Pro-Russian hackers launch email attack to disrupt Ukraine refugee rescue attempts
A ‘likely’ state sponsored phishing campaign appears to be sourced from Belarus, cybersecurity researchers suggest
A “likely” cyber attack from a “nation-state”, using a Ukrainian soldier’s email address, has been used to try to disrupt European officials’ attempts to help refugees fleeing the country following Russia’s invasion.
The “state sponsored phishing campaign”, whereby login credentials and other user data are stolen by hackers, appeared to use the email address to send a malicious macro attachment referencing the Emergency Meeting of the NATO Security Council that took place on 23 February.
The intention seems to be to trick government personnel tasked with managing the transportation of refugees into downloading the Lua malware ‘SunSeed’, according to cybersecurity researchers at Proofpoint.
While the researchers cannot “definitively attribute” this campaign, they believe that it is from the threat actor TA445 (aka Ghostwriter/UNC1151).
This is based on the timeline of the attack, the use of compromised sender addresses that align with Ukrainian government reports, and a victimology that aligns with previous attempts made by TA445 in 2021 with regard to Belarus funnelling refugees to the Polish border.
TA445 appears to operate from Belarus and has a history of disinformation operations to try and raise anti-refugee sentiment in Europe and cause tension between Nato countries.
The researchers only have a limited data set and therefore conclusions about the hackers’ targets may not be entirely accurate, but there was a “clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe”, the researchers say.
“This campaign may represent an attempt to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within Nato member countries.”
Belarus is allied with Russia during the invasion, which has led to cyberattacks against it. The ‘Cyber Partisans’ group said that trains had been stopped in Minsk, Orsha, and Osipovichi yesterday due to them compromising the routing system and switching devices by encrypting the data on them.
The hackers claimed that the attack was to “slow down the transfer” of troops moving from Belarus to northern Ukraine, saying that they had put the trains in “manual control” mode which would “significantly slow down the movement of trains, but will not create emergency situations.”
Hacking group Anonymous has also levied attacks against Russian government pages and state media, in one instance replacing the usual content on sites including TASS and Kommersant with a “tombstone” for the war dead.