Russian APTs Furiously Phish Ukraine – Google

Also on the rise: DDoS attacks against Ukrainian sites and phishing activity capitalizing on the conflict, with China’s Mustang Panda targeting Europe.

While Russia is fighting a physical war on the ground against Ukraine, advanced persistent threat (APT) groups affiliated with or backing Vladimir Putin’s government are ramping up phishing and other attacks against Ukrainian and European targets in cyberspace, Google is warning.

Researchers from Google’s Threat Analysis Group (TAG) have seen an increase in activity ranging “from espionage to phishing campaigns” from threat groups known as FancyBear/APT28 and Ghostwriter/UNC1151, Shane Huntley, director of software engineering at Google TAG, wrote in a blog post published Monday. The former has been attributed to Russia’s GRU intelligence agency, and the latter is an actor that Ukraine previously said is part of the Belarusian Ministry of Defense.

Meanwhile, there have been a recent spate of distributed denial-of-service (DDoS) attacks against Ukrainian government sites, such as the Ministry of Foreign Affairs and the Ministry of Internal Affairs, as well as key services that help Ukrainians find information, such as Liveuamap, according to Google TAG.

Infosec Insiders Newsletter

China’s Mustang Panda also has joined the fray, using the war in Ukraine to target European entities with lures related to the Ukrainian invasion in a recent phishing campaign. China’s government is one of the few around the world backing Putin in the conflict.

“We’re sharing this information to help raise awareness among the security community and high risk users,” Huntley wrote in the post.

Phishing Flurry

Fancy Bear, the APT behind attacks against the 2020 Tokyo Olympics and elections in the European Union, most recently has been targeting users of – owned by the Ukrainian media company URKNet – with “several large credential phishing campaigns,” Huntley wrote.

“The phishing emails are sent from a large number of compromised accounts (non-Gmail/Google), and include links to attacker controlled domains,” according to the post.

In two recent campaigns, TAG saw attackers using newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages. At this time, all known attacker-controlled Blogspot domains have been taken down, Huntley added.

Meanwhile, Ghostwriter has conducted similarly motivated phishing campaigns over the past week against Polish and Ukrainian government and military organizations, according to Google TAG. The group also has been targeting webmail users from the following providers in the region:,,,, and

Google TAG blocked a number of credential phishing domains that researchers observed during the campaigns through Google Safe Browsing, according to the post. Those domains included the following: accounts[.]secure-ua[.]website, i[.]ua-passport[.]top, login[.]creditals-email[.]space, post[.]mil-gov[.]space and verify[.]rambler-profile[.]site.

Capitalizing on Conflict

Not to be outdone, China’s Mustang Panda, aka Temp.Hex, HoneyMyte, TA416 or RedDelta, is using phishing lures related to the conflict in the Ukraine to target European organizations.

“TAG identified malicious attachments with file names such as ‘Situation at the EU borders with’ which contain an executable of the same name that is a basic downloader,” Huntley explained in the post. When executed, the file downloads several additional files that install the final, malicious payload, according to TAG.

While Huntley noted that targeted Europe represents a shift for the threat actor – which typically targets entities in Southeast Asia – Mustang Panda has been active against EU entities before, most notably targeting Rome’s Vatican and Catholic Church-related organizations with a spearphishing campaign in September 2020.

To mitigate the APT’s latest phishing attacks, TAG has alerted relevant authorities of its findings, Huntley noted.

Expanding DDoS Protection

As APTs step up phishing attacks against Ukrainian targets, key government and service-oriented websites in the country also are facing a new barrage of DDoS attacks, as mentioned.

As these attacks are likely to continue, Google has expanded eligibility for Project Shield, the company’s free protection against DDoS attacks, to “Ukrainian government websites, embassies worldwide and other governments in close proximity to the conflict,” Huntley wrote. More than 150 websites in Ukraine, including many news organizations, are currently using the service.

Project Shield allows Google to absorb the bad traffic in a DDoS attack so the targeted organization can continue operating and defend against these attacks, according to the post. The company is recommending that eligible organizations register for Project Shield in the wake of increased DDoS attack activity, Huntley wrote.

Register Today for Log4j Exploit: Lessons Learned and Risk Reduction Best Practices – a LIVE Threatpost event sked for Thurs., March 10 at 2PM ET. Join Sonatype code expert Justin Young as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. Register Now for this one-time FREE event, Sponsored by Sonatype.

Suggested articles


  • guest on

    Salaam. Ukraine-backers attacked Russian websites, so it's natural to see pro-Russian hacks against Ukraine or the west to be increased. It's so sad to see plenty of news about Ukraine war while more sever situation in Yemen is ignored in western media. Just compare the volume of the news about Ukraine in the recent weeks to the news on 20-year-war of Afghanistan and 7-year-war of Yemen.
    • Lisa Vaas on

      I hear you on that. If you want to forward us cybersecurity news relating to Yemen, please do. There's not much we can do about mass media's choices of which crises matter, but if there's news related to cybersec–new malware, new cyberattack campaigns, new opportunistic phishing–we can, at the very least, cover that. Click on any author's name to get their email address. If it doesn't pop up, try another browser: yesterday I saw a glitch in the email-author function in Chrome that cleared up in Firefox.
  • David Dzidzikashvili on

    What is happening in Ukraine today these events had been happening for the past 20+ years, when Putin came into power by bombing his own people – civilian apartments and committing atrocities against the Chechen people. The response from the US, EU and NATO had been just complete silence and welcoming Putin to the summits and holding red carpet meetings for him. This further emboldened Putin who attacked Georgia in 2008 and conquered Abkhazia and Samachablo. What did the Western powers do? Absolutely nothing! Reset by the Obama Administration and warm handshakes by Merkel, total ignorance of the international laws and Putin’s war crimes against the Georgian people. What happened afterwards? Putin invaded Crimea and Eastern Ukraine. What did the Western powers do? Bare minimum of symbolic sanctions that continued to feed Putin’s war machine. Then Syria, use of chemical weapons, more atrocities… . What did the Western powers do? Absolutely nothing! So we are here as a result of Putin’s false perception that he could chew more than he could bite and the 20+ year ignorance from the EU, US and the NATO. Today there is strong response and sanctions that will take the Russian economy back to the 1990s indicators, however it is too late and too little. Ukraine needs the Patriot missiles, S-400s, S-300s, missiles to shoot down airplanes and incoming rockets at much higher altitudes than Stingers could reach, Ukraine needs much more firepower and the ability to control and close its own skies. Lets help Zelensky establish the No Fly Zone! The Biden administration looked weak, but slowly they are starting to wake up and see the true face of evil – Vladimir Putin who is trying to restore the new Russian empire…

Leave A Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.