In its latest update, Google’s Threat Analysis Group (TAG) reported that government-backed hackers from Russia, China, Iran, North Korea and Belarus have increasingly targeted critical infrastructure entities, including oil and gas, telecommunications and manufacturing. TAG has been closely monitoring cyber activity in Eastern Europe in relation to the war in Ukraine and has observed a steadily growing number of threat actors using the war as a lure in phishing and malware campaigns.
The Google researchers noted in an updated blog post that in just the “past few weeks” they’ve seen at least three distinct Russian hacking groups targeting Ukraine and beyond, a Belarusian group going after “high risk individuals in Ukraine” and a Chinese hacking group running hacking campaigns against organisations in Ukraine, Russia and central Asia.
The hacking campaigns are just the latest examples of both government and non-government hacking efforts either seeking intelligence related to Russia’s invasion of Ukraine or using the invasion as a lure in phishing campaigns. Google researcher Billy Leonard also took a deeper look at the cyber activity observed and the actions the team has taken to protect users over the past few weeks. The threat actors named include APT28 (Fancy Bear), Turla, COLDRIVER, Ghostwriter and Curious Gorge.
The Russian military intelligence-affiliated Fancy Bear — also known as APT28 — has been targeting Ukrainians with a new variant of malware, distributed via email attachments inside of password-protected zip files, designed to steal cookies and saved passwords from Chrome, Edge and Firefox browsers.
Turla, a separate and well-established Russian government group that Google ties to Russia’s Federal Security Service, has been targeting defence and cyber security organisations in the Baltics, the researchers said. Each target received a unique link that led to a malicious .docx file that would attempt to download a unique image file, but it’s not clear what the aim was.
And a third Russian hacking group Google refers to as Cold River — known elsewhere as Callisto — continues to use Gmail accounts to send credential phishing emails to Google and non-Google accounts, the researchers wrote Tuesday. Targets include government and defence officials, politicians, non-governmental organisations and journalists.
On March 30 Google researchers pointed to Cold River activity that, for the first time, was observed targeting the militaries of multiple Eastern European countries and a NATO Centre of Excellence. Tuesday’s update notes that the campaign’s tactics, techniques and procedures have shifted slightly, from phishing links placed directly in the emails to also linking to PDFs or documents hosted on Google Drive and Microsoft OneDrive.
Ghostwriter, a Belarusian government hacking effort, continues to target “high risk individuals” in Ukraine in a credential-theft campaign using compromised websites, the researchers said, although no accounts were compromised in the latest effort.
And Curious Gorge, a Chinese government hacking group that Google ties to the People’s Liberation Army Strategic Support Force, continues targeting government, military, logistics and manufacturing organisations in Ukraine, Russia and Central Asia. The group’s “long running campaigns” against Russian targets continue, including against the Russian Ministry of Foreign Affairs. In just the last week, Google researchers identified unspecified “additional compromises” affecting multiple Russian defence contractors, manufacturers and an unnamed Russian logistics company.