Elite hackers associated with Russia’s military intelligence service have been linked to large-volume phishing campaigns aimed at hundreds of users in Ukraine to extract intelligence and influence public discourse related to the war.
Google’s Threat Analysis Group (TAG), which is monitoring the activities of the actor under the name FROZENLAKE, said the attacks continue the “group’s 2022 focus on targeting webmail users in Eastern Europe.”
The state-sponsored cyber actor, also tracked as APT28, Fancy Bear, Forest Blizzard, Iron Twilight, Sednit, and Sofacy, is both highly active and proficient. It has been active since at least 2009, targeting media, government, and military entities for espionage.
The latest intrusion set, starting in early February 2023, involved the use of reflected cross-site scripting (XSS) attacks on several Ukrainian government websites to redirect users to phishing domains and capture their credentials.
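Reflected XSS used as a redirector, as described above, leaves a trace in the target site’s own access logs: the injected payload or the off-site destination arrives inside a query parameter, often percent-encoded more than once. The following is an added example (not code from Google TAG or from the original article) of the kind of log review a defender might run to surface such requests. The log format, parameter names, hostnames and log lines are all constructed for illustration; `TRUSTED_HOSTS` is an assumed allow-list of legitimate redirect targets.

```python
"""Scan web access logs for query parameters that carry HTML/JS injection
markers or that point a redirect at a host outside an allow-list.

Added example, not code from Google TAG or the original article. Log format,
hostnames and the allow-list below are constructed for illustration.
"""
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Hosts a redirect parameter may legitimately point at (assumed for the demo).
TRUSTED_HOSTS = {"gov.example.ua"}

# Markers of script/markup injection, checked after full decoding.
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:|on\w+\s*=|<\s*iframe", re.I)

# Combined-log-style line: client IP, request line, status. Other fields ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one benign search, one script payload aimed at a
# look-alike mail domain, one trusted redirect, one off-site redirect, and one
# double-encoded payload.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Feb/2023:10:12:01 +0200] "GET /search?q=budget+2023 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [03/Feb/2023:10:12:05 +0200] "GET /search?q=%3Cscript%3Elocation%3D%27https%3A%2F%2Fmail-login.example.net%27%3C%2Fscript%3E HTTP/1.1" 200 4870',
    '198.51.100.4 - - [03/Feb/2023:10:13:40 +0200] "GET /login?next=https%3A%2F%2Fgov.example.ua%2Fhome HTTP/1.1" 302 0',
    '198.51.100.5 - - [03/Feb/2023:10:14:02 +0200] "GET /login?next=https%3A%2F%2Fwebmail-ua.example.net%2Fauth HTTP/1.1" 302 0',
    '203.0.113.9 - - [03/Feb/2023:10:15:11 +0200] "GET /news?id=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 3300',
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; stops early once decoding is stable."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_param(name: str, value: str) -> Optional[str]:
    """Return 'reflected-xss', 'offsite-redirect', or None for a single parameter."""
    value = decode_fully(value)
    if XSS_MARKERS.search(value):
        return "reflected-xss"
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") and parts.hostname and parts.hostname not in TRUSTED_HOSTS:
        return "offsite-redirect"
    return None


def scan_log(lines):
    """Parse each log line, inspect every query parameter, and collect findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        target = urlsplit(m.group("target"))
        # parse_qsl performs one round of percent-decoding itself.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            kind = classify_param(name, value)
            if kind:
                findings.append({
                    "ip": m.group("ip"),
                    "path": target.path,
                    "param": name,
                    "kind": kind,
                    "status": int(m.group("status")),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['kind']:17} {f['ip']:14} {f['path']} param={f['param']} status={f['status']}")
```

Two points in the design matter in practice: decoding is repeated until stable, because a single `unquote` pass misses double-encoded payloads like the last sample line; and the redirect check is an allow-list on the hostname rather than a block-list, since the look-alike domains used in these campaigns cannot be enumerated in advance.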
The disclosure comes as U.K. and U.S. intelligence and law enforcement agencies released a joint advisory warning of APT28’s attacks exploiting an old, known vulnerability in Cisco routers to deploy malware known as Jaguar Tooth.
FROZENLAKE is far from the only actor focused on Ukraine since Russia’s military invasion of the country over a year ago. Another notable adversarial collective is FROZENBARENTS – aka Sandworm, Seashell Blizzard (née Iridium), or Voodoo Bear – which has engaged in a sustained effort to target organizations affiliated with the Caspian Pipeline Consortium (CPC) and other energy sector entities in Eastern Europe.
Both groups have been attributed to the General Staff Main Intelligence Directorate (GRU), with APT28 tied to the 85th Special Service Center (GTsSS) military intelligence unit 26165. Sandworm, on the other hand, is believed to be part of GRU’s Unit 74455.
The credential harvesting campaign targeted CPC employees with phishing links delivered via SMS. The attacks against the energy vertical distributed links to fake Windows update packages that ultimately executed an information stealer known as Rhadamanthys to exfiltrate passwords and browser cookies.
FROZENBARENTS, dubbed the “most versatile GRU cyber actor,” has also been observed launching credential phishing attacks targeting the Ukrainian defense industry, military, and Ukr.net webmail users starting in early December 2022.
The threat actor is said to have further established online personas across YouTube, Telegram, and Instagram to disseminate pro-Russian narratives, leak information stolen from compromised organizations, and post targets for distributed denial-of-service (DDoS) attacks.
“FROZENBARENTS has targeted users associated with popular channels on Telegram,” TAG researcher Billy Leonard said. “Phishing campaigns delivered via email and SMS spoofed Telegram to steal credentials, sometimes targeting users following pro-Russia channels.”
A third threat actor of interest is PUSHCHA (aka Ghostwriter or UNC1151), a Belarusian government-backed group that is known to act on behalf of Russian interests, with its targeted phishing attacks singling out Ukrainian webmail providers such as i.ua and meta.ua to siphon credentials.
Google TAG also highlighted a set of attacks mounted by the group behind Cuba ransomware to deploy RomCom RAT in Ukrainian government and military networks.
“This represents a significant shift from this actor’s traditional ransomware operations, behaving more similarly to an actor conducting operations for intelligence collection,” Leonard noted.
Some parts of this article are sourced from:
thehackernews.com