Security News

Ukraine's technical security and intelligence service is warning of a new wave of cyber attacks that are aimed at gaining access to users' Telegram accounts. "The criminals sent messages with malicious links to the Telegram website in order to gain unauthorized access to the records, including the possibility to transfer a one-time code from SMS," the State Service of Special Communication and Information Protection of Ukraine said in an alert.

The seizure is also part of a long-running legal and technical hunt by Microsoft to disrupt the work of Strontium - aka APT28 and FancyBear, among other names - via an expedited court process that enables the company to quickly get judicial approval for such actions, according to Tom Burt, corporate vice president of customer security and trust at Microsoft. Before the latest seizures, Microsoft had used this process 15 times to take over more than 100 domains controlled by Strontium, which is thought to be run by the GRU, Russia's foreign military intelligence agency.

Microsoft has successfully disrupted attacks against Ukrainian targets coordinated by the Russian APT28 hacking group after taking down seven domains used as attack infrastructure. Strontium, linked to Russia's military intelligence service GRU, used these domains to target multiple Ukrainian institutions, including media organizations.

This includes Kremlin-backed operations looking to spy on and influence specific Ukrainian industries, including defense, energy, and telecoms, as well as journalists and activists in Ukraine, Russia and abroad. In one example, Meta says it removed fake-news posts linked to the Belarusian KGB. This account began posting misinformation in Polish and English about Ukrainian troops surrendering without a fight and the nation's leaders fleeing the country on February 24 when Russia began its "Special military operation" against the neighboring state. Ghostwriter has tried to hack into "Dozens" of Ukrainian military personnel's Facebook accounts, according to Meta's new threat report.

In this video for Help Net Security, Charles Brook, Threat Intelligence Researcher at Tessian, talks about how cybercriminals have taken advantage of the crisis in Ukraine to create charity donation scams. While there are legitimate ways to donate money and resources, scammers have started using impersonation techniques and sneaky tactics to dupe individuals into sending fake donations via emails, asking for cryptocurrency, or via fake websites.

How phishing attacks are exploiting Russia's invasion of Ukraine. A new round of phishing attacks analyzed by email security provider Tessian aims to steal cryptocurrency under the guise of requesting charitable donations toward the Ukrainian cause.

The Computer Emergency Response Team of Ukraine has spotted new phishing attempts attributed to the Russian threat group tracked as Armageddon. Armageddon is a Russian state-sponsored threat actor who has been targeting Ukraine since at least 2014 and is considered part of the FSB. According to a detailed technical report published by the Ukrainian secret service in November 2021, Armageddon has launched at least 5,000 cyber-attacks against 1,500 critical entities in the country.

At least three different advanced persistent threat groups from across the world have launched spear-phishing campaigns in mid-March 2022 using the ongoing Russo-Ukrainian war as a lure to distribute malware and steal sensitive information. "Many of these lure documents utilize malicious macros or template injection to gain an initial foothold into the targeted organizations, and then launch malware attacks."

Ghostwriter - a threat actor previously linked with the Belarusian Ministry of Defense - has glommed onto the recently disclosed, nearly invisible "Browser-in-the-Browser" credential-phishing technique in order to continue its ongoing exploitation of the war in Ukraine. In a Wednesday post, Google's Threat Analysis Group said that they'd already spotted BitB being used by multiple government-backed actors prior to the media turning a laser eye on BitB earlier this month.

A Belarusian threat actor known as Ghostwriter has been spotted leveraging the recently disclosed browser-in-the-browser technique as part of their credential phishing campaigns exploiting the ongoing Russo-Ukrainian conflict. The method, which masquerades as a legitimate domain by simulating a browser window within the browser, makes it possible to mount convincing social engineering campaigns.