Google sees an increase in cyber attacks in Eastern Europe
Eastern European countries are increasingly affected by cyber attacks. State hackers from Russia and China, among others, have increased the number of digital attacks in recent months. Ukraine is a common target, but Russian authorities are also increasingly being victims.
Billy Leonard of Google’s Threat Analysis Group (TAG) reports this in a blog post.
‘Continuously growing number of threat actors’
The security researchers at the search giant are closely monitoring the war in Ukraine, and the cyber activity surrounding it in particular. The researchers publish a report on the state of affairs every quarter, and sometimes more often.
Since the last report, the group has observed “a continuously growing number of threat actors”. They abuse the war for phishing and malware campaigns. They increasingly target companies and organizations in the vital sector, including telecom companies, utility suppliers and oil and gas companies.
According to Google, the attackers are state hackers from Russia, China, Iran and North Korea. They use the war as a lure to get their victims to open emails containing rogue URLs. Cybercriminals are also trying to cash in on the misery unfolding in Ukraine.
Spam and phishing campaigns
In recent months, TAG has not observed any major shifts in Eastern Europe. One of the hacker groups that was active in this region in the past quarter is APT28, also known as Fancy Bear. According to security researchers, this group has close ties with the Russian military intelligence service GRU.
The hackers spread malware through email attachments: the attachment is a password-protected zip file. Once the file is opened, the software collects cookies and passwords stored in the Google Chrome, Microsoft Edge and Mozilla Firefox web browsers. This data is then forwarded to a compromised email account.
Another group that regularly carries out cyberattacks in Eastern Europe is Turla. Commissioned by the Russian intelligence service FSB, it runs spam campaigns against defence and cybersecurity organizations in the Baltic states. Each target receives an email with a unique URL that leads to a .docx file on hacker-controlled infrastructure. When the Word file is opened, it attempts to download an infected PNG file.
Google Safe Browsing blocks dangerous phishing domains
Like APT28 and Turla, COLDRIVER is a hacker group affiliated with Russia. They use Gmail accounts to steal login credentials. This tactic is also known as credential phishing. The hackers have targeted Eastern European politicians, government officials, think tanks, journalists and non-governmental organizations (NGOs).
The working method of this group has shifted in recent months. They no longer send their targets emails containing URLs to phishing sites. Instead, their emails point to rogue PDF and Word files hosted on Google Drive and Microsoft OneDrive. These files contain a link to a phishing domain controlled by the hackers. Google Safe Browsing blocks these domains.
Chinese state hackers target Russian targets
Another group that has remained active in recent months is GhostWriter, a hacker collective associated with President Alexander Lukashenko of Belarus. Like COLDRIVER, GhostWriter has attempted to steal login credentials through Gmail accounts. The emails the group sent contained a malicious link that redirected recipients to a phishing page, through which the hackers tried to collect user data. Google says no accounts have been compromised.
GhostWriter is a notorious hacker group. The group tried to influence the parliamentary elections in Germany last year by spreading disinformation through social media. In addition, the attackers ran phishing campaigns on politicians to take over their accounts.
One last group that Google mentions is Curious Gorge. This group has ties to the Chinese military. As in the past quarter, the Chinese hackers’ attacks have targeted government agencies, military units and logistics agencies in Ukraine, Russia and Central Asia. The Russian Ministry of Foreign Affairs and various Russian defence contractors and manufacturers were among the targets.
Russian hackers responsible for hundreds of cyber attacks
Hundreds of cyber-attacks have been carried out since the first Russian tanks invaded Ukraine, not only in Ukraine but also in Russia and the Baltic states. According to Microsoft, six Russian hacker groups have already carried out at least 237 attacks against Ukraine. Attempts were made to paralyze government services and companies in the vital sector. There are also examples of espionage and the spreading of misinformation.