Meta (formerly Facebook) says it has taken down accounts that a Belarus-linked hacking group (UNC1151, also known as Ghostwriter) used on its platform to target Ukrainian officials and military personnel. In November 2021, Mandiant security researchers established a strong link between the UNC1151 threat group, the Belarusian government, and a hacking operation known as Ghostwriter.
Facebook also blocked multiple phishing sites that the threat actors used to try to hack the accounts of Ukrainian users. Meta’s Head of Security Policy Nathaniel Gleicher and Threat Disruption Director David Agranovich said that they discovered attempts on Facebook to target people with YouTube videos depicting the Ukrainian military as weak and surrendering to Russia, including one video purporting to show Ukrainian soldiers emerging from a woodland while waving a white surrender flag.
“We also blocked phishing domains these hackers used to try to trick people in Ukraine into compromising their online accounts.” Facebook’s security team has protected accounts suspected of being targeted in this effort, and users have been notified of the hacking attempts.
Facebook also shut down a small network of Facebook and Instagram Pages and Groups that targeted Ukrainians using false identities across several social media platforms, including Facebook, Instagram, Twitter, YouTube, Telegram, Odnoklassniki, and VK. This campaign also ran a small number of websites that posed as independent news portals and spread claims about the West betraying Ukraine and Ukraine “being a failed state.”
The Computer Emergency Response Team of Ukraine (CERT-UA) issued a warning on Friday about spearphishing attempts targeting the private email accounts of Ukrainian military personnel, a warning that Meta’s research corroborates. The hacked email accounts were then used to send identical phishing messages to the victims’ contacts, threatening to permanently terminate their accounts unless they validated their contact information.
The Ukrainian State Service of Special Communications and Information Protection (SSSCIP) has reported a distinct and ongoing wave of phishing attacks aimed at Ukrainians with malicious documents. The same day, the Slovak internet security firm ESET published a notice about cybercriminals impersonating humanitarian groups to defraud donors to organizations assisting Ukraine during the war that began on Thursday with Russia’s invasion.
These attacks came after HermeticWiper malware and ransomware decoys wiped data from Ukrainian networks and rendered devices unbootable. Ukraine was also hit by data-wiping attacks in January, when the WhisperGate wiper was used in attacks disguised as ransomware.