In a coordinated effort, at least three advanced persistent threat (APT) groups have initiated spear-phishing campaigns, exploiting the ongoing Russo-Ukrainian conflict as a pretext for distributing malware and extracting sensitive information. These campaigns have been attributed to the groups El Machete, Lyceum, and SideWinder, targeting sectors such as energy, finance, and government across countries including Nicaragua, Venezuela, Israel, Saudi Arabia, and Pakistan.
According to a report by Check Point Research, these attackers employ a variety of deceptive tactics, using documents that appear legitimate—ranging from official reports to news articles—to lure victims. Depending on the target audience and geographic location, some of these documents utilize malicious macros or template injection techniques, enabling cybercriminals to establish an initial foothold within organizations before executing malware attacks.
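The two document-level traits named above, an embedded VBA project and remote template injection, can both be checked statically before a file is opened. The following detector is an added example for this article, not code from Check Point Research; it inspects an OOXML (.docx) zip for a `vbaProject.bin` part and for an `attachedTemplate` relationship marked `TargetMode="External"` that points at a URL or UNC path, and the `build_fixture` helper constructs a minimal sample document (with a placeholder URL) purely to exercise the scanner offline.

```python
import io
import re
import zipfile

# Word resolves an attachedTemplate relationship at open time; when it is
# External and points at a URL/UNC path, the template is fetched remotely.
ATTACHED_TEMPLATE = "relationships/attachedTemplate"
REMOTE_TARGET = re.compile(r"^(?:https?|file)://|^\\\\", re.IGNORECASE)


def scan_rels(rels_xml: str) -> list:
    """Return remote attachedTemplate targets found in one .rels part."""
    hits = []
    for rel in re.finditer(r"<Relationship\b[^>]*/?>", rels_xml):
        tag = rel.group(0)
        target = re.search(r'Target="([^"]*)"', tag)
        if (ATTACHED_TEMPLATE in tag and 'TargetMode="External"' in tag
                and target and REMOTE_TARGET.match(target.group(1))):
            hits.append(target.group(1))
    return hits


def scan_docx(data: bytes) -> dict:
    """Inspect an OOXML document held in memory for the two lure traits."""
    findings = {"remote_templates": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("vbaProject.bin"):  # macro-enabled document
                findings["has_vba"] = True
            elif name.endswith(".rels"):  # relationship parts hold the template link
                xml = zf.read(name).decode("utf-8", errors="replace")
                findings["remote_templates"] += scan_rels(xml)
    return findings


def build_fixture(remote_template: str = "", with_vba: bool = False) -> bytes:
    """Constructed minimal .docx used only to exercise the scanner offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        rels = "<Relationships>"
        if remote_template:
            rels += ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                     'officeDocument/2006/relationships/attachedTemplate" '
                     f'Target="{remote_template}" TargetMode="External"/>')
        rels += "</Relationships>"
        zf.writestr("word/_rels/settings.xml.rels", rels)
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only
    return buf.getvalue()
```

A local template reference such as `Normal.dotm` is not reported, so the check flags only documents that would reach out to a remote host on open.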
El Machete, a Spanish-speaking threat actor first identified by Kaspersky in August 2014, uses infection chains built on macro-laden decoy documents. These documents deploy Loki.Rat, an open-source remote access trojan capable of stealing keystrokes, credentials, and clipboard data, and of executing arbitrary file operations. This aligns with the MITRE ATT&CK framework’s tactics such as initial access and execution.
In addition, the Iranian APT group Lyceum has reportedly initiated a phishing attack using an email themed around “Russian war crimes in Ukraine.” This email delivers first-stage .NET and Golang droppers, which in turn deploy a backdoor capable of executing files fetched from remote servers. Such tactics reflect the group’s emphasis on initial access and execution, akin to the methodologies outlined in the MITRE ATT&CK framework.
Lastly, the state-sponsored group SideWinder, known for its alignment with Indian political interests, has targeted neighboring nations, particularly China and Pakistan. Their attack methodology utilizes weaponized documents that exploit a vulnerability in Microsoft Office’s Equation Editor (CVE-2017-11882), facilitating the distribution of information-stealing malware. This approach exemplifies the use of techniques such as exploitation of known vulnerabilities and downloading of malicious payloads outlined in the MITRE ATT&CK framework.
These findings align with warnings from Google’s Threat Analysis Group, which has observed that nation-state-backed actors from regions including Iran, China, North Korea, and Russia have increasingly leveraged conflict-related themes in their phishing efforts and other malicious campaigns. The ongoing attention devoted to the Russo-Ukrainian war serves as fertile ground for APTs aiming to exploit vulnerabilities for espionage and information theft.
As this conflict has global implications, the cybersecurity landscape remains highly dynamic. Business owners must remain vigilant, enhancing their defenses against such targeted phishing campaigns, while educating their workforce about the sophisticated methods employed by cybercriminals during this ongoing crisis.