Russian APTs Furiously Phish Ukraine – Google

Also on the rise: DDoS attacks against Ukrainian sites and phishing activity capitalizing on the conflict, with China’s Mustang Panda targeting Europe.

While Russia is fighting a physical war on the ground against Ukraine, advanced persistent threat (APT) groups affiliated with or backing Vladimir Putin’s government are ramping up phishing and other attacks against Ukrainian and European targets in cyberspace, Google is warning.

Researchers from Google’s Threat Analysis Group (TAG) have seen an increase in activity ranging “from espionage to phishing campaigns” from threat groups known as FancyBear/APT28 and Ghostwriter/UNC1151, Shane Huntley, director of software engineering at Google TAG, wrote in a blog post published Monday. The former has been attributed to Russia’s GRU intelligence agency, and the latter is an actor that Ukraine previously said is part of the Belarusian Ministry of Defense.

Meanwhile, there have been a recent spate of distributed denial-of-service (DDoS) attacks against Ukrainian government sites, such as the Ministry of Foreign Affairs and the Ministry of Internal Affairs, as well as key services that help Ukrainians find information, such as Liveuamap, according to Google TAG.

Infosec Insiders Newsletter

China’s Mustang Panda also has joined the fray, using the war in Ukraine to target European entities with lures related to the Ukrainian invasion in a recent phishing campaign. China’s government is one of the few around the world backing Putin in the conflict.

“We’re sharing this information to help raise awareness among the security community and high risk users,” Huntley wrote in the post.

Phishing Flurry

Fancy Bear, the APT behind attacks against the 2020 Tokyo Olympics and elections in the European Union, most recently has been targeting users of – owned by the Ukrainian media company URKNet – with “several large credential phishing campaigns,” Huntley wrote.

“The phishing emails are sent from a large number of compromised accounts (non-Gmail/Google), and include links to attacker controlled domains,” according to the post.

In two recent campaigns, TAG saw attackers using newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages. At this time, all known attacker-controlled Blogspot domains have been taken down, Huntley added.

Meanwhile, Ghostwriter has conducted similarly motivated phishing campaigns over the past week against Polish and Ukrainian government and military organizations, according to Google TAG. The group also has been targeting webmail users from the following providers in the region:,,,, and

Google TAG blocked a number of credential phishing domains that researchers observed during the campaigns through Google Safe Browsing, according to the post. Those domains included the following: accounts[.]secure-ua[.]website, i[.]ua-passport[.]top, login[.]creditals-email[.]space, post[.]mil-gov[.]space and verify[.]rambler-profile[.]site.

Capitalizing on Conflict

Not to be outdone, China’s Mustang Panda, aka Temp.Hex, HoneyMyte, TA416 or RedDelta, is using phishing lures related to the conflict in the Ukraine to target European organizations.

“TAG identified malicious attachments with file names such as ‘Situation at the EU borders with’ which contain an executable of the same name that is a basic downloader,” Huntley explained in the post. When executed, the file downloads several additional files that install the final, malicious payload, according to TAG.

While Huntley noted that targeted Europe represents a shift for the threat actor – which typically targets entities in Southeast Asia – Mustang Panda has been active against EU entities before, most notably targeting Rome’s Vatican and Catholic Church-related organizations with a spearphishing campaign in September 2020.

To mitigate the APT’s latest phishing attacks, TAG has alerted relevant authorities of its findings, Huntley noted.

Expanding DDoS Protection

As APTs step up phishing attacks against Ukrainian targets, key government and service-oriented websites in the country also are facing a new barrage of DDoS attacks, as mentioned.

As these attacks are likely to continue, Google has expanded eligibility for Project Shield, the company’s free protection against DDoS attacks, to “Ukrainian government websites, embassies worldwide and other governments in close proximity to the conflict,” Huntley wrote. More than 150 websites in Ukraine, including many news organizations, are currently using the service.

Project Shield allows Google to absorb the bad traffic in a DDoS attack so the targeted organization can continue operating and defend against these attacks, according to the post. The company is recommending that eligible organizations register for Project Shield in the wake of increased DDoS attack activity, Huntley wrote.

Register Today for Log4j Exploit: Lessons Learned and Risk Reduction Best Practices – a LIVE Threatpost event sked for Thurs., March 10 at 2PM ET. Join Sonatype code expert Justin Young as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. Register Now for this one-time FREE event, Sponsored by Sonatype.

Suggested articles