Ukrainian officials warned Friday that Belarusian hackers are sending a wave of phishing emails targeting Ukrainian soldiers and civilians.
“Mass phishing emails have recently been observed targeting private ‘i.ua’ and ‘meta.ua’ accounts of Ukrainian military personnel and related individuals,” Ukraine’s Computer Emergency Response Team wrote in a Facebook post Friday. Both domains belong to Ukraine-based email services.
Once an account is compromised, hackers gain access to the target’s messages and their contact details, allowing them to send additional phishing emails to their contacts, the CERT said.
Ukraine’s State Service of Special Communications and Information Protection issued a separate warning Friday about a phishing attack against civilian emails containing potentially malicious attached files.
The campaigns follow a wave of phishing and distributed-denial-of-service attacks against Ukrainian public agencies by hackers since Russia decided to invade Ukraine.
Officials are pinning the phishing campaign on a Minsk-based group of hackers referred to as “UNC1151,” which is believed by several security firms to be tied to the Belarusian government. The Ukrainian government last month tied the group to a series of defacements of Ukrainian government websites.
The phishing attacks appear to be consistent with previous UNC1151 activity, said Ben Read, director of cyber espionage analysis at Mandiant. Mandiant has not seen the phishing emails, but the firm was able to tie the infrastructure reported by CERT.UA to UNC1151. The information gained from the accounts could be weaponized during occupation or potentially used in an information operation using leaked or faked information from the accounts to promote pro-Russia and pro-Belarus narratives, Read said. Mandiant previously linked UNC1151 to a complex, years-long influence operation targeting Latvia, Lithuania, and Poland.
One of the phishing emails reads: “Dear user! Your contact information or not you are a spam bot. Please, click the link below and verify your contact information. Otherwise, your account will be irretrievably deleted. Thank you for your understanding.” The emails are coming from the domains “i[.]ua-passport[.]space” and “id[.]bigmir[.]space,” UA-CERT warned.
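As an added example (not from the article or from CERT-UA), the following Python check refangs the reported lookalike domains and scans mail-log lines for senders or links whose host borrows a legitimate webmail provider’s name without actually being under that provider’s domain. The provider list, the two-label registrable-domain rule and the log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed list of legitimate Ukrainian webmail domains to protect.
LEGIT_DOMAINS = {"i.ua", "meta.ua", "bigmir.net"}

# Lookalike domains as published (defanged) in the CERT-UA warning.
REPORTED_LURES = ["i[.]ua-passport[.]space", "id[.]bigmir[.]space"]

# Constructed sample mail-log lines (not real traffic).
SAMPLE_LOG = [
    'from=<noreply@i.ua> to=<user@i.ua> subject="Receipt"',
    'from=<support@i.ua-passport.space> url=https://i.ua-passport.space/verify subject="Verify your contact information"',
    'from=<admin@id.bigmir.space> url=https://id.bigmir.space/login',
    'from=<friend@meta.ua> url=https://meta.ua/inbox',
]

def refang(indicator: str) -> str:
    """Turn the advisory's defanged form ('i[.]ua') back into a real hostname."""
    return indicator.replace("[.]", ".").lower().strip(".")

def host_of(token: str) -> str:
    """Extract a hostname from a URL, an e-mail address or a bare host token."""
    if "://" in token:
        return (urlsplit(token).hostname or "").lower()
    if "@" in token:
        return token.rsplit("@", 1)[1].lower().strip(">")
    return token.lower()

def registered_domain(host: str) -> str:
    """Naive registrable domain: last two labels (assumption; fine for .ua/.net/.space)."""
    return ".".join(host.split(".")[-2:])

def is_suspicious(host: str) -> bool:
    """True when the host is not under a legit provider but reuses a provider's name."""
    if registered_domain(host) in LEGIT_DOMAINS:
        return False  # genuine provider host, e.g. mail.i.ua
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]  # 'i', 'meta', 'bigmir'
        # Full provider name used as a prefix ("i.ua-passport.space", "i.ua.evil.example")
        if host.startswith(legit + "-") or host.startswith(legit + "."):
            return True
        # Brand appears as its own label ("id.bigmir.space"); short brands skipped to limit noise
        if len(brand) >= 4 and brand in host.split("."):
            return True
    return False

def scan(lines):
    """Return (line_no, host) for every line carrying a lookalike sender or link."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen = set()
        for token in re.findall(r"https?://\S+|\S+@\S+", line):
            host = host_of(token.rstrip(".,;"))
            if host and host not in seen and is_suspicious(host):
                seen.add(host)
                hits.append((n, host))
    return hits
```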
U.S.-based companies have urged Ukrainians to lock down their accounts. Twitter Safety provided tips to Ukrainian users on how to secure accounts, including using two-factor authentication. In addition to establishing a special operations center to monitor the conflict, Facebook on Wednesday launched a one-click tool allowing Ukrainians to lock down their accounts, head of security Nathaniel Gleicher announced on Twitter. The company deployed the same tool for Afghanistan users during the withdrawal of U.S. troops.