An elite hacking group tied to Russia's military intelligence service has been linked to a high-volume phishing campaign aimed at hundreds of users in Ukraine, with the goal of extracting intelligence and influencing public discourse on the war.
Google's Threat Analysis Group (TAG), which is monitoring the actor's activities under the name FROZENLAKE, said the attacks continued the group's “2022 focus on targeting webmail users in Eastern Europe.”
The state-sponsored actor, also tracked as APT28, Fancy Bear, Forest Blizzard, Iron Twilight, Sednit, and Sofacy, is highly active and capable. It has been operating since at least 2009, targeting media, government and military entities for espionage.
The most recent intrusion set, observed as of early February 2023, involves reflected cross-site scripting (XSS) attacks against several Ukrainian government websites to redirect users to phishing domains and capture their credentials.
The revelations come as UK and US intelligence and law enforcement agencies released a joint advisory about APT28 attacks that exploited a long-known vulnerability in Cisco routers to deploy malware known as Jaguar Tooth.
FROZENLAKE is far from the only actor to focus on Ukraine since Russia's military invasion of the country just over a year ago. Another well-known adversary collective is FROZENBARENTS, aka Sandworm, Seashell Blizzard (née Iridium), or Voodoo Bear, which has been involved in ongoing efforts to target organizations affiliated with the Caspian Pipeline Consortium (CPC) and other energy sector entities in Eastern Europe.
Both groups have been linked to the General Staff Main Intelligence Directorate (GRU): APT28 is tied to the 85th Special Service Center (GTsSS), military unit 26165, while Sandworm is believed to be part of GRU Unit 74455.
The credential harvesting campaigns targeted CPC employees with phishing links sent via SMS. The attacks on the energy vertical distributed links to bogus Windows update packages that ultimately executed an information stealer known as Rhadamanthys to exfiltrate browser passwords and cookies.
FROZENBARENTS, dubbed “GRU's most versatile cyber actor”, has also been observed launching credential phishing attacks targeting Ukraine's defense industry, its military, and users of the Ukr.net webmail service starting in early December 2022.
The threat actor is also said to have created online personas on YouTube, Telegram, and Instagram to spread pro-Russian narratives, leak data stolen from compromised organizations, and post targets for distributed denial-of-service (DDoS) attacks.
“FROZENBARENTS has targeted users associated with popular channels on Telegram,” said TAG researcher Billy Leonard. “Phishing campaigns are sent via Telegram, fake emails and SMS to steal credentials, sometimes targeting users who follow pro-Russian channels.”
The third threat actor is PUSHCHA (aka Ghostwriter or UNC1151), a Belarusian government-backed group known to act on behalf of Russian interests, which mounted phishing attacks against Ukrainian webmail providers such as i.ua and meta.ua to siphon credentials.
Google TAG also highlighted a series of attacks in which the group behind Cuba ransomware distributed the RomCom RAT to Ukrainian government and military networks.
“This is a big change from these actors’ traditional ransomware operations, behaving more similarly to actors conducting intelligence gathering operations,” said Leonard.