The original phishing email, in Russian (a language widely spoken in Belarus). Source: Resident.NGO.
At a glance
- Actor: UNC1151 (Ghostwriter / Frosty Neighbor)
- Activity type: Spear-phishing and credential theft
- Targets: Belarusian politicians and Ukrainian web portals
- Scale: Broad multi-national operation
- Status: Active
- Source: Censys, Resident.NGO, CERT Polska, ESET
TL;DR
A suspected UNC1151 phishing campaign targets political figures across Eastern Europe. Attackers use fake Google security alerts and clone Ukrainian portals to steal user credentials.
What Happened
Resident.NGO recently reported a spear-phishing attack against Belarusian politician Yury Hubarevich. He received a fake Gmail alert warning him about suspicious account activity. The email directed him to a compromised Ukrainian website. This site redirected him to a fake Google login page.
The attackers designed the fake login portal carefully. When a victim types their password, a background script captures it instantly. A websocket relays this data in real time to the attackers. Because the relay is live, the attackers can use the password at once and capture the SMS code or authentication prompt the victim then supplies, which lets them bypass multi-factor authentication.
Researchers analyzed this UNC1151 phishing email campaign and found hidden infrastructure. Censys discovered the real IP addresses hiding behind legitimate content delivery networks. A misconfigured digital certificate exposed the true Polish IP address used by the attackers.
Who Is Behind It
Analysts suspect the Ghostwriter threat actor directs this malicious activity. Security researchers track this group under the name UNC1151. This group allegedly aligns with Belarusian and Russian government interests.
The group first rose to prominence in 2020 when it hacked into legitimate media sites to publish fake stories. Since then, the actors have maintained a high operational tempo. Multiple security vendors track this group’s activities. ESET refers to the group as Frosty Neighbor. CERT Polska also monitors their ongoing operations in Eastern Europe. Researchers attribute the attacks based on shared IP infrastructure and specific digital certificates.
Impact and Scale
This UNC1151 phishing campaign reaches far beyond a single Belarusian politician. Security researchers found fake login pages for several popular Ukrainian web portals. These targets include I.UA, META.UA, and bigmir)net.
The threat actor actively phishes for credentials across national borders. They use services like Bunny CDN and Cloudflare to hide their actual servers. The certificate misconfiguration noted above was the slip that allowed researchers to map a much wider network. The scale indicates a broad credential theft operation targeting thousands of accounts.
What Comes Next and How to Stay Protected
The Ghostwriter threat actor will likely continue targeting Eastern European activists. Their primary focus remains on political espionage and mass credential theft. Users must verify email senders before acting on security alerts.
Always check the actual URL before entering a password. Avoid clicking unexpected links inside urgent email warnings. Organizations should implement hardware security keys for all users. Physical tokens stop real-time phishing relays far better than standard SMS codes, because the key only answers for the genuine site's domain and the relayed response is rejected. Vigilance remains the best defense against these persistent state-aligned threats.
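The live relay described earlier defeats SMS codes because a code is just a value the victim can be tricked into handing over, whereas a FIDO2/WebAuthn security key fails that relay at the server. The following is an added example, not code from the original report or from any of the cited researchers; it models the relying party's checks with a constructed hypothetical domain (accounts.example.com) and omits signature verification for brevity.

```python
import base64
import hashlib
import json
import os

# Constructed relying-party settings (hypothetical domain, not from the report).
RP_ID = "accounts.example.com"
RP_ORIGIN = "https://accounts.example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_assertion(page_origin: str, challenge: bytes) -> dict:
    """Model of what the victim's browser returns for a WebAuthn get() call.
    The browser, not the page script, writes the origin into clientDataJSON and
    only accepts an rpId matching the page's own domain, so a look-alike page
    cannot make the key answer for accounts.example.com."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    flags = b"\x05"  # user present + user verified
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + (1).to_bytes(4, "big")
    return {"clientDataJSON": json.dumps(client_data).encode(), "authenticatorData": auth_data}

def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks from the WebAuthn spec. Signature verification over
    authenticatorData || sha256(clientDataJSON) is omitted here but is mandatory."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or stale session)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"

def relay_attack_outcome() -> tuple:
    """The live relay from the article: the attacker obtains a fresh challenge
    from the real site, shows it to the victim on the look-alike page, and
    forwards the victim's answer unchanged. An SMS code would pass; this fails."""
    challenge = os.urandom(32)  # issued by the real site to the attacker's session
    victim_answer = browser_assertion("https://accounts-example.phish.test", challenge)
    return verify_assertion(victim_answer, challenge)

def legitimate_outcome() -> tuple:
    challenge = os.urandom(32)
    return verify_assertion(browser_assertion(RP_ORIGIN, challenge), challenge)
```

Run `relay_attack_outcome()` and `legitimate_outcome()` to see the relayed assertion rejected on origin while the genuine one verifies.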