March 29, 2024

A growing number of threat actors are using the ongoing Russo-Ukrainian war as a lure in various phishing and malware campaigns, even as critical infrastructure entities continue to be heavily targeted.

“Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links,” Google Threat Analysis Group’s (TAG) Billy Leonard said in a report.

“Financially motivated and criminal actors are also using current events as a means for targeting users,” Leonard added.

One notable threat actor is Curious Gorge, which TAG has attributed to China People’s Liberation Army Strategic Support Force (PLA SSF) and has been observed striking government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia.

Attacks aimed at Russia have singled out several governmental entities, such as the Ministry of Foreign Affairs, with additional compromises impacting Russian defense contractors and manufacturers as well as an unnamed logistics company.

The findings follow disclosures that a China-linked government-sponsored threat actor known as Mustang Panda (aka Bronze President) may have been targeting Russian government officials with an updated version of a remote access trojan called PlugX.

Another set of phishing attacks involved APT28 (aka Fancy Bear) hackers targeting Ukrainian users with a .NET malware that’s capable of stealing cookies and passwords from Chrome, Edge and Firefox browsers.

Also implicated were Russia-based threat groups, including Turla (aka Venomous Bear) and COLDRIVER (aka Calisto), as well as a Belarusian hacking crew named Ghostwriter in different credential phishing campaigns targeting defense and cybersecurity organizations in the Baltic region and high-risk individuals in Ukraine.

Ghostwriter’s latest attacks directed victims to compromised websites, from where the users were sent to an attacker-controlled web page to harvest their credentials.

In an unrelated phishing campaign targeting entities in Eastern European countries, a previously unknown and financially motivated hacking group has been spotted impersonating a Russian agency to deploy a JavaScript backdoor called DarkWatchman onto infected computers.

IBM Security X-Force connected the intrusions to a threat cluster it’s tracking under the moniker Hive0117.

“The campaign masquerades as official communications from the Russian Government’s Federal Bailiffs Service, the Russian-language emails are addressed to users in Lithuania, Estonia, and Russia in the Telecommunications, Electronic and Industrial sectors,” the company said.

The findings come as Microsoft divulged that six different Russia-aligned actors launched at least 237 cyberattacks against Ukraine from February 23 to April 8, including 38 discrete destructive attacks that irrevocably destroyed files in hundreds of systems across dozens of organizations in the country.

The geopolitical tensions and the ensuing military invasion of Ukraine have also fueled an escalation in data wiper attacks intended to cripple mission critical processes and destroy forensic evidence.

What’s more, the Computer Emergency Response Team of Ukraine (CERT-UA) revealed details of ongoing distributed denial-of-service (DDoS) attacks directed against government and news portals by injecting malicious JavaScript (dubbed “BrownFlood”) into the compromised sites.

DDoS attacks have been reported beyond Ukraine as well. Last week, Romania’s National Directorate of Cyber ​​Security (DNSC) disclosed that several websites belonging to public and private institutions were “targeted by attackers who aimed to make these online services unavailable.”

The attacks, claimed by a pro-Russian collective called Killnet, come in response to Romania’s decision to support Ukraine in the military conflict with Russia.