Ukraine warns Russia-linked APT28 phishing campaign targeting military

The NCSCC became aware of the campaign on 19 January, when fake HTML pages were discovered on the ukr[.]net mail service.


Ukraine’s National Cyber Security Coordination Center (NCSCC) has issued a warning about a new phishing campaign led by the Russian-backed cybercriminal group APT28. The group specifically targets Ukrainian Defense Forces using phishing tactics to gain access to military email accounts, the NCSCC warned.

The phishing campaign involves creating websites resembling ukr[.]net, with slight URL differences to deceive users into entering their data.

In one instance, hackers crafted an HTML page imitating military operational information related to the Russian invasion, leading users to a fake login page. Another tactic involves sending emails claiming the account was compromised and providing a link to reset the password. Clicking on the link launches a browser-in-the-browser (BitB) attack, embedding a fake page for entering ukr[.]net credentials. In both scenarios, stolen credentials are sent to a command-and-control server, where the group attempts to escalate privileges within the system.
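As an added, defender-side example (not code from the NCSCC advisory or from this article), the script below flags the "slight URL differences" the campaign relies on when run over proxy or mail-gateway logs: the real domain used as a subdomain of another site, homoglyph or hyphen variants of the registrable name, and one-character typos. The homoglyph table, the `user=… url=…` log format, the `.example` hosts and the classification thresholds are all assumptions; the log lines are constructed sample data, not real indicators.

```python
"""Flag lookalike domains of a legitimate mail service in URL logs.

Added example, not from the NCSCC advisory. Heuristics only: a real
deployment would use a public-suffix list and a tuned homoglyph table.
"""
import re
from urllib.parse import urlsplit

# The real service named in the article; everything else is compared to it.
LEGIT_DOMAINS = {"ukr.net"}

# Assumed table of characters commonly swapped for visually similar ones
# (digits for letters, Cyrillic for Latin). Extend as needed.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043a": "k", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-01-19T10:02:11Z user=alice url=https://mail.ukr.net/desktop",
    "2024-01-19T10:05:43Z user=alice url=https://login.ukr.net.account-verify.example/reset",
    "2024-01-19T10:07:02Z user=bob url=https://ukr-net.example/desktop",
    "2024-01-19T10:09:30Z user=bob url=https://u\u043ar.net/login",
    "2024-01-19T10:12:18Z user=carol url=https://ukrr.net/login",
    "2024-01-19T10:15:55Z user=carol url=https://docs.example/page",
]

USER_RE = re.compile(r"user=(\S+)")
URL_RE = re.compile(r"url=(\S+)")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'legit', 'lookalike' or 'other' for one URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "other"
    # Crude registrable domain: last two labels (adequate for .net here).
    registrable = ".".join(labels[-2:])
    if registrable in LEGIT_DOMAINS:
        return "legit"
    sld, tld = labels[-2], labels[-1]
    norm_sld = sld.translate(HOMOGLYPHS).replace("-", "")
    norm_tld = tld.translate(HOMOGLYPHS)
    for legit in LEGIT_DOMAINS:
        legit_sld, legit_tld = legit.rsplit(".", 1)
        # (a) real domain embedded as a subdomain: login.ukr.net.verify.example
        if any(".".join(labels[i:i + 2]) == legit for i in range(len(labels) - 2)):
            return "lookalike"
        # (b) homoglyph / hyphen / TLD-swap variants: u\u043ar.net, ukr-net.example
        if norm_sld == legit_sld or norm_sld == legit_sld + legit_tld:
            return "lookalike"
        # (c) one-character typo of the whole registrable name: ukrr.net
        if levenshtein(f"{norm_sld}.{norm_tld}", legit) <= 1:
            return "lookalike"
    return "other"


def scan(lines):
    """Return (user, url) pairs whose URL classifies as a lookalike."""
    hits = []
    for line in lines:
        user_m, url_m = USER_RE.search(line), URL_RE.search(line)
        if not (user_m and url_m):
            continue
        if classify(url_m.group(1)) == "lookalike":
            hits.append((user_m.group(1), url_m.group(1)))
    return hits


if __name__ == "__main__":
    for user, url in scan(SAMPLE_LOG):
        print(f"LOOKALIKE  {user:6}  {url}")
```

The three checks are deliberately ordered from cheapest and most precise (an exact copy of the real domain sitting inside a longer hostname) to fuzziest (edit distance), and the distance threshold of one is tight because the real name is short; on a longer brand name the threshold and the homoglyph table both need tuning, and hits should feed a review queue rather than an automatic block.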

The actor-controlled server is identified as an Ubiquiti Edge router, which is consistent with APT28’s previous use of pre-compromised Ubiquiti Edge routers in exfiltrating data during phishing campaigns.

Why does it matter?

The NCSCC’s alert, shared on various social media platforms and subsequently disseminated by Ukraine’s IT Army, underscores the persistent cyber threats amid the ongoing conflict in Ukraine.