Russia pursues its phishing campaign in Ukraine

On April 19, 2023, Google’s Threat Analysis Group (TAG) presented a new analysis of phishing attacks led by Russia against Ukraine. In mid-February, 2023, researchers had already noted a 250% increase in targeting of Ukrainian users between 2020 and 2022. This new report shows that 60% of phishing emails from Russia in the first quarter of 2023 targeted Ukraine.

The TAG points out high levels of activity from two groups with ties to Russian intelligence, Sandworm and Fancy Bear. The former targets popular Ukrainian Telegram channel users, sending them fraudulent text messages with the goal of retrieving user IDs.

The latter’s MO is exploiting security breaches in popular Ukrainian websites, in order to redirect their users towards phishing pages. In particular, Fancy Bear assumed the identity of ukr.net, a major Ukrainian messaging service

“Citizens must all be on their guard. Russia is carrying out a massive campaign to retrieve as much information as possible,” Yevheniia Volivnyk, head of the Ukrainian State CERT (CERT-UA), told Numerama.

She also mentioned the type of targets hit by these attacks is changing. “The defense sector is obviously always a target, but we’ve been seeing campaigns directed at the energy industry, telecoms, and today the insurance and healthcare sectors are the most targeted by phishing,” she explained.

“The methods used by attackers are standard, but directed against healthcare workers in particular. The goal may be to retrieve information on soldiers being treated,” added the CERT-UA Director.