Google’s Threat Analysis Group (TAG) has been monitoring and disrupting Russian state-backed cyberattacks targeting Ukraine’s critical infrastructure in 2023.
Google reports that from January to March 2023, Ukraine received roughly 60% of the phishing attacks originating from Russia, making it the most prominent target.
Typically, the campaign goals include intelligence collection, operational disruptions, and leaking sensitive data through Telegram channels dedicated to causing information damage to Ukraine.
Threat groups active in Ukraine
Google’s TAG lists three Russian and Belarusian threat actors who had notable activity in the first quarter of the year against Ukrainian targets.
The first is Sandworm, tracked by Google as “FrozenBarents,” which has focused its attacks on the energy sector across Europe since November 2022, with a highlighted case involving the Caspian Pipeline Consortium (CPC).
Sandworm has recently launched multiple phishing campaigns using spoofed “Ukroboronprom” websites against workers in the Ukrainian defense industry, users of the Ukr.net platform, and even Ukrainian Telegram channels.
The threat group also creates multiple online personas to disseminate false information on YouTube and Telegram, often leaking parts of the data they steal through phishing or network intrusions.
Another highly active Russian threat actor is APT28, tracked by Google as “FrozenLake.”
Between February and March 2023, APT28 sent out multiple large waves of phishing emails targeting Ukrainians. The hackers also used reflected cross-site scripting (XSS) on Ukrainian government websites to redirect visitors to phishing pages.
This week, a joint announcement by the UK NCSC, FBI, NSA, and CISA warned that APT28 is hacking Cisco routers to install custom malware.
The third threat actor highlighted in Google’s report is “Pushcha,” which is believed to be based in Belarus, a country that is politically aligned with the Kremlin.
Pushcha has recently launched campaigns that target Ukrainian webmail providers like “i.ua” and “meta.ua,” attempting to steal the users’ credentials by setting up phony sites.
Google’s report also highlights cases of misinformation on its platforms, like YouTube and Blogger.
“In the first quarter of 2023, TAG observed a coordinated IO campaign from actors affiliated with the Internet Research Agency (IRA) creating content on Google products such as YouTube, including commenting and upvoting each other’s videos,” reads the Google TAG report.
The IRA (Glavset) is a Russian company linked to Wagner Group’s owner, Y. Prigozhin, engaging in online propaganda and influence operations on behalf of Russian political interests.
Google reports that it has been observing and blocking IRA-linked accounts creating content on YouTube Shorts to promote specific “news-like” narratives about the war in Ukraine to Russian domestic audiences.
All websites linked to the mentioned campaigns have been added to Google’s “Safe Browsing” blocklist, while targeted Gmail and Workspace users received alerts notifying them about malicious communications.