According to the Google Threat Analysis Group (TAG), a large number of threat actors are currently exploiting the Russian invasion of Ukraine to launch phishing and malware attacks against Eastern European and NATO countries, as well as against Ukraine itself. The report highlights credential phishing attacks organized by COLDRIVER, a Russian-based hacking group, against a NATO Center of Excellence and Eastern European forces. “A Ukrainian defense contractor and many US-based non-governmental organizations (NGOs) together with think tanks were also among the targets of Russian threat actors.”
Curious Gorge, a hacking group linked to China’s PLA SSF (People’s Liberation Army Strategic Support Force), targeted government and military institutions in Ukraine, Russia, Kazakhstan, and Mongolia, according to Google security researchers.
Ghostwriter, a threat actor reportedly backed by Belarus, was seen employing a new phishing technique called Browser in the Browser (BitB), which was publicly exposed in mid-March and has since been used by other government-sponsored APTs.
Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites. The new technique (..) draws a login page that appears to be on the passport[.]i.ua domain, overtop of the page hosted on the compromised site. Once a user provides credentials in the dialog, they are posted to an attacker controlled domain.
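The two traits described above (a login dialog that displays one domain while the page is served from another, and a form that posts credentials to a third host) can be checked in a saved copy of a page. The following is an added example for defenders, not code from Google TAG or from this article; the names `LoginScan` and `bitb_indicators` are hypothetical, and the `.example` hosts and sample markup are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

URL_TEXT = re.compile(r"https?://[^\s<>\"']+")  # absolute URL shown as page text

class LoginScan(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.page_host = page_url, urlparse(page_url).hostname
        self.form_action = None   # resolved action of the enclosing <form>
        self.post_hosts = set()   # hosts that would receive a password field
        self.shown_hosts = set()  # hosts displayed as visible text
        self.in_code = 0          # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self.in_code += 1
        elif tag == "form":
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.post_hosts.add(urlparse(self.form_action or self.page_url).hostname)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.in_code = max(0, self.in_code - 1)
        elif tag == "form":
            self.form_action = None

    def handle_data(self, data):
        if not self.in_code:
            self.shown_hosts.update(urlparse(u).hostname for u in URL_TEXT.findall(data))

def bitb_indicators(page_url, html):
    """Findings for one saved page; an empty list means nothing was flagged."""
    scan = LoginScan(page_url)
    scan.feed(html)
    scan.close()  # flush any text still buffered by the parser
    own = {scan.page_host, None}
    out = [f"password form posts to {h}" for h in sorted(scan.post_hosts - own)]
    if scan.post_hosts:  # a displayed foreign URL only matters beside a login form
        out += [f"page shows URL on {h} but is served from {scan.page_host}"
                for h in sorted(scan.shown_hosts - own)]
    return out

# Constructed sample: markup on one host drawing a login "window" for another.
SAMPLE = """<div class="win"><div class="bar">https://login.portal.example/auth</div>
<form method="post" action="https://collector.example.net/c">
<input name="u"><input type="password" name="p"></form></div>"""
```

This heuristic only sees static markup: a dialog whose address bar is rendered as an image or built by script at load time will not be flagged, so a clean result is not proof that a page is safe.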
A 2019 report from Microsoft concluded that 2FA works, blocking 99.9% of automated attacks. If a service provider supports multi-factor authentication, Microsoft recommends using it, even if it's as simple as SMS-based one-time passwords.