The ongoing digital conflict linked to Russia’s invasion of Ukraine has escalated, with various threat actors, including Fancy Bear, Ghostwriter, and Mustang Panda, engaging in phishing campaigns targeting not only Ukraine but also Poland and other European nations. These cyber threats come as the geopolitical landscape remains tense, highlighting the cybersecurity risks faced by businesses and government entities in these regions.

Google’s Threat Analysis Group (TAG) reported the takedown of two Blogspot domains exploited by Fancy Bear—also known as APT28, a group with ties to Russia’s GRU military intelligence. These domains served as landing pages for social engineering attacks aimed at deceiving victims into divulging sensitive information. This action was taken shortly after alerts from the Computer Emergency Response Team of Ukraine (CERT-UA), which warned users of Ukr.net about phishing attempts leveraging compromised accounts to redirect victims to credential harvesting sites.

Webmail users across multiple platforms, including Ukr.net, Yandex.ru, and others, have been targeted by Ghostwriter, a Belarusian cyber actor. Shane Huntley, director of Google TAG, indicated that this group has also conducted credential phishing campaigns against government and military organizations in both Poland and Ukraine over the past week. The attacks employ techniques often cataloged within the MITRE ATT&CK framework, including initial access via phishing and credential dumping.

CERT-UA subsequently revealed a significant cyber assault attributed to Ghostwriter, which involved deploying malware known as MicroBackdoor. The malware was delivered to compromised systems disguised as a Microsoft Compiled HTML Help (CHM) file, a stealthy delivery method typical of advanced persistent threats.

Meanwhile, Mustang Panda, a China-based threat actor, has attempted to infiltrate targeted European entities using tactics related to the ongoing Ukrainian crisis. This group was previously linked to a multi-year campaign against diplomatic sectors in Europe, underscoring the global nature of current cyber threats. Enterprise security firm Proofpoint confirmed these findings, detailing how these actors utilized phishing tactics to facilitate their operations.

The broader context reveals a surge in distributed denial-of-service (DDoS) attacks aimed at Ukrainian websites, including those of key government ministries and independent services like Liveuamap. The State Service of Special Communications and Information Protection of Ukraine (SSSCIP) reported that some of the most powerful DDoS attacks peaked at over 100 Gbps. Despite such relentless assaults, Ukrainian government websites have remained operational, indicating resilience amidst sustained cyber onslaughts.

Amidst the chaos, the Anonymous hacking collective claimed responsibility for taking down the Russian Federal Security Service’s website and disrupting live broadcasts from Russian television networks, reflecting the active countermeasures employed by various non-state actors in response to state-sponsored cyber aggression.

This evolving landscape is further complicated by Russia’s recent actions to restrict internet access within its borders, coinciding with many U.S.-based tech companies severing ties with Russian entities. This move has created what some are calling an “iron curtain,” limiting online resources and communication options for Russian citizens.

As businesses assess their vulnerabilities, it is critical to remain vigilant against these multifaceted cyber threats. Understanding the tactics outlined in the MITRE ATT&CK framework can assist organizations in fortifying their defenses against both state-sponsored and independent cyber attacks, which continue to evolve in complexity and execution.
