Cyberattacks have been launched on organizations and individuals helping refugees trying to get out of Ukraine. Some may have been carried out by a Belarus-linked hacking group and the attackers have access to an email account of at least one Ukrainian military officer, according to American cybersecurity researchers.
Earlier this week, phishing attacks were launched on targets across Ukraine, pretending to come from the country’s security services, the SBU, and offering information on evacuation plans. The Ukrainian government put out a warning that the messages were fake and that the documents linked in the emails were actually malware. Forbes obtained a screenshot of one of the phishing emails, which was sent to a Gmail account and came with a Google warning that “similar messages were used to steal people’s personal information.” The messages asked for evacuation plans, according to the SBU, and contained an attached letter, later deemed to contain malware. Researchers from the Slovakia-based internet security company ESET later told Forbes it was malware based on Microsoft’s Remote Utilities software for Windows, allowing outside access to computers. “The sample is fresh, but the malware itself is not so sophisticated,” an ESET spokesperson said.
On Wednesday, researchers at U.S.-based cybersecurity company Proofpoint described a different “evacuation-themed” phishing attack that targeted an unnamed European government entity. Proofpoint security researchers looked at emails sent from an address ending in @ukr[.]net, a “possibly compromised Ukrainian armed service member’s email account.” The emails, which targeted “European government personnel involved in managing the logistics of refugees fleeing Ukraine,” carried the subject “IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022.” A spreadsheet attached to the email contained malware known as SunSeed. SunSeed’s function was to act as a path into an infected PC, allowing the installation of more malware, Proofpoint said.
“There was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe,” Proofpoint researchers wrote in the blog published on Wednesday. “This campaign may represent an attempt to gain intelligence regarding the logistics surrounding the movement of funds, supplies and people within NATO member countries.
“The possibility of exploiting intelligence around refugee movements in Europe for disinformation purposes is a proven part of Russian and Belarusian state techniques.”
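The two campaigns described above share a small set of observable traits: an evacuation or Security Council lure in the subject or body, a sender on a Ukrainian personal webmail domain (the ukr.net address Proofpoint flagged as a possibly compromised account, and the i.ua and meta.ua accounts the Ukrainian CERT said were being taken over), a sender posing as the SBU, and an office document attachment used as the carrier. The script below is an added example, not code from Forbes, Proofpoint or ESET, showing how a mail-gateway triage check could score incoming messages on those traits. The domain list, lure patterns, score thresholds and the sample messages are constructed assumptions for illustration, not indicators published by the researchers.

```python
"""Triage helper for evacuation-themed phishing lures (added example).

Scores raw RFC 822 messages against the traits the reporting describes.
Everything below (domain list, patterns, samples) is a constructed
assumption for illustration, not a published indicator list.
"""
import email
import email.policy
import email.utils
import re
from email.message import EmailMessage

# Personal webmail domains named in the reporting as used by targeted or
# compromised accounts. Assumption: a sender here that claims an official
# role deserves a closer look.
PERSONAL_WEBMAIL_DOMAINS = {"ukr.net", "i.ua", "meta.ua"}

# Lure phrases drawn from the campaigns the article describes.
LURE_PATTERNS = [
    re.compile(r"\bevacuation\b", re.I),
    re.compile(r"SECURITY COUNCIL OF UKRAINE", re.I),
    re.compile(r"EMERGENCY MEETING", re.I),
]

# Attachment types used as the malware carrier (a spreadsheet carrying
# SunSeed; an attached "letter" in the SBU-themed lure).
CARRIER_EXTENSIONS = {".xls", ".xlsx", ".xlsm", ".doc", ".docx", ".docm", ".rtf"}

# Display names claiming to be the security service.
OFFICIAL_IMPERSONATION = re.compile(r"\b(SBU|Security Service of Ukraine)\b", re.I)


def sender_parts(msg):
    """Return (display_name, lower-cased domain) of the From: header."""
    name, addr = email.utils.parseaddr(msg.get("From", "") or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def attachment_names(msg):
    """Collect filenames of every attachment part in a MIME message."""
    names = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and part.get_content_disposition() == "attachment":
            names.append(fname)
    return names


def triage(raw_bytes):
    """Score one raw message; one point per matching trait."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    reasons = []
    subject = msg.get("Subject", "") or ""
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    text = f"{subject}\n{body_text}"

    if any(p.search(text) for p in LURE_PATTERNS):
        reasons.append("evacuation/Security Council lure in subject or body")

    name, domain = sender_parts(msg)
    if domain in PERSONAL_WEBMAIL_DOMAINS:
        reasons.append(f"sender on personal webmail domain {domain} (possible compromised account)")
    if OFFICIAL_IMPERSONATION.search(name) and domain in PERSONAL_WEBMAIL_DOMAINS:
        reasons.append("display name claims SBU but address is a webmail account")

    attachments = attachment_names(msg)
    for fname in attachments:
        ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        if ext in CARRIER_EXTENSIONS:
            reasons.append(f"office document attachment {fname}")

    return {"score": len(reasons), "reasons": reasons, "attachments": attachments}


def build_sample(lure=True):
    """Construct a sample message (constructed for the example, not a real capture)."""
    m = EmailMessage()
    m["To"] = "logistics.desk@example.gov"  # constructed recipient
    if lure:
        m["From"] = "SBU Press Office <officer.example@ukr.net>"  # constructed sender
        m["Subject"] = ("IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING "
                        "OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022")
        m.set_content("Please review the attached evacuation plans for your region.")
        m.add_attachment(b"\xd0\xcf\x11\xe0 placeholder spreadsheet bytes",
                         maintype="application", subtype="vnd.ms-excel",
                         filename="evacuation_plan.xls")
    else:
        m["From"] = "Colleague <someone@example.org>"
        m["Subject"] = "Lunch on Friday"
        m.set_content("Are we still on for Friday?")
    return m.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        result = triage(build_sample(lure=flag))
        print(result["score"], result["reasons"])
```

A score of 2 or more on a message addressed to staff handling refugee logistics would be a reasonable trigger for holding the mail and detonating the attachment in a sandbox; the point of scoring rather than blocking on any single trait is that legitimate evacuation correspondence from personal webmail accounts is exactly what such staff receive, so no one indicator is decisive on its own.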
Catherine Woolard, director at the European Council on Refugees and Exiles, an alliance of 105 NGOs across 39 European countries, told Forbes there had been more phishing messages than usual aimed at the community, though she had not heard of any successful attacks. “We are hearing that from across the sector and from related entities, political foundations, for example,” she added.
“We are used to being a low-level target for various actors, and quite a few of our members have quite extensive security in place—usually in response to surveillance from their own governments, though.”
A Belarus link?
The researchers “tentatively” attributed the attacks to a group widely known as UNC1151, linked by other cybersecurity researchers to the Belarus government. They said that while there were no obvious technical links, the behavior and timing of the attacks pointed to UNC1151, also known as Ghostwriter.
Proofpoint’s analysis came after the Ukrainian government Computer Emergency Response Team said last week that “mass phishing emails have recently been observed targeting private ‘i.ua’ and ‘meta.ua’ accounts of Ukrainian military personnel and related individuals.” The aim was to take over email accounts and use contact details from the victim’s address book to send more phishing emails. The CERT blamed UNC1151, claiming its members were “officers of the Ministry of Defense of the Republic of Belarus.” Cybersecurity company Mandiant later attributed the attacks to the Belarus-linked group.
Google said yesterday it had seen the hackers “targeting Ukrainian government and military officials. We blocked these attempts and have not seen any compromise of Google accounts as a result of this campaign.” That followed Facebook saying much the same about targeting of its users in Ukraine, though it “detected attempts to target people on Facebook to post YouTube videos portraying Ukrainian troops as weak and surrendering to Russia, including one video claiming to show Ukrainian soldiers coming out of a forest while flying a white flag of surrender.”
The Belarusian Embassy in London had not responded to a request for comment at the time of publication.
Meanwhile, ESET released a report on Tuesday, indicating that cyberattacks designed to wipe Ukrainian government and business computers were launched a matter of hours before the ground invasion was initiated. As the malware had been created at least as far back as October 2021, it seemed “the attacks had been planned for several months,” the company added. At the same time, Ukrainian targets were hit with a “decoy” ransomware to distract from the destruction of computer memory. A second “wiper” malware was also launched as the ground operation got under way, ESET noted, pointing to a concerted effort to disrupt IT infrastructure.