Google TAG details cyber activity with regard to the invasion of Ukraine

The Google TAG uses uncovered phishing attacks targeting Eastern European and NATO countries, including Ukraine.

The Google Threat Analysis Group (TAG) provided an update about nation-state attacks related ongoing Russian invasion of Ukraine, the experts spotted phishing and malware attacks targeting Eastern European and NATO countries, including Ukraine

The researchers uncovered a phishing campaign conducted by a Russia-linked threat actor tracked as COLDRIVER (aka Calisto) against a NATO Centre of Excellence and Eastern European militaries. The attacks of the group also aimed at a Ukrainian defense contractor and several US-based non-governmental organizations (NGOs) and think tanks.

Google experts pointed out that this is the first time that the cyberspies target NATO and military of multiple Eastern European countries.

“However, for the first time, TAG has observed COLDRIVER campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence.” reads the report published by the TAG team. “These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown. We have not observed any Gmail accounts successfully compromised during these campaigns.”

Attackers created Gmail accounts specifically for this campaign and used them to send phishing messages to non-Google accounts. Google states that it is impossible to determine the success rate of these campaigns because the messages reached non-Google accounts. The IT giant states that it is not aware of any Gmail accounts successfully compromised during these attacks.

TAG also reported the activity of a China-linked APT group, tracked as Curious Gorge aimed at government and military organizations from Ukraine, Russia, Kazakhstan, and Mongolia.

“Curious Gorge, a group TAG attributes to China’s PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. While this activity largely does not impact Google products, we remain engaged and are providing notifications to victim organizations.” continues the report.

The researchers also observed Belarus-linked APT Ghostwriter employing a new phishing technique known as Browser in the Browser (BitB) phishing, publicly disclosed in mid-March.

“Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites. The new technique, displayed below, draws a login page that appears to be on the passport.i.ua domain, overtop of the page hosted on the compromised site.” continues the report. “Once a user provides credentials in the dialog, they are posted to an attacker controlled domain.”

Google experts confirmed that financially motivated and criminal actors are also attempting to exploit the interest in current events in their campaigns. In one case observed by the TAG team. a threat actor impersonated military personnel to extort money for rescuing relatives in Ukraine.

“TAG has also continued to observe multiple ransomware brokers continuing to operate in a business as usual sense.” concludes Google.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

[adrotate banner=”5″]

[adrotate banner=”13″]