As the war in Ukraine ebbs and flows, with today's ceasefire arrangements and efforts to safely evacuate the civilian population, the conflict still rages on in cyberspace. According to reports by Google's Threat Analysis Group, two APTs supporting the Russian government are attacking Ukrainian targets and one Chinese outfit is using the current situation to strike at European targets.
Russian and Chinese APTs target Ukraine, Europe
The two pro-Russian entities Google highlights as spearheading the current cyberattacks on Ukrainian targets are Fancy Bear, also known as APT28, and Ghostwriter - an advanced persistent threat group that was linked with Belarus in late 2021.
Google is also reporting an uptick in activity from Mustang Panda, an APT linked with Chinese actors. The Chinese outfit is currently targeting entities based in Europe, using phishing lures related to the ongoing conflict and the refugee influx in a number of European countries.
The phishing attacks launched by pro-Russian APTs use previously compromised email addresses and redirect potential victims to pages controlled by the APT - largely standard phishing procedure. Google spotted Ghostwriter launching phishing campaigns against both Ukrainian and Polish military and government entities.
Google reported that a number of domains used for credential phishing have already been blocked through Google's Safe Browsing functionality. The domains included unusual names such as "i dot ua-passport dot top" and "login dot credentials-email dot space".
Mustang Panda takes advantage of current refugee situation
Meanwhile, China's Mustang Panda is sending out phishing lures to European entities, attaching malicious files to the emails with names that suggest important information or urgency. Google's report mentions attachments with file names such as "Situation at the EU borders with Ukraine.zip". The attachment would contain an executable file that works as a downloader for the final payload.
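For mail-gateway triage of the lure type described above (a ZIP attachment carrying an executable), the following is an added example, not code from Google's report. It flags archive members by PE header or extension; the function names, the extension list and the inner file name are assumptions, and the sample message is constructed with a harmless stub.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, non-exhaustive list of extensions treated as executable content.
EXEC_EXTS = (".exe", ".scr", ".com", ".dll", ".lnk", ".js", ".vbs", ".bat")

def flag_zip_members(zip_bytes):
    """Return (name, reason) for each archive member that looks executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: content cannot be inspected
                findings.append((info.filename, "encrypted member"))
                continue
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ":  # DOS/PE header, whatever the file is named
                findings.append((info.filename, "PE header (MZ)"))
            elif info.filename.lower().endswith(EXEC_EXTS):
                findings.append((info.filename, "executable extension"))
    return findings

def scan_message(raw):
    """Scan every ZIP attachment of a raw e-mail; return findings per attachment name."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            report[part.get_filename()] = flag_zip_members(data)
    return report

def build_sample():
    """Constructed sample: inert 'MZ' stub under a made-up document-like name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Situation report.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"constructed benign text")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Situation at the EU borders with Ukraine.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Checking the first two bytes rather than only the extension catches executables that have been renamed to look like documents.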
Google's Threat Analysis Group has already made the necessary arrangements and has notified all entities and authorities in the countries targeted by the phishing campaigns.