Google’s Threat Analysis Group said on Wednesday that it has seen evidence indicating a range of state-backed threat actors are using the recent invasion of Ukraine to steal credentials through malicious emails and links.
In a blog post, Google’s Billy Leonard said a “growing number” of financially-motivated groups as well as government-backed actors from China, Iran, North Korea and Russia are using the war as a pretext for several different kinds of attacks.
“For example, one actor is impersonating military personnel to extort money for rescuing relatives in Ukraine. TAG has also continued to observe multiple ransomware brokers continuing to operate in a business as usual sense,” Leonard wrote.
Google explicitly named three groups with ties to governments. Curious Gorge, a group they attributed to China’s People’s Liberation Army Strategic Support Force, was accused of targeting government and military organizations in Ukraine, Russia, Kazakhstan and Mongolia.
A Russian-based threat actor, COLDRIVER, was accused of targeting several US-based NGOs, think tanks, the military of a Balkans country and a Ukrainian defense contractor with credential phishing campaigns.
“However, for the first time, TAG has observed COLDRIVER campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence,” Leonard explained, adding that the group is sometimes known as Calisto.
A phishing example on compromised sites. Image: Google TAG
“These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown. We have not observed any Gmail accounts successfully compromised during these campaigns.”
Google also said Ghostwriter, a previously-identified group allegedly from Belarus, has added the ‘Browser in the Browser’ phishing technique to its arsenal of tools.
The technique – which spoofs a legitimate domain by simulating a browser window within the browser – has drawn media attention over the last two weeks after a security researcher who goes by the handle mrd0x on Twitter released a detailed blog about the tactic.
“While TAG has previously observed this technique being used by multiple government-backed actors, the media picked up on this blog post, publishing several stories highlighting this phishing capability,” Leonard said.
“Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites. The new technique, displayed below, draws a login page that appears to be on the passport.i.ua domain, overtop of the page hosted on the compromised site. Once a user provides credentials in the dialog, they are posted to an attacker controlled domain.”
The blog post from Google includes recently observed IPs and credential phishing domains seen in the attacks by these groups.
Google’s Threat Analysis Group has released several blog posts about the threats they’re seeing in relation to the conflict in Ukraine, previously highlighting the work of groups like FancyBear/APT28, Ghostwriter and Mustang Panda.