Russian hackers target Ukrainians and European allies via phishing attacks


A wide range of malicious actors, including Fancy Bear, Ghostwriter, and Mustang Panda, launched phishing campaigns against Ukraine, Poland, and other European entities as part of Russia’s invasion of Ukraine.

Google’s Threat Analysis Group (TAG) said it removed two Blogspot domains used by nation-state group FancyBear (aka APT28) – which is attributed to Russian military intelligence GRU – as a landing page for its attacks social engineering.

The disclosure follows a notice from the Computer Emergency Response Team of Ukraine (CERT-UA) warning of phishing campaigns targeting users that involve sending messages from accounts compromise that contains links to attacker-controlled credential collection pages.

Another group of threat activity concerns webmail users of,,,, and, which have been the target of phishing attacks by a Belarusian threat actor tracked as Ghostwriter (aka UNC1151).

The hacking group has also “conducted credential phishing campaigns over the past week against Polish and Ukrainian government and military organizations,” Shane Huntley, director of Google TAG, said. noted in a report.

Automatic GitHub backups

But it’s not just Russia and Belarus that have set their sights on Ukraine and Europe. Included in the mix is ​​a China-based threat actor known as Mustang Panda (aka TA416 or RedDelta) that attempts to plant malware in “targeted European entities with decoys related to the Ukrainian invasion.”

The findings were also separately corroborated by enterprise security firm Proofpoint, which detailed a multi-year TA416 campaign against diplomatic entities in Europe beginning in early November 2021, counting an “individual involved in refugee and migrant services” on February 28, 2022.

The infection sequence involved embedding a malicious URL into a phishing message using a compromised email address of a diplomat from a European NATO country, which, when clicked, delivered a file archive incorporating a dropper which in turn downloaded a decoy document to retrieve the last-stage PlugX malware.

The revelations come as a deluge of Distributed Denial of Service (DDoS) attacks have bombarded many Ukrainian sites, such as those associated with the Ministry of Defence, Foreign Affairs, Internal Affairs and services like Liveuamap.

“Russian hackers continue to attack Ukrainian information resources non-stop,” the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said. noted in a tweet this weekend.

Prevent data breaches

“The most powerful [DDoS] attacks exceeded 100 Gbps at their peak. Despite all the enemy’s resources involved, the sites of the central government organs are available.”

In a related development, hacking collective Anonymous claims that it took down the website of the Federal Security Service of Russia and interrupted the live streams of several Russian TV channels and streaming services like Wink, Ivi, Russia 24, Channel One and Moscow 24 for broadcast war footage from Ukraine.

The wave of counterattacks against Russia was galvanized through the formation of a cyber army, a participatory Ukrainian government initiative that leverages digital warfare to disrupt Russian government and military targets.

The development also follows Russia’s move to ban Facebook and strangle other widely used social media platforms in the country, just as US tech companies moved to sever ties with Russia. effectively creation of an iron curtain and reduced online access.


Comments are closed.