Google’s Threat Analysis Group (TAG) has identified large-volume phishing campaigns targeting Ukrainian users and aimed at gathering intelligence and spreading disinformation. In Q1 2023, threat actors linked to Russia’s military intelligence service focused their phishing campaigns on Ukraine, with the country accounting for over 60% of observed Russian targeting.
The group identified is called FROZENBARENTS, also known as Sandworm, and it has been active since 2000. It is attributed to Russian Armed Forces’ Main Directorate of the General Staff (GRU) Unit 74455 and operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).
FROZENBARENTS has sophisticated offensive capabilities, including credential phishing, mobile activity, malware, external exploitation of services, and beyond. The group targeted multiple sectors, including government, defense, energy, transportation/logistics, education, and humanitarian organizations.
It has conducted sustained cyber activity against organizations associated with the Caspian Pipeline Consortium (CPC), one of the world’s largest oil pipelines that transports oil from Kazakhstan to the Black Sea, and other energy sector organizations in Europe.
The group attempted to steal CPC employees’ credentials with a Smishing campaign aimed at distributing the Rhadamanthys information stealer.
FROZENBARENTS is also active in the IO space, using fake online personas to create and disseminate disinformation as well as leak stolen data. It promotes pro-Russia narratives against Ukraine, NATO, and the West.
Google TAG assessed that one persona, created and controlled by FROZENBARENTS actors, is “CyberArmyofRussia” or “CyberArmyofRussia_Reborn,” which has a presence on Telegram, Instagram, and YouTube.
The CyberArmyofRussia_Reborn Telegram channel was used by Russia-linked actors to leak stolen data and carry out DDoS attacks against selected targets.
The experts also analyzed a Belarusian threat actor, tracked as PUSHCHA, that has consistently targeted users in Ukraine and neighboring countries since the beginning of the conflict. The group used spear-phishing campaigns against small numbers of users in Ukraine.
Google TAG also reported the malware-based attacks conducted by the group behind Cuba ransomware to distribute RomCom RAT in the networks of the Ukrainian government and military.
