Malicious emails have been sent to staff at European government organizations from email addresses that purport to belong to Ukrainian military personnel. The Russia-Ukraine conflict is being fought online as well as on the ground, with state-sponsored groups and hacktivists active on both sides. Distributed denial-of-service (DDoS) attacks, ransomware, data breaches, and disinformation are among the tactics and tools used in the online conflict.
Shortly after Russia began its operation, the Ukrainian government warned that phishing emails were being sent to the email accounts of Ukrainian military personnel and related individuals. The attack has been attributed to UNC1151, a threat actor previously linked to Belarus and possibly Russia that specializes in disinformation campaigns.
Proofpoint, which tracks the threat group as TA445, revealed on Wednesday that malicious emails were being sent to European government officials dealing with the Ukrainian refugee situation, via a likely compromised email account belonging to a Ukrainian military service member. While Proofpoint has not found conclusive proof, the timing and objective of the campaign suggest that the emails sent to European authorities may be the next stage of the phishing attacks the Ukrainian government warned about.
The emails sent to European government officials referred to a recent NATO Security Council emergency meeting. They carried an attachment (a macro-enabled XLS file) designed to deliver the SunSeed malware. SunSeed is a downloader that the attacker most likely uses to fetch further malicious payloads onto infected machines. The campaign, dubbed Asylum Ambuscade by Proofpoint, may be intended to gather intelligence on refugee flows out of Ukraine, as well as on the funding, supplies, and logistics Europe is using to deal with the situation.
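The lure described above was a macro-enabled XLS attachment. As an added mail-gateway triage example (not part of the original article or of Proofpoint's research), the Python below inspects an attachment's container rather than trusting its file extension: an OOXML zip is flagged when it carries an `xl/vbaProject.bin` part, and a legacy OLE/CFB workbook is flagged when its raw bytes contain the UTF-16LE storage name `_VBA_PROJECT`. All file names and bytes are constructed; a production filter would use a full CFB parser such as oletools instead of the byte-search heuristic.

```python
import io
import zipfile

# Constructed for this example; not artifacts from the Asylum Ambuscade campaign.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # CFB header used by legacy .xls
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")       # CFB directory names are UTF-16LE


def build_ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML workbook zip; add a VBA project part if requested."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"\x00" * 16)  # placeholder VBA part
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Classify by container content: ooxml-macro, ooxml-clean, ole-macro, ole-clean, other."""
    if data[:2] == b"PK":                               # OOXML is a zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            return "other"
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml-clean"
    if data.startswith(OLE_MAGIC):                      # legacy binary workbook
        # Heuristic: the VBA storage name appears in the CFB directory as UTF-16LE.
        return "ole-macro" if VBA_MARKER in data else "ole-clean"
    return "other"


def triage(attachments):
    """Return (name, verdict) for each (name, bytes) pair, ignoring the extension."""
    return [(name, classify_attachment(blob)) for name, blob in attachments]


# Constructed sample attachments; the .xls name on a zip shows why extension checks fail.
SAMPLES = [
    ("meeting_agenda.xls", build_ooxml(with_macro=True)),
    ("budget_2022.xlsx", build_ooxml(with_macro=False)),
    ("legacy_report.xls", OLE_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 64),
    ("readme.txt", b"plain text, not an Office document"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES):
        flag = "QUARANTINE" if verdict.endswith("macro") else "allow"
        print(f"{name:24} {verdict:12} {flag}")
```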
“The targeted individuals possessed a range of expertise and professional responsibilities,” Proofpoint clarified in a blog post. “However, there was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe. This campaign may represent an attempt to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO member countries.”
Ukraine’s IT Army, which was formed right after Russia started its invasion, has some 260,000 members at present. An individual who appears online as CyberKnow has prepared a list of the numerous hacking organizations that support both Russia and Ukraine. There are now over 30 organizations on the list.
According to WordPress security company Defiant, one of the groups targeting Ukraine appears to be based in Brazil and has attacked the websites of tens of Ukrainian colleges since the war began. Unsurprisingly, financially motivated cybercriminals are also trying to profit from the conflict. Cofense, a provider of anti-phishing technologies, has observed many spam campaigns aimed at stealing data and defrauding consumers.