Written by AJ Vicens
Hackers suspected of working on behalf of the governments of Russia, Belarus and China are targeting Ukrainian, Polish and other European government organizations with activity ranging from espionage to phishing campaigns, researchers say, coinciding with the intensification of Russia's assault on Ukraine.
Shane Huntley, director of Google’s Threat Analysis Group (TAG), said in a blog post on Monday that the group observed the well-known Russian military hacking group Fancy Bear (also known as APT28) carrying out several large credential phishing campaigns aimed at UkrNet, a Ukrainian media company. Two recent campaigns, he said, used newly created Blogspot domains as the initial landing pages, so the first link a target clicks sits on a reputable Google-owned domain, which then redirected targets to the credential phishing pages.
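The redirect pattern TAG describes (a freshly created Blogspot page that bounces the visitor to a login page on another domain) leaves a recognisable trace in web-proxy logs. The script below is an added example, not code from the TAG post or from Google: it parses a constructed proxy log, stitches each client's 3xx responses into redirect chains, and flags any chain that begins on a `*.blogspot.com` host and ends outside Google-owned domains, marking whether the final path looks like a login page. The log format, the `GOOGLE_OWNED` allowlist and every domain in `SAMPLE_LOG` are assumptions made up for the example.

```python
"""Flag proxy-log redirect chains that start on a Blogspot page and land on an
external login-like page. Added example; not Google TAG tooling."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic). Space-separated fields:
#   timestamp client method url status [Location header, present on 3xx]
SAMPLE_LOG = """\
2022-03-07T09:12:01Z 10.0.0.5 GET https://account-notice-2022.blogspot.com/2022/03/notice.html 302 https://login-verify.example/ukr/auth
2022-03-07T09:12:02Z 10.0.0.5 GET https://login-verify.example/ukr/auth 200
2022-03-07T09:15:10Z 10.0.0.7 GET https://travel-diary.blogspot.com/2022/02/trip.html 301 https://travel-diary.blogspot.com/2022/02/trip.html?m=1
2022-03-07T09:15:11Z 10.0.0.7 GET https://travel-diary.blogspot.com/2022/02/trip.html?m=1 200
2022-03-07T09:20:00Z 10.0.0.9 GET https://news.example/article 302 https://news.example/article/amp
2022-03-07T09:20:01Z 10.0.0.9 GET https://news.example/article/amp 200
"""

REDIRECT_CODES = {301, 302, 303, 307, 308}
# Destinations a Blogspot page may legitimately redirect to (assumed allowlist).
GOOGLE_OWNED = ("blogspot.com", "blogger.com", "google.com", "youtube.com")
LOGIN_PATH = re.compile(r"(login|signin|sign-in|auth|verify|account|password)", re.I)


@dataclass
class Hit:
    ts: str
    client: str
    method: str
    url: str
    status: int
    location: Optional[str]


def parse_line(line: str) -> Hit:
    parts = line.split()
    if len(parts) < 5:
        raise ValueError(f"malformed log line: {line!r}")
    ts, client, method, url, status = parts[:5]
    location = parts[5] if len(parts) > 5 else None
    return Hit(ts, client, method, url, int(status), location)


def parse_log(text: str) -> List[Hit]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_google_owned(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in GOOGLE_OWNED)


def build_chains(hits: List[Hit]) -> List[List[Hit]]:
    """Per client, join a 3xx hit to the next request when that request's URL
    equals the Location header; each resulting list is one redirect chain."""
    by_client: Dict[str, List[Hit]] = defaultdict(list)
    for h in hits:
        by_client[h.client].append(h)
    chains: List[List[Hit]] = []
    for seq in by_client.values():
        i = 0
        while i < len(seq):
            chain = [seq[i]]
            while (chain[-1].status in REDIRECT_CODES and chain[-1].location
                   and i + 1 < len(seq) and seq[i + 1].url == chain[-1].location):
                i += 1
                chain.append(seq[i])
            chains.append(chain)
            i += 1
    return chains


def flag_blogspot_redirects(chains: List[List[Hit]]) -> List[dict]:
    """Blogspot landing page -> non-Google final destination is the suspicious shape."""
    findings = []
    for chain in chains:
        first, last = chain[0], chain[-1]
        if not host_of(first.url).endswith(".blogspot.com"):
            continue
        if len(chain) < 2 or is_google_owned(host_of(last.url)):
            continue  # stayed within Google properties: ordinary Blogger behaviour
        findings.append({
            "client": first.client,
            "landing": first.url,
            "final": last.url,
            "login_like": bool(LOGIN_PATH.search(urlsplit(last.url).path)),
        })
    return findings


def analyze(text: str) -> List[dict]:
    return flag_blogspot_redirects(build_chains(parse_log(text)))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The allowlist matters: Blogger itself redirects between `blogspot.com` hosts (for example to the mobile view), so a rule that fires on every redirect off a Blogspot page would be noisy; the interesting signal is the hop to a host the blog platform has no reason to send you to, especially one whose path looks like an authentication page.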
TAG has also observed a hacking operation known as Ghostwriter, or UNC1151, conducting credential phishing campaigns over the past week against Polish and Ukrainian government and military organizations.
Ghostwriter is a cluster of activity that researchers at cybersecurity firm Mandiant linked to Belarus in a November report.
Separately, Ukraine's Computer Emergency Response Team released details Monday of ongoing UNC1151 targeting of Ukrainian news sources with MicroBackdoor malware, which in addition to giving the operators remote access to the compromised machine also captures screenshots from it.
Google further said on Monday that TAG had identified malicious attachments targeting European entities with decoys related to the Ukrainian invasion, and attributed the activity to a China-based hacking group known as Mustang Panda or Temp.Hex. “The targeting of European organizations represented a shift from the targets regularly seen in Southeast Asia by Mustang Panda,” Huntley wrote.
Researchers from cybersecurity firm Proofpoint, which tracks the group as TA416, released their own detailed analysis of this Chinese activity on Monday, saying the group targeted European diplomatic entities, including a person involved in refugee and migrant services. While Google characterized the Mustang Panda activity in Europe as a shift in targeting, Proofpoint’s analysis differed, describing a “multi-year campaign against diplomatic entities in Europe”, which “suggests a consistent area of responsibility”.