For the past three days, a group of Ukrainian government officials have been receiving Telegram alerts urging them to check the security of their accounts, claiming that an unauthorized login to their accounts from Russia had been detected.
Highly placed sources state that the State Service of Special Communication and Information Protection (SSSCIP) of Ukraine received an SMS about an unauthorized login from Russia.
The message then urges the recipient to click an embedded link and enter sensitive information. Once that is done, control of the account passes to the criminals, who can later use it for malicious purposes.
Ukrainian intelligence attributed the attacks to a hacking group tracked as “UAC-0094” and states it is 100% certain that the activity originated from the Russian Federation and was carried out by Kremlin-backed hackers.
“It is a clear-cut phishing attack to gain credentials for launching further attacks,” says Bridget Jones, an independent researcher working for a security firm in Ukraine, now taking shelter in Poland.
DDoS attacks, malware attacks, and digital attempts to compromise or disrupt critical infrastructure have been observed for the past 40 days, since the war started, and there seems to be no end to such fraudulent activities, Ms. Jones added.
Another attack campaign, recently uncovered by Ukraine’s Computer Emergency Response Team (CERT-UA), involves malware spread to government agencies via phishing emails. The agency attributed the attacks to Armageddon, a Russia-based threat actor working closely with the FSB.
Historically, Armageddon has also been found compromising Latvian government officials with malware spread through phishing attacks.
Research into Cobalt Strike activity states that the same threat actor was also behind the spread of the GraphSteel, GrimPlant, HeaderTip, LoadEdge and Spectr malware, which was installed after exploiting a Cobalt Strike vulnerability.