Google’s TAG Disrupts Russian Cyber Campaigns Targeting Ukraine

Google’s Threat Analysis Group (TAG) has been actively disrupting cyber campaigns orchestrated by multiple Russian government-backed groups targeting the war in Ukraine. The first quarter of 2023 saw these phishing campaigns primarily target Ukrainian users, accounting for over 60% of the observed Russian cyber activity.

FROZENBARENTS, a group linked to Russia’s GRU Unit 74455, has conducted campaigns encompassing intelligence collection, information operations (IO), and leaking hacked data through Telegram. They have targeted various sectors, including government, defense, energy, transportation, and logistics. Notably, the Caspian Pipeline Consortium (CPC) and other energy organizations in Europe have been heavily targeted.

Phishing site spoofing Ukroboronprom, a Ukrainian defense company | Image: Google’s Threat Analysis Group

In addition to energy sector targeting, FROZENBARENTS has targeted the Ukrainian defense industry, military, and Ukr.net webmail users with credential phishing campaigns. They have also engaged in IO and hack-and-leak campaigns, creating online personas to generate and disseminate pro-Russia news content.

Another Russian GRU actor, FROZENLAKE, has focused its attention on Ukraine. In February and March, they sent multiple phishing emails to hundreds of users in Ukraine. They also used reflected cross-site scripting (XSS) on multiple Ukrainian government websites to redirect users to phishing pages, a new technique for the group.

Belarusian threat actor PUSHCHA has consistently targeted users in Ukraine and neighboring countries throughout the war. Their campaigns typically target regional webmail providers such as i.ua and meta.ua, focusing on small numbers of users in Ukraine.

Moscow continues to leverage information operations (IO) to shape public perception of the war in Ukraine. In the first quarter of 2023, TAG observed a coordinated IO campaign from actors affiliated with the Internet Research Agency (IRA) creating content on Google products like YouTube, including commenting and upvoting each other’s videos. The group has focused on narratives supportive of Russia and the business interests of Russian oligarch Yevgeny Prigozhin, especially the Wagner Group.

Financially motivated actors, such as the group behind Cuba ransomware, have also targeted government and military officials in Ukraine. These campaigns represent a significant shift from their traditional ransomware operations, mimicking intelligence collection activities.

Google’s TAG remains committed to counteracting these cyber threats and maintaining the integrity of its platforms. As the cyber landscape evolves, TAG continues to monitor and report on emerging trends and threat actors targeting the ongoing conflict in Ukraine.