Escalation in Cyber Threats Targeting Critical Infrastructure and Governments in Ukraine
Since Russia's invasion of Ukraine, security researchers have warned of a rise in hybrid attacks, campaigns that pair cyber operations with conventional military action or with influence operations timed to it.
Microsoft has counted at least 237 such operations against Ukrainian targets, attributed to six distinct Russia-aligned nation-state actors, beginning just before the invasion. Among the actors tracked by Google, Ghostwriter, believed to be linked to Belarus, has resumed credential phishing against the Gmail accounts of high-risk individuals in Ukraine.
Google's Threat Analysis Group (TAG) reports an increase in phishing and malware campaigns against critical infrastructure, government, and other targets in Eastern Europe that it ties to the invasion. Notably, APT28, also known as Fancy Bear and attributed to Russia's Main Intelligence Directorate (GRU), has used a new malware variant against users in Ukraine; delivered in password-protected ZIP email attachments, it steals cookies and saved passwords from the victim's browsers.
Turla, a group publicly attributed to Russia's Federal Security Service (FSB), continues to run campaigns against defense and cybersecurity organizations in the Baltics. Curious Gorge, a group TAG attributes to China's People's Liberation Army Strategic Support Force, has targeted government, military, logistics, and manufacturing organizations in Ukraine, Central Asia, and Russia.
Financially motivated and criminal actors are also using the war as a lure for attacks on ordinary users; trading on current events and conflicts is a well-worn tactic, not one unique to this war. Separately, Coldriver, a Russia-based state-aligned actor also known as Callisto, continues to use Gmail accounts to send credential phishing emails to both Google and non-Google accounts, targeting government and defense officials, nongovernmental organizations, journalists, and think tanks.
In recent weeks TAG has also observed a resurgence in activity against critical infrastructure operators, including oil and gas, telecommunications, and manufacturing companies.
To protect users, Google has added the websites and domains associated with these actors to Safe Browsing. Separately, the Cybersecurity and Infrastructure Security Agency (CISA) has updated its earlier joint advisory on the destructive wiper malware, such as WhisperGate and HermeticWiper, that was deployed against Ukrainian organizations in the run-up to the February invasion.
According to a blog post by Tom Burt, corporate vice president for customer security and trust at Microsoft, nearly 40% of the destructive attacks Microsoft observed were aimed at organizations in critical infrastructure sectors, while 32% affected Ukrainian government organizations at the national, regional, or city level.
Google TAG has sent government-backed attack warnings to the targeted Gmail and Google Workspace users, and it encourages high-risk users to enroll in the Advanced Protection Program, which requires a hardware security key for sign-in and blunts the credential phishing these campaigns rely on. As the conflict continues, individuals and organizations in the targeted sectors should assume they are of interest to these actors, harden account authentication, and keep backups and recovery plans ready for destructive, not merely espionage-oriented, intrusions.