Google's Threat Analysis Group (TAG) published an update on recent cyber activity tied to the war in Ukraine. TAG reports that it has observed a growing number of threat actors using the war as a lure in phishing and malware campaigns: war-related themes are used to trick users into opening malicious emails or clicking malicious links.
Impersonating military personnel
Google also noted that actors are exploiting current events when targeting users. According to TAG's report, one actor is impersonating military personnel to extort money in exchange for supposedly rescuing relatives in Ukraine. TAG says it identifies and removes that content. Here is a deeper look at the campaign activity TAG has observed:
- Curious Gorge, a group TAG attributes to China’s PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. While this activity largely does not impact Google products, we remain engaged and are providing notifications to victim organizations. Recently observed IPs used in Curious Gorge campaigns:
- 5.188.108[.]119
- 91.216.190[.]58
- 103.27.186[.]23
- 114.249.31[.]171
- 45.154.12[.]167
- COLDRIVER, a Russia-based threat actor sometimes referred to as Calisto, has launched credential phishing campaigns, targeting several US-based NGOs and think tanks, the military of a Balkans country, and a Ukraine-based defense contractor. However, for the first time, TAG has observed COLDRIVER campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence. These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown. We have not observed any Gmail accounts successfully compromised during these campaigns. Recently observed COLDRIVER credential phishing domains:
- protect-link[.]online
- drive-share[.]live
- protection-office[.]live
- proton-viewer[.]com
- Ghostwriter, a Belarusian threat actor, recently introduced a new capability into their credential phishing campaigns. In mid-March, a security researcher released a blog post detailing a 'Browser in the Browser' phishing technique. While TAG has previously observed this technique being used by multiple government-backed actors, the media picked up on this blog post, publishing several stories highlighting this phishing capability. Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique: hosting credential phishing landing pages on compromised sites. The new technique, displayed below, draws a login page that appears to be on the passport.i.ua domain on top of the page hosted on the compromised site. Once a user provides credentials in the dialog, they are posted to an attacker-controlled domain. Recently observed Ghostwriter credential phishing domains:
- login-verification[.]top
- login-verify[.]top
- ua-login[.]top
- secure-ua[.]space
- secure-ua[.]top
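The indicators above are published defanged (`[.]` in place of `.`), so they cannot be pasted straight into a matching rule. The script below is an added example written for this page, not code from Google TAG: it refangs the Curious Gorge IPs and the COLDRIVER and Ghostwriter domains listed above, then scans log lines for exact IP matches and for exact-or-subdomain matches of the listed domains. The DNS and proxy log lines are constructed for the example and follow no particular product's format; the column layout is an assumption of the example, not a real log schema.

```python
import ipaddress
import re

# Indicators exactly as listed in the TAG update above, in the defanged form used there.
DEFANGED_IOCS = [
    # Curious Gorge infrastructure
    "5.188.108[.]119", "91.216.190[.]58", "103.27.186[.]23",
    "114.249.31[.]171", "45.154.12[.]167",
    # COLDRIVER credential phishing domains
    "protect-link[.]online", "drive-share[.]live",
    "protection-office[.]live", "proton-viewer[.]com",
    # Ghostwriter credential phishing domains
    "login-verification[.]top", "login-verify[.]top",
    "ua-login[.]top", "secure-ua[.]space", "secure-ua[.]top",
]

# Matches either a dotted hostname or a dotted-quad IPv4 address inside a log line.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b|\b(?:\d{1,3}\.){3}\d{1,3}\b", re.I)


def refang(ioc: str) -> str:
    """Turn the defanged forms used in threat reports back into a live indicator."""
    return ioc.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def split_iocs(iocs):
    """Refang every indicator and sort it into an IP set or a domain set."""
    ips, domains = set(), set()
    for raw in iocs:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))  # normalises the textual form
        except ValueError:
            domains.add(value)
    return ips, domains


def domain_matches(host: str, domains) -> bool:
    """Exact match or a subdomain of a listed domain, anchored on a label boundary.

    docs.drive-share.live matches drive-share.live; secure-ua.top.example.org does not
    match secure-ua.top, which a naive substring check would get wrong.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan(lines, iocs=DEFANGED_IOCS):
    """Return (line, matched_indicator) for every line containing a listed IP or domain."""
    ips, domains = split_iocs(iocs)
    hits = []
    for line in lines:
        for candidate in HOST_RE.findall(line):
            candidate = candidate.lower()
            if candidate in ips or domain_matches(candidate, domains):
                hits.append((line, candidate))
                break  # one hit per line is enough for triage
    return hits


# Constructed sample lines (not real traffic): a DNS query log and an HTTP proxy log.
SAMPLE_LOGS = [
    "dns 2022-03-30T10:01:02Z 10.0.0.12 query A docs.drive-share.live",
    "dns 2022-03-30T10:01:05Z 10.0.0.12 query A mail.google.com",
    "proxy 2022-03-30T10:02:11Z 10.0.0.23 POST https://login-verify.top/auth.php 200",
    "proxy 2022-03-30T10:03:40Z 10.0.0.31 GET http://5.188.108.119/update.bin 200",
    "proxy 2022-03-30T10:04:01Z 10.0.0.31 GET https://example.org/ 200",
    "dns 2022-03-30T10:05:00Z 10.0.0.44 query A secure-ua.top.example.org",
]

if __name__ == "__main__":
    for line, indicator in scan(SAMPLE_LOGS):
        print(f"HIT {indicator}: {line}")
```

Two points worth keeping in mind when using lists like this one. First, the Ghostwriter landing pages sit on compromised legitimate sites, so the host that serves the fake passport.i.ua dialog will not appear in the list; what the listed domains catch is the POST of the harvested credentials, which is why proxy logs that record the request destination matter more here than DNS alone. Second, the match is anchored on label boundaries on purpose: phishing domains in the list such as secure-ua[.]top are short, and a plain substring search would fire on unrelated hostnames that merely contain them.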