Google’s Threat Analysis Group (TAG) has provided an update in the wake of the Russian invasion of Ukraine, saying it has issued hundreds of warnings to Ukrainian users over the past year that they are being targeted by “government backed hacking”, particularly from Russia.
In the weeks since Russia began its military action, TAG said it has seen FancyBear, a group said to be part of the Russian military intelligence agency GRU, conducting phishing campaigns against a Ukrainian media company called UkrNet.
For Ghostwriter, a group Ukraine has previously said is part of the Belarusian Ministry of Defence, Google TAG has identified activity against Polish and Ukrainian government and military. The group has also been going after UkrNet webmail users as well as Yandex users.
Google said its Safe Browsing service has been able to block Ghostwriter’s phishing domains.
The update also noted that Chinese group Mustang Panda has switched from going after its usual Southeast Asian targets to focusing on Europeans. The group was sending out a malicious attachment that contained a downloader that would grab a payload.
Google also said it continued to see DDoS attacks against Ukrainian sites, including the Ministry of Foreign Affairs and Ministry of Internal Affairs.
“We expanded eligibility for Project Shield, our free protection against DDoS attacks, so that Ukrainian government websites, embassies worldwide and other governments in close proximity to the conflict can stay online, protect themselves and continue to offer their crucial services and ensure access to the information people need,” TAG wrote.
“As of today, over 150 websites in Ukraine, including many news organizations, are using the service.”