Ukraine’s Computer Emergency Response Team (CERT-UA) has issued a warning regarding cyber attacks orchestrated by Belarusian state-sponsored hackers, aimed at military personnel and associated individuals amid the ongoing conflict in Ukraine. This phishing campaign is significant as it targets accounts affiliated with the Ukrainian military, specifically personal accounts hosted on ‘i.ua’ and ‘meta.ua.’
CERT-UA reported that numerous phishing emails have been detected, indicating that the attackers rely on social engineering to compromise these accounts. Once they gain access, the hackers use the IMAP protocol to download all stored messages and exploit their contents. The breach also lets them harvest the contacts in the victim's address book and use them to send further phishing emails to additional targets.
The Ukrainian government has attributed these malicious activities to a group designated as UNC1151, identified as a Minsk-based entity associated with the Belarusian Ministry of Defence. In an update, CERT-UA pointed out that UNC1151 not only aims its efforts at Ukrainian individuals but also targets its own citizens and entities within Russia. These include various organizations such as the Association of Belarusians of the World, the Belarusian Music Festival, and local media such as the Soviet Belarus newspaper.
Mandiant classified UNC1151 as an uncategorized threat cluster acting in alignment with the geopolitical interests of the Belarusian government, noting the group’s operational history dating back to at least 2016. Their activities have extended across multiple jurisdictions, particularly within Ukraine, the Baltic states, and other European nations. The group’s actions also encompass cyber espionage efforts targeting dissidents, media outlets, and journalists.
Furthermore, UNC1151's cyber espionage capabilities appear to be coupled with disinformation operations, such as the Ghostwriter campaign, which aimed to delegitimize NATO and foster anti-government sentiment in neighbouring countries. Recent incidents, including defacement attacks on Ukrainian government websites that spread hostile messaging, have also been linked to this threat actor.
This uptick in malicious activity coincides with widespread data-wiper and distributed denial-of-service (DDoS) attacks directed at Ukrainian government infrastructure. Various hacking factions and ransomware groups are exploiting the ongoing conflict to further their own agendas, creating a complex cybersecurity threat landscape.
Among those actively opposing the Russian government is the hacktivist collective known as Anonymous, which has declared a cyber offensive against Moscow, asserting attacks against civilian infrastructure and government websites. Concurrently, hacktivist groups like GhostSec have claimed responsibility for multiple DDoS operations against Russian military sites, further showcasing the division within the hacking community as they align with opposing geopolitical sides.
On the other hand, the notorious Conti ransomware group has publicly aligned its operations with the Russian government, threatening counterattacks against perceived adversaries. Despite a later, ambiguously worded claim that it does not side with any government, the group's statements reveal a troubling inclination towards retaliation against any cyber activity targeting Russian assets.
These developments have prompted the Ukrainian government to form a volunteer “IT Army,” rallying skilled digital practitioners to engage in cyber operations against Russian targets. Minister for Digital Transformation Mykhailo Fedorov announced on social media the need for digital talents as they prepared to launch coordinated cyber offensives against Russian and Belarusian corporate and governmental entities.
The situation underscores the dynamic and troubling interplay between state-sponsored cyber operations and independent hacktivist groups, creating a hybrid conflict environment that poses significant cybersecurity risks across the region. As hostile actions continue, business owners and professionals must remain vigilant in their cybersecurity posture, drawing on the tactics catalogued in the MITRE ATT&CK framework, particularly those relating to initial access, credential theft, and phishing.