The Computer Emergency Response Group of Ukraine (CERT-UA) has warned about a targeted phishing campaign. Hackers attacked private email accounts belonging to servicemen of the Ukrainian armed forces.
After compromising the account, the attackers gain access to all the victim’s messages using the IMAP protocol. Accounts compromised during these attacks were used to send new phishing messages to contacts in the victims’ address books.
Phishing emails are sent from two domains (i[.]ua-passport[.]space and id[.]bigmir[.]space). The first tries to impersonate the free Internet portal i.ua, which has provided e-mail services to Ukrainians since 2008.
In the emails, victims are asked to follow the embedded link to confirm their contact information and avoid permanent blocking of email accounts.
Information security experts linked this malicious campaign to the UNC1151 group. In 2021, specialists from Mandiant linked the group to the government of Belarus. Mandiant also found evidence confirming the connection between UNC1151 operators and the Belarusian military.
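The first sender domain reads as i.ua only because the hostname begins with that text, while the domain actually registered is ua-passport[.]space. The check below is an added example, not part of the CERT-UA advisory: it flags sender hosts that embed a protected domain without being under it. The function names, the protected list and the sample addresses (including their local parts) are assumptions constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as i[.]ua-passport[.]space into a hostname."""
    return indicator.replace("[.]", ".").strip().strip(".").lower()

def sender_host(address: str) -> str:
    """Extract the host part of a From address (or accept a bare hostname)."""
    return refang(address.rsplit("@", 1)[-1].strip("<> "))

def lookalike_of(address: str, protected: List[str]) -> Optional[str]:
    """Return the protected domain that the sender host imitates, or None.

    Legitimate: the host equals a protected domain or is a subdomain of it.
    Flagged: the protected name appears at a label boundary but is followed by
    more text, so it is not the registered domain:
      i.ua-passport.space  (protected name + '-' glued into a longer label)
      i.ua.login.example   (protected name used as leading labels)
    """
    host = sender_host(address)
    if any(host == d or host.endswith("." + d) for d in protected):
        return None
    for domain in protected:
        if re.search(r"(^|\.)" + re.escape(domain) + r"[.\-_]", host):
            return domain
    return None

def triage(addresses: List[str], protected: List[str]) -> List[Tuple[str, str]]:
    """Return (address, imitated domain) for every suspicious sender."""
    hits = []
    for addr in addresses:
        imitated = lookalike_of(addr, protected)
        if imitated:
            hits.append((addr, imitated))
    return hits

# Constructed sample senders; domains are kept defanged as in the article.
SAMPLE_SENDERS = [
    "Support <support@i[.]ua-passport[.]space>",
    "colleague@mail.i.ua",
    "notice@id[.]bigmir[.]space",
]

if __name__ == "__main__":
    for addr, imitated in triage(SAMPLE_SENDERS, ["i.ua"]):
        print(f"suspicious sender {addr!r}: imitates {imitated}")
```

With only i.ua in the protected list, the second domain from the article is not flagged; it has to be matched as a plain indicator.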