Ukraine Facing Phishing Attacks, Information Operations
Russia's Invasion Tactics Include Creating Fake Hacktivist Groups, Researchers Find
The Russian government continues to use an array of phishing attacks and information operations, including hack-and-leak efforts, to support its invasion of Ukraine, researchers reported.
The Russian government's military and intelligence cyber forces remain active against Ukraine, and attackers are "attempting to cause disruption of critical infrastructure while also trying to influence the narrative," Jurgen Kutscher, an executive with Google's Mandiant incident response group, said in a blog post.
Researchers from Google's Threat Analysis Group reported that in the first quarter of this year, 60% of the phishing attacks it observed from Russian government-backed attackers targeted users in Ukraine. Email phishing lures have included fake Windows updates, and targets have also received links to phishing sites via SMS. After a successful compromise, attackers have deployed information-stealing malware to harvest data and credentials, including browser cookies, which can be replayed to take over already-authenticated sessions without the password (see: Phishing Campaign Tied to Russia-Aligned Cyberespionage).
Last year, phishing dominated the types of online attacks being launched by Russia, Google recently reported (see: Ukraine Withstands Torrent of Russian Cyberattacks).
While wiper attacks skyrocketed at the start of 2022, they declined not long after Russia intensified its invasion on Feb. 24, 2022, apparently giving way to increased cyberespionage activity, in which Russia's GRU military intelligence agency had a primary hacking role, researchers have found.
"Since the outset of the war in Ukraine, the GRU has attempted to conduct successive and almost constant campaigns of cyberespionage and disruption aimed against key services and organizations within Ukraine," Mandiant said in a new report. "This balance of access to and action against targeted organizations relies on the compromise of edge infrastructure such as routers and other internet-connected devices."
Google ties many of these cyber operations and espionage efforts to the GRU's Sandworm group, aka Telebots, Voodoo Bear, Iron Viking and FrozenBarents. Sandworm's offensive capabilities include "credential phishing, mobile activity, malware, external exploitation of services and beyond," while its target selection often focuses on sectors of interest to Russian intelligence, "including government, defense, energy, transportation/logistics, education and humanitarian organizations," Google said.
Sandworm has been exploiting vulnerabilities in the Exim mail transfer agent to seize control of internet-facing mail servers since at least April 2019, the U.S. Cybersecurity and Infrastructure Security Agency reported in 2020.
These Exim MTA-targeting attacks continue, and "compromised hosts have been observed accessing victim networks, interacting with victim accounts, sending malicious emails and engaging in information operations activity," Google said.
Fancy Bear Attacks
Another GRU hacking team tied to a number of attacks during the Russia-Ukraine war is APT28, aka Fancy Bear, FrozenLake and Strontium. Researchers said the group's attacks have continued this year and often leverage known, already-patched vulnerabilities.
In a joint alert issued Tuesday, U.S. and U.K. government agencies warned that APT28 "has been observed taking advantage of poorly configured networks and exploiting a known vulnerability to deploy malware and access Cisco routers worldwide." Officials said the attacks exploited a vulnerability patched in 2017 to amass U.S., European and Ukrainian victims, primarily for reconnaissance purposes, at least as recently as 2021.
Since the start of the year, Google says it has seen the group using phishing emails as well as reflected cross-site scripting, in which script carried in a crafted link is echoed by a legitimate web application back into the victim's browser, where it executes in that site's context, to redirect victims to short-lived phishing domains designed to steal their credentials. Because such a link points at a legitimate domain, it is more likely to pass URL-reputation filtering and casual scrutiny than a link straight to the phishing host. In many cases, researchers found these domains were being hosted on compromised Ubiquiti network devices.
Hacktivists' Impact Overstated
Hacktivist groups also remain part of Russia's cyber operations playbook, although Ukraine's State Cyber Protection Center reported that attacks tied to such groups have declined.
Compared to the end of 2022, in the first quarter of this year, "the number of attacks organized by pro-Russian hacktivist groups targeting the commercial, financial, government and local authorities as well as the security and defense sectors has significantly decreased," it found.
"At the same time, the intensity of cyberattacks targeting the energy and media sectors remains at the same level," and information operations advancing a pro-Russia and anti-West narrative remain strong, it said.
While pro-Russian hacktivist groups such as KillNet claim to be independent, experts say at least some are government fronts. On Wednesday, Google reported it has now firmly attributed one such group - CyberArmyofRussia, aka CyberArmyofRussia_Reborn, which operates Instagram, YouTube and Telegram channels - to the GRU. The persona's Telegram channel has been regularly used to leak data stolen from Ukraine and post targets for distributed denial-of-service attacks.
Researchers say the actual impact of hacktivist groups - government-run or otherwise - on the conflict, at least via hacking, appears to remain minimal.
"Hacktivist groups really have failed to augment Russia's cyber capabilities," Alexander Leslie, an associate threat intelligence analyst at Recorded Future, told Information Security Media Group last month.
"Even given some attribution of these groups to Russian nation-state hackers" and the potential hacking power that might bring, hacktivist groups appear to have done little more than support information operations, he said.