Written by AJ Vicens
Mar 2, 2022 | CYBERSCOOP
A hacking group with a history of phishing attacks and disinformation against NATO nations may be using compromised Ukrainian armed service member emails to target European officials tasked with managing logistics around refugees fleeing Ukraine, according to findings published Monday.
Researchers with cybersecurity firm Proofpoint report that on Feb. 24 they detected an email whose subject line referenced the Feb. 24 emergency meeting of NATO, held on the day the Russian government began its military attack on Ukraine. The email carried an attached Microsoft Excel spreadsheet titled “list of persons.xlsx” that the researchers later determined contained malware that, if installed, would seek to gather information and intelligence from target computers.
The social engineering lure used in this campaign was timely, the researchers said, given the NATO meeting and “a news story about a Russian government ‘kill list’ targeting Ukrainians that began circulating in Western media outlets” Feb. 21.
Proofpoint did not definitively attribute the campaign, but “several temporal and anecdotal indicators exist” suggesting activity associated with a group tracked variously as TA445, UNC1151 or Ghostwriter. The group — with a documented history of disinformation efforts aimed at manipulating sentiment about refugees in NATO