
State-Sponsored Actors Using Russia-Ukraine War for Phishing

Actors From China, Iran, North Korea and Russia Using Ukraine War-Related Themes
Example of hosting credential phishing landing pages on compromised sites (Source: Google TAG)

Researchers have observed a growing number of threat actors using the Russia-Ukraine war as a lure in phishing and malware campaigns to target the military of multiple Eastern European countries, as well as a NATO Center of Excellence.

Google's Threat Analysis Group observed that government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used themes related to the Russia-Ukraine war in an effort to get targets to open malicious emails or click on malicious links.


"Financially motivated and criminal actors are also using current events as a means for targeting users. For example, one actor is impersonating military personnel to extort money for rescuing relatives in Ukraine. TAG has also continued to observe multiple ransomware brokers continuing to operate in a business as usual sense," says Billy Leonard of TAG.

TAG researchers also recently uncovered a full-time initial access broker group that serves both the Conti and Diavol ransomware groups. The financially motivated threat actor, dubbed Exotic Lily, was found exploiting a zero-day in Microsoft MSHTML tracked as CVE-2021-40444.

Investigating Exotic Lily's activity, researchers determined that it appeared to be working with the Russian cybercrime gang known as FIN12/Wizard Spider (see: Google Exposes Initial Access Broker Ties to Ransomware).

Magni Reynir Sigurðsson, senior manager of detection technologies at internet security company Cyren, says TAG's findings are not surprising. "Unfortunately, cybercriminals will use any world event or disaster for monetary gain, including the political unrest in Ukraine," he says.

Fresh Campaigns Identified

The TAG researchers have observed various campaign activities over the past two weeks, including campaigns by Curious Gorge, COLDRIVER and Ghostwriter.

Curious Gorge

Curious Gorge is a group that TAG researchers attribute to China's PLA SSF. It conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan and Mongolia.

The researchers say that the activity does not affect Google products, but that TAG remains engaged and is providing notifications to victim organizations.


COLDRIVER

COLDRIVER, TAG reports, is a Russian-based actor also referred to as Calisto. This actor has launched credential phishing campaigns targeting several U.S.-based nongovernmental organizations and think tanks, the military of a Balkans country and a Ukraine-based defense contractor.

"For the first time, TAG has observed COLDRIVER campaigns targeting the military of multiple Eastern European countries, as well as a NATO Center of Excellence. These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown," the researchers say.

The researchers say they have not observed any Gmail accounts successfully compromised during these campaigns. Some of the COLDRIVER credential phishing domains observed are protect-link[.]online, drive-share[.]live, protection-office[.]live and proton-viewer[.]com.


Ghostwriter

TAG also observed campaigns by the Belarusian threat actor known as Ghostwriter, including a new capability in its credential phishing campaigns (see: Belarusian Spear-Phishing Campaign Targets Ukraine Military).

"In mid-March, a security researcher released a blog post detailing a 'Browser in the Browser' phishing technique. While TAG has previously observed this technique being used by multiple government-backed actors, the media picked up on this blog post, publishing several stories highlighting this phishing capability," TAG says.

It says that the Ghostwriter operators have quickly adopted this new technique and combined it with a previously observed technique: hosting credential phishing landing pages on compromised sites.

The researchers shared an example of this new technique in which a login page appears to be on the domain, over the top of the page hosted on the compromised site. But when a user provides credentials in the dialog box, they are posted to an attacker-controlled domain.

Some of the Ghostwriter credential phishing domains observed include login-verification[.]top, login-verify[.]top, ua-login[.]top, secure-ua[.]space and secure-ua[.]top.
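For defenders who want to check their own telemetry against the COLDRIVER and Ghostwriter domains listed above, the following is an added example (not code from TAG or from this article's sources). It refangs the indicators and matches them against DNS query log lines on label boundaries; the log format, the sample lines and the function names are assumptions made for illustration.

```python
COLDRIVER = ["protect-link[.]online", "drive-share[.]live",
             "protection-office[.]live", "proton-viewer[.]com"]
GHOSTWRITER = ["login-verification[.]top", "login-verify[.]top", "ua-login[.]top",
               "secure-ua[.]space", "secure-ua[.]top"]

def refang(domain):
    """Turn a defanged indicator (example[.]com) into a normalized hostname."""
    return domain.replace("[.]", ".").strip().rstrip(".").lower()

# Map each refanged domain to the actor the article associates it with.
IOCS = {refang(d): "COLDRIVER" for d in COLDRIVER}
IOCS.update({refang(d): "Ghostwriter" for d in GHOSTWRITER})

def match_ioc(hostname):
    """Return (ioc, actor) if hostname equals an IoC or is a subdomain of one."""
    labels = refang(hostname).split(".")
    # Walk label boundaries so 'notsecure-ua.top' does not match 'secure-ua.top'.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOCS:
            return candidate, IOCS[candidate]
    return None

def scan_dns_log(lines):
    """Return (timestamp, client, hostname, actor) for queries that hit an IoC."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        ts, client, qname = parts[0], parts[1], parts[2]
        hit = match_ioc(qname)
        if hit:
            hits.append((ts, client, refang(qname), hit[1]))
    return hits

# Constructed sample log (timestamp, client IP, queried name); not real telemetry.
SAMPLE_LOG = [
    "2022-03-30T09:14:02Z 10.0.4.17 mail.example.org",
    "2022-03-30T09:14:40Z 10.0.4.17 Account.Secure-UA.top.",
    "2022-03-30T09:15:11Z 10.0.7.23 notsecure-ua.top",
    "2022-03-30T09:16:05Z 10.0.7.23 proton-viewer.com",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
```

Matching on whole labels catches subdomains of a listed domain while avoiding false positives from hostnames that merely end with the same characters.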

Sigurðsson says that TAG has observed a huge increase in newly registered domains that include the word "Ukraine" - and a large portion of them were specifically created for malicious purposes, such as crypto scamming, phishing or malware distribution.

"The team discovered in recent weeks the circulation of over 100,000 daily fake donation emails with subject lines including 'Help Ukraine' and 'Help Ukraine stop the war! - humanitarian fund raising' where the victims are under the impression that by following the included links and donating crypto they are helping Ukraine, while in reality, their donation is going straight into the scammer's wallet," he says.

Warning Issued

Last month, the Computer Emergency Response Team of Ukraine warned about a massive spear-phishing campaign targeting private accounts of Ukrainian military personnel and related individuals. CERT-UA attributes the activities to the UNC1151 group aka Ghostwriter (see: Belarusian Spear-Phishing Campaign Targets Ukraine Military).

The Minsk-based group is a state-sponsored cyberespionage actor that engages in credential harvesting and malware campaigns and consists of officers of the Ministry of Defense of the Republic of Belarus (see: 'Ghostwriter' Disinformation Campaign Targets NATO Allies).

Sigurðsson advises taking time to verify that the source is legitimate before donating to any cause. This is easier said than done, he adds, particularly in this case, given how the official Twitter account of Ukraine is accepting donations through crypto. But he recommends doing the following:

  1. Scrutinize all emails requesting you follow a link.
  2. Look for grammatical inconsistencies, spelling errors and incorrect logos, which are all tell-tale signs of a phishing message.
  3. Do not open attachments or follow website links, particularly if related to financial donations.
  4. Bypass the middleman and go directly to legitimate websites to make donations.

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
