Ukraine’s state Computer Emergency Response Team (CERT-UA) has today taken to social media to warn Ukrainians of a growing number of phishing attacks targeting devices in the country following the invasion by Russian armed forces.
In a notice posted to Facebook, CERT-UA said mass phishing emails had been observed targeting the accounts of Ukrainian military personnel and related individuals. It attributed the attacks to an advanced persistent threat (APT) group tracked as UNC1151, based within the Belarussian Ministry of Defence in Minsk. Belarus is regarded as a client state of the Russian regime.
Mandiant director Ben Read, who has been tracking UNC1151, said: “We’re monitoring reports of widespread phishing of Ukrainian individuals by UNC1151. We are able to tie the infrastructure reported by CERT-UA to UNC1151, but have not seen the phishing messages directly. However, UNC1151 has targeted Ukraine and especially the Ukrainian military extensively over the past two years, so this activity matches their historical pattern.
“These actions by UNC1151, which we believe is linked to the Belarussian military, are concerning because personal data of Ukrainian citizens and military can be exploited in an occupation scenario, and UNC1151 has used its intrusions to facilitate the Ghostwriter information operations campaign. Leaking misleading or fabricated documents taken from Ukrainian entities could be leveraged to promote Russia- and Belarus-friendly narratives,” Read told Computer Weekly in emailed comments.
“Ghostwriter has previously targeted the Nato alliance, seeking to erode support for the organisation. I wouldn’t be surprised if similar operations were seen in the near future,” he added.
CERT-UA’s warnings were corroborated by Ukraine’s State Service of Special Communication and Information Protection (SSSCIP), while cyber security firm ESET has also warned those outside Ukraine to be wary of phishing attempts linked to the war.
Alongside the ongoing military invasion of Ukraine by Russian leader Vladimir Putin, government bodies and other organisations within the country have already been subjected to a sustained wave of cyber attacks, including distributed denial of service (DDoS) actions and targeted, destructive intrusions using malware dubbed HermeticWiper. These cyber attacks intensified ahead of the invasion on 24 February and show little sign of abating.
In a statement published on 23 February, prior to the kinetic attack, Ukraine’s SSSCIP said: “Phishing attacks on public authorities and critical infrastructure, the spread of malicious software, as well as attempts to penetrate private and public sector networks and further destructive actions have intensified.
“Designated cyber security teams, internet service providers and IT teams of critical information infrastructure facilities work 24/7, ensuring the availability and integrity of information resources.
“Today’s cyber attacks no longer even require detailed technical attribution. Attackers, without much hiding, use bot networks for phishing and DDoS attacks, which our special services unambiguously identify as connected with the secret services of the aggressor country [Russia].”
SSSCIP issued a further appeal to organisations in Ukraine to isolate workstations and servers that are not related to critical functions, update systems and software to the most current versions, and backup data to external storage.
While there is currently considered to be no immediate threat to organisations in the UK, all defenders should assess their cyber security posture and their potential exposure to cyber attacks originating from Russia, particularly attacks that may target supply chain partners.
Reports are also emerging that Russian organisations are now on the receiving end of cyber action by unknown actors. Kentik internet analysis director Doug Madory, who has been instrumental in tracking the earlier DDoS attacks against Ukraine, has also reported significant outages at Russian banks Sberbank – in which Conservative MP Jacob Rees-Mogg held significant interests until recently – and Alfabank, as well as disruption to Russian government websites.
Also, a Twitter account that claims to belong to the Anonymous collective reported the group took down the website of Russian propaganda outlet RT. At the time of writing, RT’s website is accessible from the UK.