Google: Multiple hacking groups are using the war in Ukraine as a lure in phishing attempts

Hacking operations are using lures related to Russia's invasion of Ukraine to trick people into falling victim to phishing emails and scams.
Written by Danny Palmer, Senior Writer

Hostile hacking groups are exploiting Russia's invasion of Ukraine to carry out cyberattacks designed to steal login credentials, sensitive information, money and more from victims around the world. 

According to cybersecurity researchers at Google's Threat Analysis Group (TAG), government-backed hackers from Russia, China, Iran and North Korea, as well as various unattributed groups and cyber-criminal gangs, are using a range of themes related to the war in Ukraine to lure people into becoming victims of cyberattacks.

In the last two weeks alone, Google has seen several hacking groups looking to take advantage of the war to fulfil their malicious aims, whether that's stealing information, stealing money, or something else.


Among these is a Russia-based hacking group that Google refers to as Coldriver, also known as Calisto. Its targets have included several US-based NGOs and think tanks, the militaries of multiple Eastern European countries, the military of a Balkans country, a Ukraine-based defense contractor, and a NATO Centre of Excellence.

The campaigns use newly created Gmail accounts to send phishing emails. The links in those emails lead to pages designed to steal usernames and passwords from victims, credentials the attackers could use to commit espionage or potentially plant malware.

Another hacking threat that Google says is attempting to exploit the Russian invasion of Ukraine is Ghostwriter, a cyber-threat group working out of Belarus. Ghostwriter's phishing attacks use a browser-in-the-browser technique, rendering a fake browser window inside the real one so that the spoofed window appears to show a legitimate domain, and use this to host pages designed to steal login credentials.

Once a user enters their username and password, the details are sent to a domain controlled by the attacker, where they are stored and can be exploited to conduct further attacks in the future.

Google also warns about campaigns by a hacking group referred to as Curious Gorge, which is linked to the People's Liberation Army Strategic Support Force, the cyber and electronic warfare branch of the Chinese military. 

According to TAG, Curious Gorge is using lures related to Russia's invasion of Ukraine and has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. 

But it isn't just governments that are looking to exploit the interest and confusion around the war to commit cyberattacks. Criminals have been getting in on the action, too. Google notes that one cyber-criminal operation is impersonating military personnel and demanding payments for rescuing relatives stuck in Ukraine.  

"We'll continue to take action, identify bad actors and share relevant information with others across industry and governments, with the goal of bringing awareness to these issues, protecting users and preventing future attacks," said Billy Leonard, security engineer at Google's Threat Analysis Group.  

Google notes that ransomware groups are still operating as normal. 
