Belarusian ‘Ghostwriter’ Actor Picks Up BitB for Ukraine-Related Attacks
Ghostwriter - a threat actor previously linked with the Belarusian Ministry of Defense - has glommed onto the recently disclosed, nearly invisible "Browser-in-the-Browser" credential-phishing technique in order to continue its ongoing exploitation of the war in Ukraine.
In a Wednesday post, Google's Threat Analysis Group said that they'd already spotted BitB being used by multiple government-backed actors prior to the media turning a laser eye on BitB earlier this month.
D0x - who posted a description of BitB. Ghostwriter actors quickly picked up on BitB, combining it with another of the advanced persistent threat's phishing techniques: namely, hosting credential-phishing landing pages on compromised sites.
Since early March, Ghostwriter's use of BitB is only one of a trio of cyber aggressions that TAG has been tracking with regard to Russia's invasion of Ukraine.
Besides Ghostwriter's BitB campaigns, TAG has spotted a group it's calling Curious Gorge that it attributes to China's PLA SSF conducting campaigns against government and military organizations in Ukraine, Russia, Kazakhstan and Mongolia.
5.188.108[.]119. 91.216.190[.]58. 103.27.186[.]23. 114.249.31[.]171. 45.154.12[.]167.
Finally, TAG has also observed COLDRIVER - a Russia-based threat actor, sometimes referred to as Calisto - that has launched credential-phishing campaigns targeting several United States-based NGOs and think tanks, the military of a Balkans country, and a Ukraine-based defense contractor.