Google observes additional malicious activity against Ukrainian targets
Espionage and phishing campaigns have been linked to Russian and Ukrainian state-backed threat actors
Over the past two weeks, Google’s Threat Analysis Group (TAG) has observed a wide array of malicious cyber activity against Ukrainian targets, which ranges from espionage to phishing campaigns.
One of the most well-known groups whose activity has been observed is FancyBear (APT28). Attributed to Russia’s General Staff Main Intelligence Directorate (GRU), this group has been active since at least 2004, according to MITRE ATT&CK.
Numerous attacks have been attributed to this group, including the compromise of the DNC and WADA websites, attempts to disrupt elections in the US, France, and the Netherlands, and attacks against Ukrainian artillery. In 2020, the EU and UK imposed sanctions on group members over a 2015 attack that targeted the German Parliament.
According to TAG, FancyBear has recently conducted “several large credential phishing campaigns” targeting users of ukr.net, a Ukrainian media company. “The phishing emails are sent from a large number of compromised accounts (non-Gmail/Google), and include links to attacker-controlled domains.”
A second well-known threat group whose activity has been spotted by the Google researchers is Ghostwriter (UNC1151) – which is attributed to Belarus and has been around since at least 2016. According to TAG, over the past week this group has conducted credential phishing campaigns against Polish and Ukrainian government and military organizations.
TAG also noted that it has been observing “DDoS attempts against numerous Ukraine sites, including the Ministry of Foreign Affairs, Ministry of Internal Affairs, as well as services like Liveuamap that are designed to help people find information.”
On Saturday, Ukraine’s cyber watchdog – the State Service of Special Communications and Information Protection – said that “Russian hackers keep on attacking Ukrainian information resources nonstop since the beginning of the invasion.”
Of course, the Russia-Ukraine cyber war did not start with the Russian invasion. It has been going on for years, at least since Moscow annexed Crimea in 2014. In its report, TAG mentioned that over the past 12 months alone it has issued “hundreds of government-backed attack warnings to Ukrainian users alerting them that they have been the target of government backed hacking, largely emanating from Russia.”
Ukraine joins NATO Cyber Defense Centre
Meanwhile, even though the possibility of Ukraine becoming a NATO member has been one of the major points of contention as far as Russia is concerned, Ukraine was unanimously accepted as a Contributing Participant of the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE). Based in Estonia, the organization had already accepted non-NATO members before Ukraine.
“Ukraine’s presence in the Centre will enhance the exchange of cyber expertise between Ukraine and CCDCOE member nations,” said Jaak Tarien, CCDCOE Director, in an official statement. “Ukraine could bring valuable first-hand knowledge of several adversaries within the cyber domain to be used for research, exercises and training.”