Google uncovers Russian phishing campaign targeting Ukrainian news provider
Russian hackers have conducted several phishing campaigns targeting users of one of Ukraine’s most popular online news providers.
That’s according to Google’s Threat Analysis Group (TAG), which has attributed the attacks to the Russia-backed APT28 gang, also known as FancyBear and Strontium.
The phishing e-mails had been sent from a large number of compromised non-Google accounts, and included links to newly-created, attacker-controlled Blogspot domains, which redirected targets to credential phishing pages with the following domains:
The Blogspot domains have since been taken down, Google announced on Monday. The credential phishing pages are flagged as “dangerous” on the Google Chrome browser, as part of Google’s Safe Browsing service. Launched in 2007, the service identifies unsafe websites across the Web and notifies users and website owners of potential harm with an attention-grabbing, red warning message.
FancyBear’s phishing campaign against Ukr.net is just one of many attempts by Russian and Belarusian threat actors to target Ukrainian organisations.
The TAG team has also been tracking the notorious Belarusian hacking group known as Ghostwriter, which it has observed launching phishing attacks against the Ukrainian and Polish governments.
The tech giant has also recorded repeated DDoS attempts against Ukraine’s Ministry of Foreign Affairs and Ministry of Internal Affairs, as well as services like Liveuamap that are designed to help people find information. This has prompted Google to expand the eligibility for its free DDoS protection tool known as Project Shield, which sees Google absorb the influx of “bad traffic” and keep the targeted website online.
Eligibility is determined on a rolling basis, with Google accepting Google Account holders that manage or own a website in the news, human rights and political sectors.
© Dennis Publishing