One indication of the broad scope of cyberattacks in Ukraine is a phishing campaign focused on breaking into the email accounts of the country's military personnel and potentially using them to spread disinformation.
The campaign is being carried out by UNC1151, a threat group that was initially believed to be Russia-based but which Mandiant last November linked to the government of Belarus and its military intelligence organization.
Ukraine's Computer Emergency Response Team (CERT-UA) on Friday reported that the hacking group was sending mass phishing emails to the accounts of members of the country's military and people associated with them. When the group has been able to compromise an account, it has accessed the victim's email messages and used contact details from their address books to send more phishing emails. CERT-UA's alert described UNC1151 as a Minsk-based group whose members are officers of Belarus' ministry of defense.
In a statement, Mandiant director Ben Read said the company's researchers are tracking reports of UNC1151 conducting widespread phishing of Ukrainian individuals. The security vendor said that it had not seen the phishing emails being used in the campaign but was able to tie the infrastructure that CERT-UA reported to UNC1151. The activity is consistent with the threat actor's extensive targeting of the Ukrainian military over the past two years, Mandiant said.
“These actions by UNC1151, which we believe is linked to the Belarusian military, are concerning because personal data of Ukrainian citizens and military can be exploited in an occupation scenario” to spread disinformation, Read said. “Leaking misleading or fabricated documents taken from Ukrainian entities could be leveraged to promote Russia- and Belarus-friendly narratives,” Read warned.
Mandiant's concerns about UNC1151's latest phishing campaign in Ukraine are tied to the group's connection to GhostWriter, a large disinformation campaign that has been going on for more than four years. The GhostWriter campaign's primary focus has been to spread false narratives about US and NATO interests in Eastern Europe. Examples include fake news articles about NATO nuclear weapons deployment in the region, alleged war crimes by NATO troops, and stories about NATO troops spreading COVID-19 in Eastern Europe.
Weeks before Mandiant's report linking UNC1151 to Belarus, the Council of the European Union and the German government formally identified Russia as the operator of the Ghostwriter campaign. That assessment followed a series of cyberattacks that the German government determined were designed to influence the outcome of its parliamentary elections last September.
Mandiant itself has noted that while it has been able to link UNC1151 and GhostWriter to Belarus, the company could not rule out involvement by other countries, notably Russia. Mandiant has pointed to the close relationship between the Russian and Belarusian governments and the former's strong cyber espionage and information operations capabilities as an explanation for its assessment.
Like Mandiant, security vendor RiskIQ also reported that it is tracking UNC1151 activity. In an advisory, RiskIQ said it had analyzed the phishing domains that CERT-UA identified UNC1151 as using in the latest phishing campaign. That analysis led to the discovery of more than three dozen similar additional phishing domains that the threat actor is currently using or may have used in the past, RiskIQ said.
“RiskIQ was able to identify additional domains and infrastructure associated with the campaign based off the information the CERT-UA provided in their original post,” says Steve Ginty, director, threat intelligence at RiskIQ. “But we do not have insight into the phishing emails being sent at this time.” Historically, the UNC1151 group has registered typo-squatting domains spoofing mail providers and generic login pages in order to harvest victims' login credentials, he adds.