Google's TAG provides update on cybersecurity activity in Eastern Europe

Google's Threat Analysis Group (TAG) has observed a continuously growing number of threat actors using the Russia-Ukraine conflict as a lure in phishing and malware campaigns and targeting critical infrastructure entities including oil and gas, telecommunications and manufacturing.

"Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links. Financially motivated and criminal actors are also using current events as a means for targeting users," TAG wrote in a blog post.

Below is the campaign activity observed by Google's TAG:

APT28 or Fancy Bear, a threat actor attributed to Russia GRU, was seen targeting users in Ukraine with a new variant of malware which was distributed via email attachments inside of password-protected zip files (ua_report.zip). The malware is a .Net executable that when executed steals cookies and saved passwords from Chrome, Edge and Firefox browsers. The data is then exfiltrated via email to a compromised email account.

Another Russian group called Turla was observed targeting defense and cybersecurity organizations in the Baltics. These campaigns were sent via email and contained a unique link per target that led to a DOCX file hosted on attacker-controlled infrastructure. When opened, the DOCX file would attempt to download a unique PNG file from the same attacker-controlled domain.

Similarly, Russian threat actor COLDRIVER, aka Callisto, was observed using Gmail accounts to send credential phishing emails to a variety of Google and non-Google accounts.

Belarusian threat actor Ghostwriter has also resumed targeting of Gmail accounts via credential phishing. TAG said that no accounts were compromised from this campaign that targeted high-risk individuals in Ukraine. It contained links leading to compromised websites where the first stage phishing page was hosted. Clicking continue would redirect users to an attacker-controlled site that collected the users' credentials.

China-based Curious Gorge has also remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central. Over the past week, additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company were identified, TAG said.

TAG also highlighted the actions the team has taken to protect users over the past few weeks.

• All identified websites and domains were added to Safe Browsing to protect users from further exploitation.
• All targeted Gmail and Workspace users have been notified of the activity.

More information can be found here.