Hackers and hacking groups have been busy finding new ways to use the war in Ukraine as a lure in their phishing and malware campaigns. Organizations and possibly individuals based in Russia, China, North Korea, and Iran are just some of the government-backed — and, occasionally, independent — bad actors who have used various war-related themes to get people to click on malicious links. While many of these attacks aren’t always sophisticated, they can be hard to detect and block, so tech giants like Google have to have their own cybersecurity army at work 24/7.
Google’s Threat Analysis Group (TAG) just published a new report on threats from bad actors in Eastern Europe, indicating a rise in attacks. The report also illustrates how financially motivated hackers use current events to target victims with the example of a ruse in which attackers impersonate someone from the military to extort money that will supposedly go to rescue relatives in Ukraine. But more than that, TAG has also seen evidence that multiple ransomware brokers are still in operation — all taking advantage of attention on global events to continue criminal activity.
TAG spotlights three groups it has been watching closely and gives a thumbnail sketch of each group’s activity. First, there’s “Curious Gorge,” a group connected to China’s People’s Liberation Army Strategic Support Force, or PLA SSF. Gorge, according to TAG, has taken action against organizations with military and government connections in Ukraine, Russia, Kazakhstan, and Mongolia. So far, this hasn’t affected Google products, TAG says, but they remain vigilant.
The second group mentioned is ColdRiver, AKA Calisto, which TAG indicates is based in Russia. The group has launched phishing campaigns against US companies, an Eastern European military organization, and a defense contractor based in Ukraine. Significantly, TAG reports Coldriver has recently changed tactics and begun going after military outfits all over the Eastern bloc in addition to NATO. The report lists the hackers’ phishing domains, including innocuous-sounding URLs like protect-link[.]online and drive-share[.]live.
Finally, TAG spotlights the Belarusian group Ghostwriter, which presents a unique threat because the hackers have already incorporated the relatively new and devious Browser in the Browser (BitB) attack. This lure essentially presents the unwary with what looks like a legitimate login popup window, down to the very URL (usually the part hackers struggle to fake). However, if you enter your information, it gets sent to the software operator’s command and control servers.
Even as Google security analysts are actively monitoring hacking related to Ukraine and Russia, they are aware other cyberattackers with different motivations will try to slip by and pull off new schemes. TAG says that it remains vigilant in general and will continue to take action to try and prevent future attacks through alerts sharing key information — so the focus on Eastern Europe doesn’t mean hackers can get away with attacks elsewhere.
Read Next
About The Author
