Google TAG warns of Russia-linked APT groups targeting Ukraine

The researchers from Google TAG are warning of Russia-linked threat actors targeting Ukraine with phishing campaigns.

Russia-linked threat actors launched large-volume phishing campaigns against hundreds of users in Ukraine to gather intelligence and aimed at spreading disinformation, states Google’s Threat Analysis Group (TAG).

In Q1 2023, threat actors linked to Russia’s military intelligence service focused their phishing campaigns on Ukraine, with the country accounting for over 60% of observed Russian targeting.

“FROZENBARENTS (aka Sandworm), a group attributed to Russian Armed Forces’ Main Directorate of the General Staff (GRU) Unit 74455, continues to focus heavily on the war in Ukraine with campaigns spanning intelligence collection, IO, and leaking hacked data through Telegram.” reads the report published by the Google TAG.

FROZENLAKE, aka Sandworm, has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017.

In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe. 

On September 2022, the Sandworm group was observed impersonating telecommunication providers to target Ukrainian entities with malware.

In January, researchers from ESET discovered a new Golang-based wiper, dubbed SwiftSlicer, that was used in attacks aimed at Ukraine. 

According to the Fog of War report published by Google TAG, FROZENBARENTS shows sophisticated offensive capabilities, including credential phishing, mobile activity, malware, external exploitation of services, and beyond. The group targeted multiple sectors, including government, defense, energy, transportation/logistics, education, and humanitarian organizations.

The experts reported the case of the Caspian Pipeline Consortium (CPC) controls, which is one of the world’s largest oil pipelines that transports oil from Kazakhstan to the Black Sea. Since November 2022, the FROZENBARENTS group has conducted sustained cyber activity against organizations associated with the CPC and other energy sector organizations in Europe.

The group attempted to steal CPC employees’ credentials with a Smishing campaign aimed at distributing the Rhadamanthys information stealer.

In a recent wave of attacks that started in early February 2023, FROZENLAKE (aka APT28) exploited reflected cross-site scripting (XSS) on multiple Ukrainian government websites to redirect visitors to phishing pages in an attempt to trick them into providing their credentials.

ukr.net phishing page

The researchers also warned of FROZENBARENTS’s activity in the IO space. The APT group used fake online personas to create and disseminate disinformation as well as leak stolen data. Threat actors promote pro-Russia narratives against Ukraine, NATO and the West.

“One persona, which TAG assesses is created and controlled by FROZENBARENTS actors, is ‘CyberArmyofRussia’ or ‘CyberArmyofRussia_Reborn’, which has a presence on Telegram, Instagram and YouTube.” continues the report. “Both the YouTube channel, terminated upon identification, and Instagram account received minimal engagement with a negligible number of subscribers or followers.”

The CyberArmyofRussia_Reborn Telegram channel was used by Russia-linked actors to leak stolen data and carry out DDoS attacks against selected targets. 

The experts also analyzed a Belarusian threat actor, tracked as PUSHCHA, that has consistently targeted users in Ukraine and neighboring countries since the beginning of the conflict. The attacks of the group focused on regional webmail providers such as i.ua, meta.ua and similar services. The group used spear-phishing campaigns against small numbers of users in Ukraine.

Google TAG also reported the malware-based attacks conducted by the group behind Cuba ransomware to distribute RomCom RAT in the networks of the Ukrainian government and military.

“This represents a large shift from this actor’s traditional ransomware operations, behaving more similarly to an actor conducting operations for intelligence collection. TAG also observed campaigns from this actor targeting attendees of the Munich Security Conference and the Masters of Digital conference.” concludes the report. “The attackers are using phishing URLs with spoofed domain names related to ChatGPT and OpenAI. The campaigns have been relatively small in volume, sent from spoofed domains, and targeting users’ Gmail accounts.”.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Russia-linked APT)