigns targeting Ukr.net users that involve sending messages from compromised accounts containing links to attacker-controlled credential harvesting pages.
Another cluster of threat activity concerns webmail users of Ukr.net, Yandex.ru, wp.pl, rambler.ru, meta.ua, and i.ua, who have been at the receiving end of phishing attacks by a Belarusian threat actor tracked as Ghostwriter (aka UNC1151).
The hacking group also “conducted credential phishing campaigns over the past week against Polish and Ukrainian government and military organizations,” Shane Huntley, director of Google TAG, said in a report.
Separately, CERT-UA disclosed details of a cyber attack undertaken by the UNC1151 group aimed at Ukrainian state organizations using a malware called MicroBackdoor that’s delivered to compromised systems in the form of Microsoft Compiled HTML Help file (“dovidka.chm”).
images from Hacker News