Google’s Threat Analysis Group (TAG) continues to closely monitor the cybersecurity environment in Eastern Europe with regard to the war in Ukraine. Many Russian government cyber assets have remained focused on Ukraine and related issues since the invasion began, while Russian APT activity outside of Ukraine largely remains the same. TAG continues to disrupt campaigns from multiple sets of Russian government-backed attackers, some of which are detailed in our previous updates.

Similarly, Russian observed disinformation efforts are also focused on the war in Ukraine and TAG has disrupted coordinated influence operations from several actors including the Internet Research Agency and a Russian consulting firm as detailed in the TAG Bulletin. Most of these coordinated influence operations are Russian language efforts aimed at ensuring domestic support in Russia for the war.

Here is a deeper look at some campaign activity TAG has observed since our last update:

Turla, a group publicly attributed to Russia’s Federal Security Service (FSB), recently hosted Android apps on a domain spoofing the Ukrainian Azov Regiment. This is the first known instance of Turla distributing Android-related malware. The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services. We believe there was no major impact on Android users and that the number of installs was miniscule.

The app is distributed under the guise of performing Denial of Service (DoS) attacks against a set of Russian websites. However, the 'DoS' consists only of a single GET request to the target website, not enough to be effective. The list of target websites for the app can be seen in the CyberChef recipe here.

During our investigation into the Turla CyberAzov apps, we identified another Android app first seen in the wild in March 2022 that also claimed to conduct DoS attacks against Russian websites. In this case, the Android app name was stopwar.apk (com.ddos.stopwar) and was distributed from the website stopwar.pro. This app is quite different from the Turla apps described above and written by a different developer. It also downloads a list of targets from an external site, but unlike the Turla apps, it continually sends requests to the target websites until it is stopped by the user.

Based on our analysis, we believe that the StopWar app was developed by pro-Ukrainian developers and was the inspiration for what Turla actors based their fake CyberAzov DoS app off of.

Indicators:

• https://cyberazov[.]com/apk/CyberAzov.apk
• 745e8c90a8e76f81021ff491cbc275bc134cdd7d23826b8dd23e58297fd0dd33
• 3c62b24594ec3cacc14bdca068a0277e855967210e92c2c17bcf7c7d0d6b782a

The Follina vulnerability (CVE-2022-30190), first disclosed in late May, received significant usage from both APT and cybercrime groups throughout June after it was patched by Microsoft. Follina is a remote code execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

Consistent with CERT-UA reporting, TAG observed multiple Russian GRU actors - APT28 and Sandworm - conduct campaigns exploiting the Follina vulnerability. The Sandworm campaign used compromised government accounts to send links to Microsoft Office documents hosted on compromised domains, primarily targeting media organizations in Ukraine.

TAG has also observed an increasing number of financially motivated actors targeting Ukraine. One recent campaign from a group tracked by CERT-UA as UAC-0098 delivered malicious documents with the Follina exploit in password-protected archives, impersonating the State Tax Service of Ukraine. We assess this actor is a former initial ransomware access broker who previously worked with the Conti ransomware group distributing the IcedID banking trojan based on overlaps in infrastructure, tools used in previous campaigns, and a unique cryptor.

Ghostwriter/UNC1151, a threat actor attributed to Belarus, has remained active targeting accounts of webmail and social media networks of Polish users. They continue to use the 'Browser in the Browser' phishing technique that TAG first observed and described in March. An example of this technique, used to target Facebook users, can be seen in the screenshot below.

COLDRIVER, a Russian-based threat actor sometimes referred to as Callisto, continues to send credential phishing emails to targets including government and defense officials, politicians, NGOs and think tanks, and journalists. In addition to including phishing links directly in the email, the attackers also link to PDFs and/or DOCs, hosted on Google Drive and Microsoft One Drive, that contain a link to an attacker-controlled phishing domain. In at least one case, unrelated to Ukraine, they have leaked information from a compromised account.

These phishing domains have been blocked through Google Safe Browsing – a service that identifies unsafe websites across the web and notifies users and website owners of potential harm.

Recently observed COLDRIVER indicators:

• 7b95747eeea196c1485d089fa47a06bacb07d06399603d3a4fa153c21ce0a9ba
• cache-pdf[.]com

In another campaign tracked by CERT-UA as UAC-0056 we observed compromised email addresses of a Regional Prosecutor’s office of Ukraine leveraged to send malicious Microsoft Excel documents with VBA macros delivering Cobalt Strike. In just two days, the volume observed and categorized as spam by Gmail exceeded 4,500 emails. Email contents vary from COVID-19 vaccine policy to the humanitarian crisis in Ukraine.

Google’s Threat Analysis Group (TAG) has been closely monitoring the cybersecurity activity in Eastern Europe with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. Similar to other reports, we have also observed threat actors increasingly target critical infrastructure entities including oil and gas, telecommunications and manufacturing.

Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links. Financially motivated and criminal actors are also using current events as a means for targeting users.

As always, we continue to publish details surrounding the actions we take against coordinated influence operations in our quarterly TAG bulletin. We promptly identify and remove any such content but have not observed any significant shifts from the normal levels of activity that occur in the region.

Here is a deeper look at the campaign activity TAG has observed and the actions the team has taken to protect our users over the past few weeks:

APT28 or Fancy Bear, a threat actor attributed to Russia GRU, was observed targeting users in Ukraine with a new variant of malware. The malware, distributed via email attachments inside of password protected zip files (ua_report.zip), is a .Net executable that when executed steals cookies and saved passwords from Chrome, Edge and Firefox browsers. The data is then exfiltrated via email to a compromised email account.

Malware samples:

• 710faabf217a5cd3431670558603a45edb1e01970f2a8710514c2cc3dd8c2424
• 39d242660c6d5dbe97d5725bbfed0f583344d18840ccd902fffdd71af12e20ec

TAG would like to thank the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this investigation.

Turla, a group TAG attributes to Russia FSB, continues to run campaigns against the Baltics, targeting defense and cybersecurity organizations in the region. Similar to recently observed activity, these campaigns were sent via email and contained a unique link per target that led to a DOCX file hosted on attacker controlled infrastructure. When opened, the DOCX file would attempt to download a unique PNG file from the same attacker controlled domain.

Recently observed Turla domains:

• wkoinfo.webredirect[.]org
• jadlactnato.webredirect[.]org
  

COLDRIVER, a Russian-based threat actor sometimes referred to as Callisto, continues to use Gmail accounts to send credential phishing emails to a variety of Google and non-Google accounts. The targets include government and defense officials, politicians, NGOs and think tanks, and journalists. The group's tactics, techniques and procedures (TTPs) for these campaigns have shifted slightly from including phishing links directly in the email, to also linking to PDFs and/or DOCs hosted on Google Drive and Microsoft One Drive. Within these files is a link to an attacker controlled phishing domain.

These phishing domains have been blocked through Google Safe Browsing – a service that identifies unsafe websites across the web and notifies users and website owners of potential harm.

Recently observed COLDRIVER credential phishing domains:

• cache-dns[.]com
• docs-shared[.]com
• documents-forwarding[.]com
• documents-preview[.]com
• protection-link[.]online
• webresources[.]live

Ghostwriter, a Belarusian threat actor, has remained active during the course of the war and recently resumed targeting of Gmail accounts via credential phishing. This campaign, targeting high risk individuals in Ukraine, contained links leading to compromised websites where the first stage phishing page was hosted. If the user clicked continue, they would be redirected to an attacker controlled site that collected the users credentials. There were no accounts compromised from this campaign and Google will alert all targeted users of these attempts through our monthly government-backed attacker warnings.

Both pages from this campaign are shown below.

In mid-April, TAG detected a Ghostwriter credential phishing campaign targeting Facebook users. The targets, primarily located in Lithuania, were sent links to attacker controlled domains from a domain spoofing the Facebook security team.

Recently observed Ghostwriter credential phishing domains and emails:

• noreply.accountsverify[.]top
• microsoftonline.email-verify[.]top
• lt-microsoftgroup.serure-email[.]online
• facebook.com-validation[.]top
• lt-meta.com-verification[.]top
• lt-facebook.com-verification[.]top
• secure@facebookgroup[.]lt

Curious Gorge, a group TAG attributes to China's PLA SSF, has remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. In Russia, long running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company.

Protecting Our Users

Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further exploitation. We also send all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity. We encourage any potential targets to enable Google Account Level Enhanced Safe Browsing and ensure that all devices are updated.

The team continues to work around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information. We’ll continue to take action, identify bad actors and share relevant information with others across industry and governments, with the goal of bringing awareness to these issues, protecting users and preventing future attacks. While we are actively monitoring activity related to Ukraine and Russia, we continue to be just as vigilant in relation to other threat actors globally, to ensure that they do not take advantage of everyone’s focus on this region.

Google’s Threat Analysis Group (TAG) has been closely monitoring the cybersecurity activity in Eastern Europe with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. Similar to other reports, we have also observed threat actors increasingly target critical infrastructure entities including oil and gas, telecommunications and manufacturing.

Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links. Financially motivated and criminal actors are also using current events as a means for targeting users.

As always, we continue to publish details surrounding the actions we take against coordinated influence operations in our quarterly TAG bulletin. We promptly identify and remove any such content but have not observed any significant shifts from the normal levels of activity that occur in the region.

Here is a deeper look at the campaign activity TAG has observed and the actions the team has taken to protect our users over the past few weeks:

APT28 or Fancy Bear, a threat actor attributed to Russia GRU, was observed targeting users in Ukraine with a new variant of malware. The malware, distributed via email attachments inside of password protected zip files (ua_report.zip), is a .Net executable that when executed steals cookies and saved passwords from Chrome, Edge and Firefox browsers. The data is then exfiltrated via email to a compromised email account.

Malware samples:

• 710faabf217a5cd3431670558603a45edb1e01970f2a8710514c2cc3dd8c2424
• 39d242660c6d5dbe97d5725bbfed0f583344d18840ccd902fffdd71af12e20ec

TAG would like to thank the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this investigation.

Turla, a group TAG attributes to Russia FSB, continues to run campaigns against the Baltics, targeting defense and cybersecurity organizations in the region. Similar to recently observed activity, these campaigns were sent via email and contained a unique link per target that led to a DOCX file hosted on attacker controlled infrastructure. When opened, the DOCX file would attempt to download a unique PNG file from the same attacker controlled domain.

Recently observed Turla domains:

• wkoinfo.webredirect[.]org
• jadlactnato.webredirect[.]org
  

COLDRIVER, a Russian-based threat actor sometimes referred to as Callisto, continues to use Gmail accounts to send credential phishing emails to a variety of Google and non-Google accounts. The targets include government and defense officials, politicians, NGOs and think tanks, and journalists. The group's tactics, techniques and procedures (TTPs) for these campaigns have shifted slightly from including phishing links directly in the email, to also linking to PDFs and/or DOCs hosted on Google Drive and Microsoft One Drive. Within these files is a link to an attacker controlled phishing domain.

These phishing domains have been blocked through Google Safe Browsing – a service that identifies unsafe websites across the web and notifies users and website owners of potential harm.

Recently observed COLDRIVER credential phishing domains:

• cache-dns[.]com
• docs-shared[.]com
• documents-forwarding[.]com
• documents-preview[.]com
• protection-link[.]online
• webresources[.]live

Ghostwriter, a Belarusian threat actor, has remained active during the course of the war and recently resumed targeting of Gmail accounts via credential phishing. This campaign, targeting high risk individuals in Ukraine, contained links leading to compromised websites where the first stage phishing page was hosted. If the user clicked continue, they would be redirected to an attacker controlled site that collected the users credentials. There were no accounts compromised from this campaign and Google will alert all targeted users of these attempts through our monthly government-backed attacker warnings.

Both pages from this campaign are shown below.

In mid-April, TAG detected a Ghostwriter credential phishing campaign targeting Facebook users. The targets, primarily located in Lithuania, were sent links to attacker controlled domains from a domain spoofing the Facebook security team.

Recently observed Ghostwriter credential phishing domains and emails:

• noreply.accountsverify[.]top
• microsoftonline.email-verify[.]top
• lt-microsoftgroup.serure-email[.]online
• facebook.com-validation[.]top
• lt-meta.com-verification[.]top
• lt-facebook.com-verification[.]top
• secure@facebookgroup[.]lt

Curious Gorge, a group TAG attributes to China's PLA SSF, has remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. In Russia, long running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company.

Protecting Our Users

Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further exploitation. We also send all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity. We encourage any potential targets to enable Google Account Level Enhanced Safe Browsing and ensure that all devices are updated.

The team continues to work around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information. We’ll continue to take action, identify bad actors and share relevant information with others across industry and governments, with the goal of bringing awareness to these issues, protecting users and preventing future attacks. While we are actively monitoring activity related to Ukraine and Russia, we continue to be just as vigilant in relation to other threat actors globally, to ensure that they do not take advantage of everyone’s focus on this region.