Amidst the ongoing war between Russia and Ukraine, the Computer Emergency Response Team of Ukraine (CERT-UA) on Friday warned that Belarusian state-sponsored hackers are targeting the private email accounts of Ukrainian military personnel and related individuals.
In an announcement posted on Facebook, the CERT-UA said that the spearphishing campaigns are targeting private ‘i.ua’ and ‘meta.ua’ email accounts of Ukrainian defense forces. The spearphishing emails are being sent from two domains (i[.]ua-passport[.]space and id[.]bigmir[.]space).
The phishing email targets the victim to click an embedded link to verify their contact information in order to avoid the permanent suspension of their email accounts.
Below is an example of the malicious email:
“Dear user! Your contact information or not you are a spam bot. Please, click the link below and verify your contact information. Otherwise, your account will be irretrievably deleted. Thank you for your understanding.
Regards, I.UA Team”
Once the email account is compromised, the attackers, by the IMAP protocol, get access to all the messages. Later, the attackers use contact details from the victim’s address book to send the phishing emails.
CERT-UA blamed the ongoing phishing campaign on Minsk-based group ‘UNC1151’, identifying its members as officers of the Ministry of Defence of the Republic of Belarus.
In November 2021, U.S. cybersecurity firm Mandiant had formally linked the UNC1151 group to the Belarusian government. It also linked the group behind an operation that it tracked under the codename of Ghostwriter, which involved hacking-and-leaking operations targeting NATO members.
According to Mandiant’s Ben Read, the UNC1151 group has been targeting the Ukrainian military extensively over the past two years, “so this activity matches their historical pattern.”
“These actions by UNC1151, which we believe is linked to the Belarusian military, are concerning because personal data of Ukrainian citizens and military can be exploited in an occupation scenario and UNC1151 has used its intrusions to facilitate the Ghostwriter information operations campaign. Leaking misleading, or fabricated documents taken from Ukrainian entities could be leveraged to promote Russia and Belarus friendly narratives,” Read told in a statement to TechCrunch.
Besides the CERT-UA, the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) issued a separate warning on Friday of another active phishing campaign that are targeting Ukrainian citizens with malicious documents. It has cautioned its citizens against opening such malicious content.
Warning ?? A phishing #attack has started against Ukrainians! Citizens' e-mail addresses receive letters with attached files of uncertain nature. The mass distribution of such messages to messengers may happen. #cyberattacks #Ukraine pic.twitter.com/YPvFH2oNk0
— SSSCIP Ukraine (@dsszzi) February 25, 2022
“The enemy forces aim to gain access to the electronic devices of Ukrainians to gather a large amount of information,” SSSCIP said.