Mass phishing attacks against Ukrainian citizens reported
Ukraine’s state Computer Emergency Response Team (CERT-UA) has today taken to social media to warn Ukrainians of a rising number of phishing attacks targeting devices in the country following the invasion by Russian armed forces.
In a notice posted to Facebook, CERT-UA said mass phishing emails had been observed targeting the accounts of Ukrainian military personnel and related individuals. It attributed the attacks to an advanced persistent threat (APT) group tracked as UNC1151, based within the Belarusian Ministry of Defence in Minsk. Belarus is considered to be a client state of the Russian regime.
Mandiant director Ben Read, who has been tracking UNC1151, said: “We are tracking reports of widespread phishing of Ukrainian individuals by UNC1151. We are able to tie the infrastructure reported by CERT-UA to UNC1151, but have not seen the phishing messages directly. However, UNC1151 has targeted Ukraine and particularly the Ukrainian military extensively over the past two years, so this activity fits their historical pattern.
“These actions by UNC1151, which we believe is linked to the Belarusian military, are concerning because personal data of Ukrainian citizens and military can be exploited in an occupation scenario and UNC1151 has used its intrusions to facilitate the Ghostwriter information operations campaign. Leaking misleading or fabricated documents taken from Ukrainian entities could be leveraged to promote Russia and Belarus friendly narratives,” Read told Computer Weekly in emailed comments.
“Ghostwriter has previously targeted the Nato alliance, seeking to erode support for the organisation. I wouldn’t be surprised if similar operations were seen in the near future,” he added.
CERT-UA’s warnings were corroborated by Ukraine’s State Service of Special Communication and Information Protection (SSSCIP), while cyber security firm ESET has also warned those outside Ukraine to be wary of phishing attempts linked to the war.
Alongside the ongoing military invasion of Ukraine by Russian leader Vladimir Putin, government bodies and other organisations across the country have already been subjected to a sustained wave of cyber attacks, including distributed denial of service (DDoS) activity and targeted, destructive intrusions using malware dubbed HermeticWiper. These cyber attacks intensified ahead of the invasion on 24 February and show little sign of abating.
In a statement published on 23 February, prior to the kinetic assault, Ukraine’s SSSCIP said: “Phishing attacks on public authorities and critical infrastructure, the spread of malicious software, as well as attempts to penetrate private and public sector networks and further destructive actions have intensified.
“Designated cyber security teams, internet service providers and IT teams of critical information infrastructure facilities work 24/7, ensuring the availability and integrity of information resources.
“Today’s cyber attacks no longer even require detailed technical attribution. Attackers, without much hiding, use bot networks for phishing and DDoS attacks, which our special services unambiguously identify as connected with the secret services of the aggressor country [Russia].”
SSSCIP issued a further appeal to organisations in Ukraine to isolate workstations and servers that are not related to critical functions, update systems and software to the most current versions, and back up data to external storage.
At this time, while there is considered to be no immediate threat to organisations in the UK, all defenders should assess their current cyber security postures and potential vulnerabilities to cyber attacks originating from Russia, particularly those that may target supply chain partners.
Reports are also emerging that Russian organisations are now on the receiving end of cyber action by unknown actors. Kentik internet analysis director Doug Madory, who has been instrumental in tracking the earlier DDoS attacks against Ukraine, has also reported significant outages at Russian banks Sberbank – in which Conservative MP Jacob Rees-Mogg held significant interests until recently – and Alfabank, as well as disruption to Russian government websites.
Also, a Twitter account that claims to belong to the Anonymous collective reported the group took down the website of Russian propaganda outlet RT. At the time of writing, RT’s website is accessible from the UK.