Multiple government hacking groups stay busy targeting Ukraine and the region, Google researchers say
Government-backed hackers from Russia, China and Belarus have been behind a series of a series of hacking campaigns in recent weeks targeting government, industry, journalists, politicians and others, according to the latest update from Google’s Threat Analysis Group.
The Google researchers noted in an updated blog post Tuesday that in just the “past few weeks” they’ve seen at least three distinct Russian hacking groups targeting Ukraine and beyond, a Belarusian group going after “high risk individuals in Ukraine” and a Chinese hacking group running hacking campaigns against organizations in Ukraine, Russia and central Asia.
The hacking campaigns are just the latest examples of both government and non-government hacking efforts either seeking intelligence related to Russia’s invasion of Ukraine or using the invasion as a lure in phishing campaigns.
Ukrainian government officials and others continually publicize Russian hacking efforts targeting Ukraine alongside its ongoing kinetic military attacks. On April 27 Microsoft released a report detailing nearly 40 “destructive attacks” as part of Russian operations against Ukraine, which have included intelligence gathering efforts as well as operations aimed at destroying infrastructure, including portions of the Ukrainian electrical grid.
Tuesday’s update from Google offered a bit more detail on three recent and distinct Russian campaigns. The Russian military intelligence-affiliated Fancy Bear — also known as APT28 — has been targeting Ukrainians with a new variant of malware, distributed via email attachments inside of password-protected zip files, designed to steal cookies and saved passwords from Chrome, Edge and Firefox browers.
Turla, a separate and well-established Russian government group that Google ties to Russia’s Federal Security Service, has been targeting defense and cybersecurity organizations in the Baltics, the researchers said. Each target received a unique link that led to a malicious .docx file that would attempt to download a unique image file, but it’s not clear what the aim was.
And a third Russian hacking group Google refers to as Cold River — known elsewhere as Callisto — continues to use Gmail accounts to send credential phishing emails to Google and non-Google accounts, the researchers wrote Tuesday. Targets include government and defense officials, politicians, non-governmental organizations and journalists.
On March 30 Google researchers pointed to Cold River activity that, for the first time, was observed targeting the militaries of multiple Eastern European countries and a NATO Centre of Excellence. Tuesday’s update notes that the campaign’s tactics, techniques and procedures have shifted slightly from phishing links directly in the emails to also linking to Google Drive and Microsoft One Drive hosted PDFs or documents.
Ghostwriter, a Belarusian government hacking effort, continues to target “high risk individuals” in Ukraine in a credential-theft campaign using compromised websites, the researchers said, although no accounts were compromised in the latest effort.
And Curious George, a Chinese-government hacking group Google ties to People’s Liberation Army Strategic Support Force, continues targeting government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. The group’s “long running campaigns” against Russian targets continue, including against the Russian Ministry of Foreign Affairs. In just the last week, Google researchers identified unspecified “additional compromises” impacting multiple Russian defense contractors, manufacturers and an unnamed Russian logistics company.