A spearphishing attempt targeting private email accounts belonging to Ukrainian military forces personnel was announced today by the Computer Emergency Response Team of Ukraine (CERT-UA). Additional phishing messages are sent to contacts in the victims’ address books using accounts compromised in these cyberattacks.
The phishing emails come from two domains (i[.]ua-passport[.]space and id[.]bigmir[.]space), with the former attempting to imitate the i.ua free Internet portal, which has been offering email services to Ukrainians since around 2008. The emails invite recipients to verify their contact information by clicking a link in the message, supposedly to prevent their email accounts from being permanently banned.
According to CERT-UA, this ongoing phishing effort is tied to the UNC1151 threat group, which Mandiant analysts attributed to the Belarusian government with high confidence in November 2021. Mandiant also discovered evidence linking the UNC1151 operators to the Belarusian military, corroborating CERT-UA’s conclusion that the attackers are military cyberspies and Belarus Ministry of Defense officials.
“The Minsk-based group ‘UNC1151’ is behind these activities. Its members are officers of the Ministry of Defence of the Republic of Belarus,” CERT-UA added. The State Service of Special Communications and Information Protection of Ukraine (SSSCIP) also issued a warning today to Ukrainians about a new active phishing effort attempting to infect them with malicious documents.
According to a separate alert issued by ESET, a Slovak internet security firm, cybercriminals are impersonating humanitarian organizations in an attempt to defraud those who wish to donate to organizations assisting Ukraine during the ongoing conflict, which began with Russia’s attack on Thursday morning. These developments follow data-wiping attacks against Ukrainian networks, which used the HermeticWiper malware and ransomware decoys to wipe data and render machines unbootable.
This is the second time this year that Ukrainian organizations have been hit by data wipers, after the WhisperGate malware, disguised as ransomware, was used in operations targeting Ukraine in January. In February, the DDoS and malware attacks on Ukrainian networks coincided with the Security Service of Ukraine’s (SSU) announcement a little over a week ago that the country is being attacked by a “massive wave of hybrid warfare.”