The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a warning about an ongoing spear-phishing campaign targeting private email accounts belonging to Ukrainian military personnel. The Ukrainian agency attributes the campaign to the UNC1151 cyber espionage gang, which is linked to Belarus. In mid-January, the Kyiv administration blamed Belarusian APT group UNC1151 for the defacement of tens of Ukrainian government websites.
“We believe preliminarily that the group UNC1151 may be involved in this attack,” Serhiy Demedyuk, deputy secretary of the national security and defence council, told Reuters. “This is a cyber-espionage group affiliated with the special services of the Republic of Belarus. The defacement of the sites was just a cover for more destructive actions that were taking place behind the scenes and the consequences of which we will feel in the near future.”
The following message was shown on defaced websites in Russian, Ukrainian, and Polish. “Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab public, fairy tale and wait for the worst. It is for you for your past, the future, and the future. For Volhynia, OUN UPA, Galicia, Poland, and historical areas.” read a translation of the message.
Mandiant Threat Intelligence researchers attributed the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus in November 2021. FireEye security analysts discovered a misinformation campaign aimed at discrediting NATO in August 2020 by circulating fake news articles on compromised news websites. According to FireEye, the GhostWriter campaign has been running since at least March 2017 and is aligned with Russian security interests.
GhostWriter, unlike other disinformation campaigns, did not propagate via social media; instead, threat actors behind this campaign employed compromised content management systems (CMS) of news websites or forged email accounts to disseminate bogus news. The attackers were disseminating false content, such as forged news articles, quotations, correspondence, and other documents purporting to be from military authorities and political people in some targeted countries. According to researchers, the campaign particularly targeted people in specific alliance member states such as Lithuania, Latvia, and Poland.
The phishing messages employed a typical social engineering method to deceive victims into submitting their information in order to prevent having their email accounts permanently suspended. According to Ukraine's State Service of Special Communications and Information Protection (SSSCIP), phishing assaults are also targeting Ukrainian citizens.