
Ukraine targeted by 60% of Russian phishing attacks in 2023
Google’s Threat Analysis Group (TAG) has been monitoring and disrupting Russian state-backed cyberattacks targeting Ukraine’s critical infrastructure in 2023.
Google reports that from January to March 2023, Ukraine received roughly 60% of the phishing attacks originating from Russia, making it the most prominent target.
In most cases, the campaign goals include intelligence collection, operational disruptions, and leaking sensitive data through Telegram channels dedicated to causing information damage to Ukraine.
Threat groups active in Ukraine
Google’s TAG lists three Russian and Belarusian threat actors who had notable activity in the first quarter of the year against Ukrainian targets.
The first is Sandworm, tracked by Google as “FrozenBarents,” which has focused its attacks on the energy sector across Europe since November 2022, with a highlighted case involving the Caspian Pipeline Consortium (CPC).

Sandworm has recently launched multiple phishing campaigns using spoofed “Ukroboronprom” websites against workers in the Ukrainian defense industry, users of the Ukr.net platform, and even Ukrainian Telegram channels.

The threat group also creates multiple online personas to disseminate false information on YouTube and Telegram, often leaking parts of the data they steal through phishing or network intrusions.

Another highly active Russian threat actor is APT28, tracked by Google as “FrozenLake.”
Between February and March 2023, APT28 sent out multiple large waves of phishing emails targeting Ukrainians. The hackers also used reflected cross-site scripting (XSS) on Ukrainian government websites to redirect visitors to phishing pages.

This week, a joint announcement by the UK NCSC, FBI, NSA, and CISA warned that APT28 is hacking Cisco Routers to install custom malware.
The third threat actor highlighted in Google’s report is “Pushcha,” which is believed to be based in Belarus, a country that is politically aligned with the Kremlin.
Pushcha has recently launched campaigns that target Ukrainian webmail providers like “i.ua” and “meta.ua,” attempting to steal the users’ credentials by setting up phony sites.

State-funded misinformation
Google’s report also highlights cases of misinformation on its platforms, like YouTube and Blogger.
“In the first quarter of 2023, TAG observed a coordinated IO campaign from actors affiliated with the Internet Research Agency (IRA) creating content on Google products such as YouTube, including commenting and upvoting each other’s videos,” reads the Google TAG report.
The IRA (Glavset) is a Russian company linked to Wagner Group’s owner, Y. Prigozhin, engaging in online propaganda and influence operations on behalf of Russian political interests.
Google reports that it has been observing and blocking IRA-linked accounts creating content on YouTube Shorts to promote specific “news-like” narratives about the war in Ukraine to Russian domestic audiences.
All websites linked to the mentioned campaigns have been added to Google’s “Safe Browsing” blocklist, while targeted Gmail and Workspace users received alerts notifying them about malicious communications.