
Cyber crooks benefitting from the war in Ukraine
There is a continuously growing number of threat actors using the war in Ukraine as a lure in phishing and malware campaigns. One example is a cyber crook who impersonates military personnel to extort money for rescuing relatives in Ukraine, Billy Leonard of Google's Threat Analysis Group (TAG) reports in a blog post.
He reports that during the last couple of weeks, government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used a range of Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links.
"Financially motivated and criminal actors are also using current events as a means for targeting users."
The report includes recent examples:
Curious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia.
Recently observed IPs used in Curious Gorge campaigns:
- 188.108[.]119
- 216.190[.]58
- 27.186[.]23
- 249.31[.]171
- 154.12[.]167
COLDRIVER, a Russia-based threat actor sometimes referred to as Calisto, has launched credential phishing campaigns targeting several US-based NGOs and think tanks, the military of a Balkans country, and a Ukraine-based defence contractor.
The report says COLDRIVER campaigns have for the first time been targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence.
"These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown. We have not observed any Gmail accounts successfully compromised during these campaigns."
Recently observed COLDRIVER credential phishing domains:
- protect-link[.]online
- drive-share[.]live
- protection-office[.]live
- proton-viewer[.]com
Ghostwriter, a Belarusian threat actor, recently introduced a new capability into its credential phishing campaigns. In mid-March, a security researcher released a blog post detailing a 'Browser in the Browser' phishing technique. The media picked up on this blog post, publishing several stories highlighting this phishing capability.
Ghostwriter actors quickly adopted this new technique, combining it with a previously observed one: hosting credential phishing landing pages on compromised sites. The new technique draws a login page that appears to be on the passport.i.ua domain on top of the page hosted on the compromised site. Once a user provides credentials in the dialog, they are posted to an attacker-controlled domain.
Recently observed Ghostwriter credential phishing domains:
- login-verification[.]top
- login-verify[.]top
- ua-login[.]top
- secure-ua[.]space
- secure-ua[.]top
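The domain indicators above are published in defanged form (`[.]` instead of `.`). A defender's first practical use of them is to refang the list and sweep proxy and DNS logs for matches, including subdomains of the listed domains. The following is an added example written for this article; it is not code from the TAG report or from Google. The indicator lists are taken from the article as printed, the attribution labels follow the report's grouping, and the log lines are constructed for the example.

```python
"""Sweep sample proxy/DNS log lines for the defanged phishing domains in the TAG report."""
from __future__ import annotations

import re

# Indicators exactly as printed in the article (defanged with [.]).
COLDRIVER_DOMAINS = [
    "protect-link[.]online",
    "drive-share[.]live",
    "protection-office[.]live",
    "proton-viewer[.]com",
]
GHOSTWRITER_DOMAINS = [
    "login-verification[.]top",
    "login-verify[.]top",
    "ua-login[.]top",
    "secure-ua[.]space",
    "secure-ua[.]top",
]

# Constructed sample log lines (proxy and DNS), not real telemetry.
SAMPLE_LOGS = [
    "2022-03-30T10:15:02Z proxy 10.0.0.5 GET https://protect-link.online/verify 200",
    "2022-03-30T10:15:09Z dns 10.0.0.7 query mail.ua-login.top A",
    "2022-03-30T10:16:40Z proxy 10.0.0.5 GET https://www.google.com/ 200",
    "2022-03-30T10:17:03Z proxy 10.0.0.9 POST https://proton-viewer.com/login 302",
]

# Hostnames in a log line: an optional scheme, then labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into its real form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def build_index(groups: dict[str, list[str]]) -> dict[str, str]:
    """Map each refanged, lower-cased domain to the actor label it was published under."""
    index: dict[str, str] = {}
    for label, indicators in groups.items():
        for ioc in indicators:
            index[refang(ioc).lower()] = label
    return index


def hosts_in_line(line: str) -> list[str]:
    """Extract candidate hostnames from one log line."""
    return [h.lower().rstrip(".") for h in HOST_RE.findall(line)]


def matches_ioc(host: str, index: dict[str, str]) -> tuple[str, str] | None:
    """Return (indicator, label) if host equals an indicator or is a subdomain of one.

    Matching walks label boundaries, so 'mail.ua-login.top' matches 'ua-login.top'
    but 'myprotection-office.live' does not match 'protection-office.live'.
    """
    parts = host.split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in index:
            return candidate, index[candidate]
    return None


def scan(lines: list[str], index: dict[str, str]) -> list[tuple[int, str, str, str]]:
    """Return (line_number, host, matched_indicator, label) for every line that hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in hosts_in_line(line):
            m = matches_ioc(host, index)
            if m:
                hits.append((n, host, m[0], m[1]))
                break  # one hit per line is enough for triage
    return hits


if __name__ == "__main__":
    ioc_index = build_index({"COLDRIVER": COLDRIVER_DOMAINS, "Ghostwriter": GHOSTWRITER_DOMAINS})
    for line_no, host, ioc, label in scan(SAMPLE_LOGS, ioc_index):
        print(f"line {line_no}: {host} -> {ioc} ({label})")
```

Matching on label boundaries rather than by substring is deliberate: a naive `ioc in line` check would flag unrelated hosts that merely contain an indicator as a suffix. The IP addresses listed earlier in the article are reproduced incomplete (three octets) and are not used here.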