Phishing Attacks Against Those Who Help Ukrainian Refugees

by | March 10, 2022 | Cybersecurity News

Cybercriminals used a compromised military email address to launch phishing attacks targeting EU personnel aiding Ukrainian citizens who had fled the crushing Russian invasion.

The perpetrators are believed to be located in Belarus, but how exactly they gained access to the email address is still unknown.

The Phishing Attacks Coincided With The Russian Invasion

A recent Proofpoint report details a new phishing campaign targeting EU government employees who are involved in the logistics of refugees fleeing the invasion.

“Proofpoint researchers have identified a phishing campaign originating from an email address (ukr[.]net) that appears to belong to a compromised Ukrainian armed service member,” Proofpoint wrote.

On February 24, the day Russia invaded Ukraine, researchers spotted a suspicious email spreading. Its subject was: “IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022.” It contained a macros-enabled Microsoft Excel (.xls) spreadsheet titled “list of persons.xlsx” that, when opened, delivered malware called SunSeed.

The address from which the phishing email originated is a Ukrainian military address. How the hackers got a hold of this email address is still unclear.

The attacks were directed specifically at certain EU personnel who were involved in managing refugee outflux. Though the targets “possessed a range of expertise and professional responsibilities,” the report wrote, “there was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe.”

Proofpoint’s post explains that the main goal of these attacks was “to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO member countries.”

Threat Actors Located In Belarus

Proofpoint researchers found no solid evidence that could irrevocably tie this malicious operation to a particular attacker. However, they highlighted a series of similarities between these attacks and a July 2021 phishing campaign that hit US cybersecurity and defense organizations.

According to the report, the 2021 phishing operation “utilized a highly similar macro-laden XLS attachment to deliver MSI packages that install a Lua malware script.” Lua is the programming language in which SunSeed is coded. “Similarly, the campaign utilized a very recent government report as the basis of the social engineering content,” researchers explained.

The name of the file used in that campaign – “list of participants of the briefing.xls.” – is very similar to the one in this new wave of attacks. In addition, “the Lua script created a nearly identical URI beacon to the SunSeed sample, which was composed of the infected victim’s C Drive partition serial number. Analysis of the cryptography calls in both samples revealed that the same version of WiX had been utilized to create the MSI packages.”

These similarities could be coincidences, but chances are very slim that’s the case. This is the reason why researchers attributed both campaigns to the same threat actor, TA445, a cybercriminal group located in Minsk and connected to the Belarusian military. Belarus is a close ally of Russia. One plus one equals two.

The report concluded with a disclaimer. On balancing “responsible reporting with the quickest possible disclosure of actionable intelligence,” it wrote, “the onset of the hybrid conflict, including within the cyber domain, has accelerated the pace of operations and reduced the amount of time that defenders have to answer deeper questions around attribution and historical correlation to known nation-state operators.”

Ukraine – A Target For Both Missiles And Cyberattacks

In recent weeks, and especially amid the war, researchers have spotted many Ukraine-oriented digital attacks, adapting to the new context and using clever social engineering techniques to leverage it.

“The situation underscores two key points that every enterprise should heed,” Thomas Stoesser, AG. “One, it’s not enough simply to educate employees sporadically about common social engineering tactics. [Companies] need to put a premium on employees treating every email with healthy skepticism. Two, protect all sensitive enterprise data with more than just perimeter security, even if you feel that the impenetrable vault you’ve stored it all in is foolproof.”

Educate your employees on phishing and how to combat it with the help of one of our comprehensive Security Awareness Training plans.

Get your quote today.


by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.