Saturday , February 15 2025

Ukraine targeted by 60% of Russian phishing attacks in 2023: Google

Google’s Threat Analysis Group (TAG) has been monitoring and disrupting Russian state-backed cyberattacks targeting Ukraine’s critical infrastructure in 2023.

Google reports that from January to March 2023, Ukraine received roughly 60% of the phishing attacks originating from Russia, making it the most prominent target.

Xploit_Cr3w and Blind_Virus, champion for BCS CTF contest

Xploit_Cr3w and Blind_Virus are the two champion teams categorically for BCS ICT Fest 2025 arranged jointly by BCS and BUET....
Read More
Xploit_Cr3w and Blind_Virus, champion for BCS CTF contest

Salt Typhoon Exploits Vulnerable Cisco Devices of Telcoms Globally

Between December 2024 and January 2025, Recorded Future's Insikt Group discovered a campaign targeting unpatched Cisco devices used by major...
Read More
Salt Typhoon Exploits Vulnerable Cisco Devices of Telcoms Globally

CISA Releases Advisories For 20 Industrial Control Systems (ICS)

On February 13, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued 20 advisories about serious vulnerabilities in Industrial Control...
Read More
CISA Releases Advisories For 20 Industrial Control Systems (ICS)

“Astaroth” Phishing Kit Bypasses 2FA Of Gmail, Yahoo, AOL, M365

The new Astaroth Phishing Kit can bypass two-factor authentication to steal login credentials for Gmail, Yahoo, and Microsoft. It uses...
Read More
“Astaroth” Phishing Kit Bypasses 2FA Of Gmail, Yahoo, AOL, M365

CVE-2023-38831
Malware campaign target Bangladeshi Government Entities: Report

A sophisticated malware campaign is targeting military and government entities in Bangladesh. It uses social engineering to deliver malicious files...
Read More
CVE-2023-38831  Malware campaign target Bangladeshi Government Entities: Report

(CVE-2025-1146
CrowdStrike Fixed High-Severity TLS Vuln in Falcon Sensor

CrowdStrike has issued a security advisory for a serious TLS vulnerability, CVE-2025-1146, in its Falcon Sensor for Linux, Falcon Kubernetes...
Read More
(CVE-2025-1146  CrowdStrike Fixed High-Severity TLS Vuln in Falcon Sensor

CVE-2025-0108 & CVE-2025-0110
Palo Alto Networks Addressed High-Severity PAN-OS Vulns

Palo Alto Networks has issued advisories for two critical vulnerabilities in its PAN-OS. The vulnerabilities, CVE-2025-0108 and CVE-2025-0110, may enable...
Read More
CVE-2025-0108 & CVE-2025-0110  Palo Alto Networks Addressed High-Severity PAN-OS Vulns

Update Now
Ivanti Patches 3 Critical Flaws in Connect Secure and Policy Secure

Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC)...
Read More
Update Now  Ivanti Patches 3 Critical Flaws in Connect Secure and Policy Secure

This Adtech Company is Powering Surveillance of U.S. Military Personnel

Last year, a joint investigation revealed that a Florida-based data broker, Datastream Group, was selling highly sensitive location data that...
Read More
This Adtech Company is Powering Surveillance of U.S. Military Personnel

Intel Patched 374 Vulnerabilities in multiple products

In 2024, Intel addressed a remarkable 374 vulnerabilities across its software, firmware, and hardware products, distributing bug bounty rewards for...
Read More
Intel Patched 374 Vulnerabilities in multiple products

In most cases, the campaign goals include intelligence collection, operational disruptions, and leaking sensitive data through Telegram channels dedicated to causing information damage to Ukraine.

Threat groups active in Ukraine

Google’s TAG lists three Russian and Belarusian threat actors who had notable activity in the first quarter of the year against Ukrainian targets.

The first is Sandworm, tracked by Google as “FrozenBarents,” which has focused its attacks on the energy sector across Europe since November 2022, with a highlighted case involving the Caspian Pipeline Consortium (CPC).

CPC phishing page
CPC phishing page (Google)

Sandworm has lately launched multiple phishing campaigns using spoofed “Ukroboronprom” websites against workers in the Ukrainian defense industry, users of the Ukr.net platform, or even Ukrainian Telegram channels.

Website spoofing a Ukrainian defense firm
Website spoofing a Ukrainian defense firm (Google)

The threat group also creates multiple online personas to disseminate false information on YouTube and Telegram, often leaking parts of the data they steal through phishing or network intrusions.

Telegram phishing page
Telegram phishing page (Google)

Another highly-active Russian threat actor is APT28, tracked by Google as “FrozenLake.”

Between February and March 2023, APT28 sent out multiple large waves of phishing emails targeting Ukrainians. The hackers also used reflected cross-site scripting (XSS) on Ukrainian government websites to redirect visitors to phishing pages.

Phishing page where victims land after an XSS redirection
Phishing page where victims land after an XSS redirection (Google)

This week, a joint announcement by the UK NCSC, FBI, NSA, and CISA warned that APT28 is hacking Cisco Routers to install custom malware.

The third threat actor highlighted in Google’s report is “Pushcha,” which is believed to be based in Belarus, a country that is politically aligned with the Kremlin.

Pushcha has recently launched campaigns that target Ukrainian webmail providers like “i.ua” and “meta.ua,” attempting to steal the users’ credentials by setting up phony sites.

Fake email login site created by Pushcha
Fake email login site created by Pushcha (Google)

State-funded misinformation

Google’s report also highlights cases of misinformation on its platforms, like YouTube and Blogger.

“In the first quarter of 2023, TAG observed a coordinated IO campaign from actors affiliated with the Internet Research Agency (IRA) creating content on Google products such as YouTube, including commenting and upvoting each other’s videos,” reads the Google TAG report.

The IRA (Glavset) is a Russian company linked to Wagner Group’s owner, Y. Prigozhin, engaging in online propaganda and influence operations on behalf of Russian political interests.

Google reports that it has been observing and blocking IRA-linked accounts creating content on YouTube Shorts to promote specific “news-like” narratives about the war in Ukraine to Russian domestic audiences.

All websites linked to the mentioned campaigns have been added to Google’s “Safe Browsing” blocklist, while targeted Gmail and Workspace users received alerts notifying them about malicious communications.

Check Also

CYFIRMA

FinStealer Malware Targets Indian Bank’s Mobile Users, Stealing Credentials

CYFIRMA analysis reveals a sophisticated malware campaign that exploits a major Indian bank’s brand through …

Leave a Reply

Your email address will not be published. Required fields are marked *