Against backdrop of Russian-Ukraine war, researchers witness flurry of nation-aligned hacking

Polish, Ukrainian and European targets are facing a barrage of cyber operations, researchers say.
People stand with their luggage as they wait to be relocated from the temporary shelter for refugees in a former shopping center between the Ukrainian border and the Polish city of Przemysl, in Poland, on March 8, 2022. (Photo by LOUISA GOULIAMAKI/AFP via Getty Images)

Hackers believed to be associated with the governments of Russia, Belarus and China are targeting Ukraine, Poland and European governments, researchers say, ranging from espionage attempts to phishing campaigns and coinciding with the intensification of the Russian assault on Ukraine.

Shane Huntley, the director of Google’s Threat Analysis Group (TAG), said in a blog post Monday that the group has observed well-known Russian military hacking group Fancy Bear (also known as APT28) conducting several large credential phishing campaigns targeting UkrNet, a Ukrainian media company. Two recent campaigns, he said, involved newly created Blogspot domains as initial landing pages, which then redirected targets to credential phishing pages.

TAG also observed a hacking operation known as Ghostwriter, or UNC1151, running credential phishing campaigns over the past week against Polish and Ukrainian government and military organizations.

Ghostwriter refers to activity believed to be operating out of Belarus, researchers with cybersecurity firm Mandiant reported in November.


Separately, Ukraine’s Computer Emergency Response Team published details Monday about ongoing UNC1151 targeting of Ukrainian information sources with MicroBackdoor malware. That malware creates a backdoor, but also takes screenshots on target machines.

Google further said Monday that TAG identified malicious file attachments targeting European entities with lures related to the Ukrainian invasion, and attributed the activity to a China-based hacking group known variously as Mustang Panda or Temp.Hex. “Targeting of European organizations has represented a shift from Mustang Panda’s regularly observed Southeast Asian targets,” Huntley wrote.

Researchers with cybersecurity firm Proofpoint released their own detailed analysis of that Chinese activity on Monday, saying the group is targeting European diplomatic entities, including an individual involved in refugee and migrant services. While Google said the Mustang Panda hacking in Europe was a shift, Proofpoint’s analysis differed, suggesting a “multiyear campaign against diplomatic entities in Europe,” which “suggests a consistent area of responsibility.”

National Security Agency and Cyber Command chief Gen. Paul Nakasone, appearing Tuesday at a House Intelligence Committee hearing, said that overall he was surprised by the dearth of cyberattacks against Ukraine coming out of Moscow.

“In terms of Russia, they have conducted several attacks in the Ukraine, three or four primarily, which we’ve watched and and we’ve tracked very carefully,” he told the panel. “In terms of why they haven’t done more, I think that that’s obviously some of the work that the Ukrainians have done, some of the challenges that the Russians have encountered and some of the work that others have been able to prevent their actions.”


Suzanne Smalley contributed to this story.

Updated, 3/8/22: with comments from Nakasone.

Russia declared war against Ukraine on Feb. 24., 2022. Before, during and after the military campaign began, the CyberScoop staff has been tracking the cyber dimensions of the conflict.

This story was featured in CyberScoop Special Report: War in Ukraine

Latest Podcasts