Threat actors using Ukraine war as lure in phishing campaigns: Google

According to TAG, financially motivated and criminal actors are using Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links. For instance, one such threat actor is impersonating military personnel to extort money for rescuing relatives in Ukraine.


Devdiscourse News Desk | California | Updated: 31-03-2022 08:43 IST | Created: 31-03-2022 08:43 IST

Google's Threat Analysis Group (TAG) said on Wednesday that a growing number of government-backed threat actors from China, Iran, North Korea and Russia as well as various unattributed groups are using the Ukraine war as a lure in phishing and malware campaigns.


"The team continues to work around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information. While we are actively monitoring activity related to Ukraine and Russia, we continue to be just as vigilant in relation to other threat actors globally, to ensure that they do not take advantage of everyone’s focus on this region," Billy Leonard, Threat Analysis Group, wrote in a blog post.

Leonard shared the following findings in the blog post:

  • Curious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia.
  • COLDRIVER, a Russia-based threat actor, aka Calisto, has launched credential phishing campaigns, targeting several US-based NGOs and think tanks, the military of a Balkans country, and a Ukraine-based defense contractor. For the first time, TAG has observed COLDRIVER campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence.
  • Ghostwriter, a Belarusian threat actor, has quickly adopted a 'Browser in the Browser' phishing technique and combined it with a previously observed technique, hosting credential phishing landing pages on compromised sites. Once a user provides credentials, they are posted to an attacker-controlled domain.

To get a deeper look at the campaign activity, read the official blog post.
