Google’s Threat Analysis Group tracked the attempts and warned hundreds that they were being targeted by a government, the company said. It said it did not know if any of the attempts had succeeded, since they were not aimed at Google’s email accounts.
In the past two weeks, the attack group known as Fancy Bear, which is associated with Russia’s GRU military intelligence unit, launched several large phishing campaigns against users of Ukr.net, a Ukrainian media organization, Google said. The emails came from compromised accounts and led targets to fake login pages.
Even more recently, in the days since Russia invaded Ukraine with logistical help from Belarus, a hacking group in Belarus known as Ghostwriter has used phishing to try to get credentials of Ukrainian government officials and members of the Polish military, Google said.
Ukraine has previously pointed to hacking attempts from both countries, but it had said little about the recent phishing attempts.
In a statement, Google said the phishing emails had been sent from “a large number of compromised accounts and include links to attacker controlled domains.”
“In two recent campaigns, the attackers used newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages,” the statement said. On those pages, a user is asked to enter their email and password. “All known attacker-controlled Blogspot domains have been taken down.”
The Ghostwriter attacks all took place in the last week “against Polish and Ukrainian government and military organizations,” Google said.
Google also said it had detected a China-based “threat actor,” Mustang Panda, attempting to plant malware in “targeted European entities with lures related to the Ukrainian invasion.” It did not name the organizations targeted, but said the campaign “represented a shift from Mustang Panda’s regularly observed Southeast Asian targets.”
