Phishing Campaign Targeted Those Aiding Ukraine Refugees

Cyberattackers used a compromised Ukrainian military email address to phish EU government employees who’ve been involved in managing the logistics of refugees fleeing Ukraine, according to a new report.

Ukraine has been at the center of an unprecedented wave of cyberattacks in recent weeks and months, from distributed denial-of-service (DDoS) campaigns against organizations and citizens to attacks against national infrastructure and more. This time, attackers went after aides in the EU, leveraging breaking news in the Russian invasion of Ukraine to entice targets into opening emails containing Microsoft Excel files laced with malware.

Researchers attributed the phishing attempt to TA445 (aka UNC1151 or Ghostwriter). TA445 has previously been linked with the government of Belarus.

Attack Coincided with Russia’s Invasion

On Wednesday, Feb. 23, NATO convened an emergency meeting regarding the impending Russian invasion of Ukraine.

The following day – the day Russia invaded Ukraine – researchers detected a suspicious email making the rounds. Its subject: “IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022.” It contained a macros-enabled Microsoft Excel (.xls) spreadsheet titled “list of persons.xlsx” that, when opened, delivered malware called SunSeed.

The email originated from a ukr.net address, which is a Ukrainian military email address. Oddly enough, the researchers were able to trace the address to a publicly available procurement document for a Stihl-brand lawn mower, purchased back in 2016. The order was made by “Військова частина А2622,” a military unit based in Chernihiv, Ukraine. Exactly how the attackers obtained access to a military email address is not clear.

This phishing targeted a very specific group of European government personnel involved in managing the outflux of refugees from Ukraine. Though the targets “possessed a range of expertise and professional responsibilities,” the report noted, “there was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe.”

The goal in targeting these specific individuals was “to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO member countries,” according to the report.

Attackers Tied to Belarus, Russia by Extension

The report noted that no “concrete” evidence can “definitively” tie this campaign to a particular threat actor. Still, the researchers noted a bevy of similarities between this phishing campaign and another campaign from July of last year that targeted U.S. cybersecurity and defense companies.

The July campaign “utilized a highly similar macro-laden XLS attachment to deliver MSI packages that install a Lua malware script,” according to Proofpoint researchers. Lua is the programming language in which SunSeed is coded. “Similarly, the campaign utilized a very recent government report as the basis of the social engineering content,” they added.

The file name in that campaign – “list of participants of the briefing.xls.” – bears striking resemblance to the one used in this new campaign. Furthermore, “the Lua script created a nearly identical URI beacon to the SunSeed sample, which was composed of the infected victim’s C Drive partition serial number. Analysis of the cryptography calls in both samples revealed that the same version of WiX 3.11.0.1528 had been utilized to create the MSI packages.”

These overlaps allowed the researchers to conclude with moderate confidence that the two campaigns were perpetrated by the same threat actor: TA445. According to Mandiant, the group is based in Minsk, connected to the Belarusian military, and conducts its business in the interests of the Belarusian government. Belarus is a close ally of Russia.

The researchers concluded with a disclaimer. On balancing “responsible reporting with the quickest possible disclosure of actionable intelligence,” they wrote, “the onset of hybrid conflict, including within the cyber domain, has accelerated the pace of operations and reduced the amount of time that defenders have to answer deeper questions around attribution and historical correlation to known nation-state operators.”

Ukraine’s Unprecedented Cyber Targeting

This phishing campaign isn’t the worst Ukraine-oriented cyberattack in recent weeks, or even recent days. Still, the researchers noted that “while the utilized techniques in this campaign are not groundbreaking individually, if deployed collectively, and during a high tempo conflict, they possess the capability to be quite effective.”

Thomas Stoesser, of comforte AG, told Threatpost via email that this attack “shows just how ruthless and clever threat actors can be in adapting existing social engineering tactics.”

“The situation underscores two key points that every enterprise should heed,” he added. “One, it’s not enough simply to educate employees sporadically about common social engineering tactics. [Companies] need to put a premium on employees treating every email with healthy skepticism. Two, protect all sensitive enterprise data with more than just perimeter security, even if you feel that the impenetrable vault you’ve stored it all in is foolproof.”

Register Today for Log4j Exploit: Lessons Learned and Risk Reduction Best Practices – a LIVEThreatpost eventsked for Thurs., March 10 at 2PM ET. Join Sonatype codeexpert Justin Young as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. Register Now for this one-time FREE event, Sponsored by Sonatype.