Google: hackers linked to Russia, China, Belarus target Ukraine, Europe

According to Google’s Threat Analysis Group (TAG), a number of cyberattacks have been carried out by entities linked with Russia, Belarus, and China over the past two weeks, ranging from espionage to phishing campaigns.

TAG claims that the Russia-linked FancyBear hacking group (also known as APT28) has carried out multiple massive credential phishing attempts aimed at ukr.net users. The phishing emails were sent from different hacked accounts and contained links to attacker-controlled domains. The attackers used newly-created Blogspot domains as the initial landing pages, which then redirected targets to credential phishing pages.

Increased activity by Ghostwriter (also known as UNC1151), a hacking group previously linked with Belarus, was also observed by TAG. In recent weeks, the group has undertaken credential phishing attacks against Polish and Ukrainian government and military entities. TAG identified campaigns targeting webmail users from numerous providers.

Mustang Panda, alias Temp.Hex, a China-linked hacker group, targeted European entities with malware attachments with file names such as ‘Situation at the EU-Ukraine Borders.zip’. When opened, the zip file contains an executable with the same name that downloads multiple extra files that then load the final payload.
TAG noted that they are still observing DDoS attempts against various Ukrainian sites, including the Ministry of Foreign Affairs and the Ministry of Internal Affairs, as well as services such as Liveuamap, aimed at helping people find information.