Ukrainian cyber officials warn of new wave of phishing attacks

U.S. companies are also advising Ukrainians to lock down their accounts.
People hide in a bomb shelter in Kyiv in the early hours of February 25, 2022. (Photo by SERGEI CHUZAVKOV/AFP via Getty Images)

Ukrainian officials warned Friday that Belarusian hackers are sending a wave of phishing emails targeting Ukrainian soldiers and civilians.

“Mass phishing emails have recently been observed targeting private ‘’ and ‘’ accounts of Ukrainian military personnel and related individuals,” Ukraine’s Computer Emergency Response Team wrote in a Facebook post Friday. Both URLs belong to Ukraine-based email services.

Once an account is compromised, hackers gain access to the target’s messages and their contact details, allowing them to send additional phishing emails to their contacts, the CERT said.

Ukraine’s State Service of Special Communications and Information Protection issued a separate warning Friday about a phishing attack against civilian emails containing potentially malicious attached files.


The campaigns follow a wave of phishing and distributed-denial-of-service attacks against Ukrainian public agencies by hackers since Russia decided to invade Ukraine.

Officials are pinning the phishing campaign on a Minsk-based group of hackers referred to as “UNC1151,” which is believed by several security firms to be tied to the Belarusian government. The Ukrainian government last month tied the group to a series of defacements of Ukrainian government websites.

The phishing attacks appear to be consistent with previous UNC1151 activity, said Ben Read, director of cyber espionage analysis at Mandiant. Mandiant has not seen the phishing emails, but the firm was able to tie the infrastructure reported by CERT.UA to UNC1151. The information gained from the accounts could be weaponized during occupation or potentially used in an information operation using leaked or faked information from the accounts to promote pro-Russia and pro-Belarus narratives, Read said. Mandiant previously linked UNC1151 to a complex, years-long influence operation targeting Latvia, Lithuania, and Poland.

One of the phishing emails reads: “Dear user! Your contact information or not you are a spam bot. Please, click the link below and verify your contact information. Otherwise, your account will be irretrievably deleted. Thank you for your understanding.” The emails are coming from the URLs “i[.]ua-passport[.]space” and “id[.]bigmir[.]space,” UA-CERT warned.


U.S.-based companies have urged Ukrainians to lock down their accounts. Twitter Safety provided tips to Ukraine users on how to secure accounts including using two-factor authentication. In addition to establishing a special operations center to monitor the conflict, Facebook on Wednesday launched a one-click tool allowing Ukrainians to lock down their accounts, head of security Nathaniel Gleicher announced on Twitter. The company deployed the same tool for Afghanistan users during the withdrawal of U.S. troops.

Russia declared war against Ukraine on Feb. 24, 2022. Before, during and after the military campaign began, the CyberScoop staff has been tracking the cyber dimensions of the conflict.

This story was featured in CyberScoop Special Report: War in Ukraine

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.
