A team of specialists from Google’s Threat Analysis Group (TAG) has found evidence that several hacker groups are using the military conflict in Ukraine as a lure to steal credentials through malicious emails and links.
A growing number of cybercrime groups from China, Iran, North Korea and Russia are using this situation as a pretext for various types of attacks. For example, one group posed as military personnel and demanded money, supposedly in exchange for rescuing relatives in Ukraine.
The Curious Gorge group, which experts associate with the Strategic Support Forces of the People’s Liberation Army of China, has been accused of attacks on government and military organizations in Ukraine, Russia, Kazakhstan and Mongolia.
The Russian-based COLDRIVER group is accused of targeting several US-based non-governmental organizations and think tanks, the armed forces of a Balkan country and a Ukrainian defense contractor with phishing campaigns.
As Google notes, the Ghostwriter group, presumably from Belarus, has added the “browser-in-the-browser” (BitB) phishing method to its arsenal. This credential-theft method imitates the browser pop-up windows that Google, Microsoft and other authentication providers use to prompt for a username and password.