Phishing Attack in Ukraine Could Be Prelude to Disinformation Campaign

Belarus-based APT behind the attacks may also be working in concert with Russia, researchers say.

Jai Vijayan, Dark Reading

February 28, 2022


One indication of the wide scope of cyberattacks in Ukraine is a phishing campaign focused on breaking into email accounts of the country's military personnel and potentially using them to spread disinformation.

The campaign is being carried out by UNC1151, a threat group that was originally thought to be Russia-based but which Mandiant last November linked to the government of Belarus and its military intelligence group.

Ukraine's Computer Emergency Response Team (CERT-UA) reported on Friday that the group was sending mass phishing emails to the accounts of members of the country's military and of people associated with them. Once the group compromises an account, it reads the victim's email and uses contact details from the address book to send further phishing emails, so each compromised mailbox seeds the next wave. CERT-UA's alert described UNC1151 as a Minsk-based group whose members are officers of Belarus' ministry of defense.

In a statement, Mandiant director Ben Read said the company's researchers are monitoring reports of UNC1151 conducting widespread phishing of Ukrainian individuals. The security vendor said that it had not seen the phishing emails used in the campaign but was able to tie the infrastructure that CERT-UA reported to UNC1151. The activity is consistent with the threat actor's extensive targeting of the Ukrainian military over the past two years, Mandiant said.

"These actions by UNC1151, which we believe is linked to the Belarussian military, are concerning because personal data of Ukrainian citizens and military can be exploited in an occupation scenario" to spread disinformation, Read said. "Leaking misleading or fabricated documents taken from Ukrainian entities could be leveraged to promote Russia and Belarus friendly narratives," Read warned.

Mandiant's concerns about UNC1151's latest phishing campaign in Ukraine are tied to the group's connection with GhostWriter, a large disinformation campaign that’s been going on for more than four years. The GhostWriter campaign's primary focus has been to spread false narratives about US and NATO interests in Eastern Europe. Examples include fake news articles about NATO nuclear weapons deployment in the region, alleged war crimes by NATO troops, and stories about NATO troops spreading COVID-19 in Eastern Europe.

Weeks before Mandiant's report linking UNC1151 to Belarus, the Council of the European Union and the German government formally identified Russia as the operator of the GhostWriter campaign. That assessment followed a series of cyberattacks that the German government determined were designed to influence the outcome of its parliamentary elections last September.

Mandiant itself has noted that while it has been able to link UNC1151 and GhostWriter to Belarus, it cannot rule out involvement by other countries, particularly Russia. Mandiant has pointed to the close relationship between the Russian and Belarusian governments, and to Russia's strong cyber espionage and information operations capabilities, as the basis for that caveat.

Security vendor RiskIQ is also monitoring UNC1151 activity. In an advisory, RiskIQ said it had analyzed the phishing domains that CERT-UA identified UNC1151 as using in the most recent campaign. Pivoting from those domains, RiskIQ found more than three dozen additional phishing domains that the threat actor is currently using or may have used in the past.

"RiskIQ was able to identify additional domains and infrastructure associated with the campaign based off the information the CERT-UA provided in their original post," says Steve Ginty, director of threat intelligence at RiskIQ. "But we do not have insight into the phishing emails being sent at this time." Historically, the UNC1151 group has registered typo-squatting domains spoofing mail providers and generic login pages in order to harvest victims' login credentials, he adds.
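The credential-harvesting pattern Ginty describes (look-alike domains for mail providers, plus generic login pages) is something a defender can hunt for in DNS or proxy logs without knowing the specific domains in advance. The script below is an added example, not code from Dark Reading, RiskIQ, Mandiant or CERT-UA. The mail-provider allow-list, the scoring heuristics and the candidate hostnames are constructed for illustration; none of the hostnames is claimed to be an actual UNC1151 domain, and the public-suffix handling is deliberately simplified.

```python
"""Flag hostnames that look like typo-squats of mail providers or generic login pages.

Added example (not from the article or any vendor named in it). Provider list,
heuristics and sample hosts are constructed; nothing here is a real indicator.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: providers a Ukrainian user base would plausibly log in to.
MAIL_PROVIDERS = ["ukr.net", "i.ua", "meta.ua", "gmail.com", "outlook.com", "mail.ru"]

# Words that recur in the path or domain of credential-harvesting login pages.
LOGIN_WORDS = ("login", "signin", "sign-in", "verify", "account", "password", "webmail", "auth")

# Simplified public-suffix list: enough for the example, not a replacement for the PSL.
TWO_LABEL_SUFFIXES = {"com.ua", "net.ua", "org.ua", "co.uk"}

# Characters attackers substitute to make a label read like the brand.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


@dataclass
class Finding:
    host: str
    provider: Optional[str]   # which provider is being impersonated, if any
    reason: str


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname (e.g. 'account-verify.com')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_label(domain: str) -> str:
    """The label a user actually reads: 'ukr' for ukr.net, 'gmail' for gmail.com."""
    return domain.split(".")[0]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a distance of 1 covers most single-key typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_label(label: str) -> str:
    """Undo common homoglyph substitutions so 'gmai1' compares equal to 'gmail'."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def classify_host(host: str) -> Optional[Finding]:
    """Return a Finding if the host looks like a mail-provider spoof or a generic login page."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in MAIL_PROVIDERS:
        return None  # the provider's own domain, any subdomain
    label = brand_label(reg)
    for provider in MAIL_PROVIDERS:
        plabel = brand_label(provider)
        # 1. The provider's full domain appears as a label sequence inside someone else's domain
        #    (e.g. ukr.net.account-verify.com); the browser bar shows the brand, the owner is not.
        if re.search(r"(^|[.-])" + re.escape(provider) + r"([.-]|$)", host):
            return Finding(host, provider, f"{provider} embedded in a different registrable domain")
        if len(plabel) < 3:
            continue  # one- or two-letter brands (i.ua) would match everything
        # 2. Homoglyph substitution, then 3. a single-character typo of the brand.
        if label != plabel and normalize_label(label) == plabel:
            return Finding(host, provider, f"homoglyph of {plabel}")
        if label != plabel and levenshtein(label, plabel) == 1:
            return Finding(host, provider, f"one edit away from {plabel}")
        # 4. Brand plus a login keyword in the registrable label (meta-ua-login.com).
        if plabel in label and any(w in label for w in LOGIN_WORDS):
            return Finding(host, provider, f"{plabel} combined with a login keyword")
    # 5. No brand, but the registrable label itself is a generic login lure. Lower confidence.
    if any(w in label for w in LOGIN_WORDS):
        return Finding(host, None, "generic login keyword in registrable domain")
    return None


def triage(hosts) -> list:
    """Run classify_host over a batch (e.g. distinct hosts from a day of DNS logs)."""
    return [f for f in (classify_host(h) for h in hosts) if f is not None]


# Constructed sample: what a day of distinct DNS queries might contain. Not real indicators.
SAMPLE_HOSTS = [
    "mail.ukr.net",                   # legitimate provider subdomain
    "ukt.net",                        # one-key typo of ukr.net
    "ukr.net.account-verify.com",     # brand domain as subdomain of attacker domain
    "gmai1.com",                      # digit 1 for letter l
    "meta-ua-login.com",              # brand plus login keyword
    "outlook.com",                    # legitimate
    "secure-password-reset.net",      # generic lure, no brand
    "login.microsoftonline.com",      # keyword in subdomain only: not flagged
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS):
        print(f"{finding.host:32} {finding.provider or '-':12} {finding.reason}")
```

The checks are ordered from most to least specific so that each host gets the strongest explanation available, and the generic-keyword rule only looks at the registrable label, which keeps legitimate `login.` subdomains of real services out of the results. In practice you would feed `triage` the distinct hostnames from resolver or proxy logs and review the hits alongside registration age and certificate data, which is the pivot RiskIQ describes.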

