Security researchers warn of phishing attempts against officials helping refugees

A phishing campaign is targeting organisations trying to help Ukrainians fleeing the Russian invasion.
Written by Danny Palmer, Senior Writer

Staff at organisations involved in the efforts to aid refugees from the conflict in Ukraine have been targeted by what security researchers describe as a likely state-sponsored phishing campaign that aims to deliver malware. 

According to Proofpoint, which detailed the campaign, the attackers are believed to have used a compromised personal email account belonging to a member of the Ukrainian armed forces to send targeted phishing emails to European government workers tasked with managing transportation in Europe, as Ukrainian refugees flee the Russian invasion.

The attacks are likely an attempt to gain intelligence from within NATO member countries. Researchers have tentatively linked the campaign to a hacking group known as TA445, part of a wider operation known as UNC1151, which has previously been linked to the government of Belarus.


However, researchers also note that they've "not yet observed concrete technical overlaps which would allow us to definitively attribute this campaign". 

The initial phishing emails were detected on February 24, originating from a Ukrainian email address and sent to an undisclosed European government agency. The subject line references the emergency in Ukraine, and the email includes an Excel file named "list of persons", which contains malicious macros. If the macros are enabled, the document will download and install malware.

Dubbed SunSeed, the malware appears to be a downloader designed to deliver additional payloads. It's believed that the purpose of these attacks is to track individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe, potentially with the aim of gaining intelligence about movements of funds, supplies and people.  

Researchers also note that TA445 has a history of pushing disinformation campaigns intended to generate anti-refugee sentiment, and if this phishing campaign is linked to the group, the information stolen could be abused to fuel similar operations.

Proofpoint's analysis of this phishing campaign targeting refugee aid follows a warning by the Computer Emergency Response Team for Ukraine (CERT-UA) that phishing attacks – including those believed to be of Belarusian origin – are attempting to compromise targets in Ukraine.

It's believed the campaigns designed to target European governments and personnel involved in aiding refugees will continue as long as the war continues to displace people. 

"This campaign represents an effort to target NATO entities with compromised Ukrainian military accounts during an active period of armed conflict between Russia, its proxies, and Ukraine. While the utilised techniques in this campaign are not ground-breaking individually, if deployed collectively, and during a high tempo conflict, they possess the capability to be quite effective," Proofpoint researchers said in the blog post.

"Being aware of this threat and disclosing it publicly are paramount for cultivating awareness among targeted entities," they added. 

Several other phishing campaigns are also attempting to exploit the Russia-Ukraine war in what are likely attempts to steal passwords, financial information and other sensitive data, as well as potentially delivering malware. Microsoft has detailed a number of what are described as "opportunistic phishing campaigns" that use tailored phishing lures related to Ukraine.

Ukraine faced several cyberattacks and malware campaigns in the run-up to the Russian invasion, including wiper attacks targeting government networks and other organisations.

