Ukraine's Computer Emergency Response Team (CERT-UA) has warned of Belarusian state-sponsored hackers targeting its military personnel and related individuals as part of a phishing campaign mounted amidst Russia's military invasion of the country.
"Mass phishing emails have recently been observed targeting private 'i.ua' and 'meta.ua' accounts of Ukrainian military personnel and related individuals," the CERT-UA said. "After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages."
Subsequently, the attacks leverage the contact information stored in the victim's address book to propagate the phishing messages to other targets.
The Ukrainian government attributed the activities to a threat actor tracked as UNC1151, a Minsk-based group whose "members are officers of the Ministry of Defence of the Republic of Belarus." In a follow-up update, the agency said the nation-state group also targets its own citizens, while simultaneously setting its sights on Russian entities –
- Association of Belarusians of the World (International Social Union)
- Belarusian Music Festival
- Samara Oblasna Public Organization "Russian-Belarusian Fraternity 2000"
- Dzêâslov, a Belarusian literary magazine
- Soviet Belarus (Sovetskaya Belorussiya), a daily newspaper in Belarus
- Employees of the National Academy of the Republic of Kazakhstan, and
- Voice of the Motherland, a local newspaper in Belarus
UNC1151 is the Mandiant-assigned moniker to an uncategorized threat cluster, which operates with objectives that are aligned with Belarusian government interests. The hacking group is believed to have been active since at least 2016.
"UNC1151 has targeted a wide variety of governmental and private sector entities, with a focus in Ukraine, Lithuania, Latvia, Poland, and Germany," Mandiant researchers said in a November 2021 report. "The targeting also includes Belarusian dissidents, media entities, and journalists."
The state-backed cyber espionage group has also been linked to the Ghostwriter disinformation campaign that promulgated anti-NATO and corruption-themed narratives aimed at Lithuania, Latvia, and Poland with the likely goal of undermining the governments and creating tensions in the region.
What's more, the January defacement attacks of several Ukrainian government websites with threatening messages is believed to be the handiwork of UNC1151 as well.
Hacking Groups Take Sides
The development follows a barrage of data wiper and distributed-denial-of-service (DDoS) attacks against Ukrainian government agencies, even as various hacking groups and ransomware syndicates are capitalizing on the chaos to take sides and further their activities.
"The Anonymous collective is officially in cyber war against the Russian government," the decentralized hacktivist group tweeted, adding it "leaked the database of the Russian Ministry of Defense website."
Another group that has declared its fealty to Ukraine is the vigilante group known as GhostSec (short for Ghost Security), which announced it had flooded Russian military websites with DDoS attacks "in support of the people in Ukraine."
The Conti ransomware cartel, which recently absorbed the now-shuttered TrickBot trojan, rallied its "full support" behind the Russian government, threatening to "strike back at the critical infrastructures of an enemy" should "anybody will decide to organize a cyber attack or any war activities against Russia."
The group, however, later rephrased its statement to state that "we do not ally with any government and we condemn the ongoing war." But the Conti team also maintained that it "will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world."
Other hacking entities to declare allegiance to Russia are the RedBanditsRU cybercrime group and the lesser-known CoomingProject ransomware program, which pledged to "help the Russian government if cyber attacks and conduct against Russia."