Ukraine War

A growing number of threat actors[1] are using the ongoing
Russo-Ukrainian war as a lure in various phishing and malware
campaigns, even as critical infrastructure entities continue to be
heavily targeted.

“Government-backed actors from China, Iran, North Korea and
Russia, as well as various unattributed groups, have used various
Ukraine war-related themes in an effort to get targets to open
malicious emails or click malicious links,” Google Threat Analysis
Group’s (TAG) Billy Leonard said[2]
in a report.

“Financially motivated and criminal actors are also using
current events as a means for targeting users,” Leonard added.

One notable threat actor is Curious Gorge, which TAG has
attributed to China's People's Liberation Army Strategic Support
Force (PLA SSF) and has been observed striking government,
military, logistics and manufacturing organizations in Ukraine,
Russia and Central Asia.

Attacks aimed at Russia have singled out several governmental
entities, such as the Ministry of Foreign Affairs, with additional
compromises impacting Russian defense contractors and manufacturers
as well as an unnamed logistics company.

The findings follow disclosures that a China-linked
government-sponsored threat actor known as Mustang Panda (aka
Bronze President) may have been targeting Russian government
officials[3] with an updated version
of a remote access trojan called PlugX.

Another set of phishing attacks involved APT28 (aka Fancy Bear)
hackers targeting Ukrainian users with a .NET malware that’s
capable of stealing cookies and passwords from Chrome, Edge and
Firefox browsers.

Also implicated were Russia-based threat groups, including Turla
(aka Venomous Bear) and COLDRIVER[4]
(aka Calisto), as well as a Belarusian hacking crew named
Ghostwriter in different credential phishing campaigns targeting
defense and cybersecurity organizations in the Baltic region and
high-risk individuals in Ukraine.


Ghostwriter’s latest attacks directed victims to compromised
websites, from which the users were redirected to an
attacker-controlled web page that harvested their credentials.

In an unrelated phishing campaign targeting entities in Eastern
European countries, a previously unknown and financially motivated
hacking group has been spotted impersonating a Russian agency to
deploy a JavaScript backdoor called DarkWatchman[5]
onto infected computers.

IBM Security X-Force connected the intrusions to a threat
cluster it’s tracking under the moniker Hive0117.

“The campaign masquerades as official communications from the
Russian Government’s Federal Bailiffs Service, the Russian-language
emails are addressed to users in Lithuania, Estonia, and Russia in
the Telecommunications, Electronic and Industrial sectors,” the
company said[6].


The findings come as Microsoft divulged[7]
that six different Russia-aligned actors launched at least 237
cyberattacks against Ukraine from February 23 to April 8, including
38 discrete destructive attacks that irrevocably destroyed files in
hundreds of systems across dozens of organizations in the
country.

The geopolitical tensions and the ensuing military invasion of
Ukraine have also fueled an escalation in data wiper attacks[8] intended to cripple
mission-critical processes[9] and destroy forensic
evidence.

What’s more, the Computer Emergency Response Team of Ukraine
(CERT-UA) revealed[10] details of ongoing
distributed denial-of-service (DDoS) attacks against government
and news portals, carried out by injecting malicious JavaScript
(dubbed “BrownFlood”) into compromised websites.

DDoS attacks have been reported beyond Ukraine as well. Last
week, Romania’s National Directorate of Cyber Security (DNSC)
disclosed[11] that several websites
belonging to public and private institutions were “targeted by
attackers who aimed to make these online services unavailable.”

The attacks, claimed by a pro-Russian collective called Killnet,
come in response to Romania’s decision to support Ukraine in the
military conflict with Russia.

References

1. growing number of threat actors (thehackernews.com)
2. said (blog.google)
3. targeting Russian government officials (thehackernews.com)
4. COLDRIVER (thehackernews.com)
5. DarkWatchman (thehackernews.com)
6. said (securityintelligence.com)
7. divulged (thehackernews.com)
8. escalation in data wiper attacks (www.fortinet.com)
9. mission critical processes (thehackernews.com)
10. revealed (cert.gov.ua)
11. disclosed (dnsc.ro)