Charities and NGOs providing support in Ukraine hit by malware

Malware based attacks are targeting charities and non-governmental organizations (NGOs) providing support in Ukraine

Charities and non-governmental organizations (NGOs) that in these weeks are providing support in Ukraine are targeted by malware attacks aiming to disrupt their operations.

The news was reported by Amazon that associates the attacks with state-sponsored hackers and confirmed that it is helping customers impacted by the attacks to adopt security best practices.

“For several weeks, we have been partnering closely with Ukrainian IT organizations to fend off attacks and working with organizations in Ukraine, and around the world, to share real-time, relevant intelligence. As a result, our teams have seen new malware signatures and activity from a number of state actors we monitor. As this activity has ramped up, our teams and technologies detected the threats, learned the patterns, and placed remediation tools directly into the hands of customers.” reads the post published by Amazon. “While we are seeing an increase in activity of malicious state actors, we are also seeing a higher operational tempo by other malicious actors. We have seen several situations where malware has been specifically targeted at charities, NGOs, and other aid organizations in order to spread confusion and cause disruption.”

Some of the most impacted operations are related to medical supplies, food, and clothing relief.

Amazon did not name the impacted organizations, it is working with multiple organizations and donated $5 million to organizations that are providing critical support on the ground, including UNICEF, UNHCR, World Food Program, Red Cross, Polska Akcja Humanitarna, and Save the Children.

A few days ago, researchers from cybersecurity firm Proofpoint uncovered a spear-phishing campaign, likely conducted by a nation-state actor, that compromised a Ukrainian armed service member’s email account to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.

The phishing messages included a weaponized attachment designed to download a Lua-based malware dubbed SunSeed. Experts found similarities between the infection chain associated with this campaign, tracked as Asylum Ambuscade, and other attacks Proofpoint observed in July 2021, a circumstance that suggests they were conducted by the same threat actor.

The campaign observed in July 2021 was linked to the Belarus-linked APT group Ghostwriter (aka TA445 or UNC1151).

Update: Made it clearer that Amazon did not name any of the targeted organizations.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

[adrotate banner=”5″]

[adrotate banner=”13″]