Phishing Campaign Targeted Those Aiding Ukraine Refugees

A military email address was used to distribute malicious email macros among EU personnel helping Ukrainians.

Cyberattackers used a compromised Ukrainian military email address to phish EU government employees who’ve been involved in managing the logistics of refugees fleeing Ukraine, according to a new report.

Ukraine has been at the center of an unprecedented wave of cyberattacks in recent weeks and months, from distributed denial-of-service (DDoS) campaigns against organizations and citizens to attacks against national infrastructure and more. This time, attackers went after aides in the EU, leveraging breaking news in the Russian invasion of Ukraine to entice targets into opening emails containing Microsoft Excel files laced with malware.

Researchers attributed the phishing attempt to TA445 (aka UNC1151 or Ghostwriter). TA445 has previously been linked with the government of Belarus.

Attack Coincided with Russia’s Invasion

On Wednesday, Feb. 23, NATO convened an emergency meeting regarding the impending Russian invasion of Ukraine.

The following day – the day Russia invaded Ukraine – researchers detected a suspicious email making the rounds. Its subject: “IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022.” It contained a macros-enabled Microsoft Excel (.xls) spreadsheet

Read More: