
Pro-Russian hackers launch email attack to disrupt Ukraine refugee rescue attempts

A ‘likely’ state sponsored phishing campaign appears to be sourced from Belarus, cybersecurity researchers suggest

Adam Smith
Wednesday 02 March 2022 11:48 GMT

A “likely” cyber attack from a “nation-state”, using a Ukrainian soldier’s email address, has been used to try to disrupt European officials’ attempts to help refugees fleeing the country after Russia’s invasion.

The “state sponsored phishing campaign”, a type of attack in which login credentials and other user data are stolen by hackers, appeared to use the email address to send a malicious macro attachment referencing the Emergency Meeting of the NATO Security Council that took place on 23 February.

The intention seems to be to trick government personnel tasked with managing the transportation of refugees into downloading the Lua malware ‘SunSeed’, according to cybersecurity researchers at Proofpoint.

While the researchers cannot “definitively attribute” this campaign, they believe that it is from the threat actor TA445 (aka Ghostwriter/UNC1151).

This is based on the timeline of the attack, the use of compromised sender addresses that align with Ukrainian government reports, and the campaign’s victimology, which matches previous attempts made by TA445 in 2021 in connection with Belarus funnelling refugees to the Polish border.

TA445 appears to operate from Belarus and has a history of disinformation operations aimed at stoking anti-refugee sentiment in Europe and causing tension between Nato countries.

The researchers have only a limited data set, so conclusions about the hackers’ targets may not be entirely accurate, but there was a “clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe”, the researchers say.

“This campaign may represent an attempt to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within Nato member countries.”

Belarus is allied with Russia in the invasion, which has led to cyberattacks against it. The ‘Cyber Partisans’ group said that trains had been stopped in Minsk, Orsha, and Osipovichi yesterday after the group compromised the routing system and switching devices by encrypting the data on them.

The hackers claimed that the attack was to “slow down the transfer” of troops moving from Belarus to northern Ukraine, saying that they had put the trains in “manual control” mode which would “significantly slow down the movement of trains, but will not create emergency situations.”

Hacking group Anonymous has also levied attacks against Russian government pages and state media, in one instance replacing the usual content on sites including TASS and Kommersant with a “tombstone” for the war dead.
