"Ghostwriter Group Targets NATO Refugee Effort"

Security researchers at Proofpoint have detected a new phishing campaign linked to a notorious disinformation threat group, targeting European governments as they try to manage an influx of Ukrainian refugees.  The new phishing campaign was first spotted on February 24, and the original phishing email was sent using a compromised account belonging to a member of the Ukrainian military.  The email itself piggybacked on news of a recent UN Security Council meeting and contained a malicious XLS macro later determined to deliver the SunSeed malware.  The file itself was spoofed to appear as if it contained a recently discovered 'kill list' of Ukrainian figures drawn up by Moscow.  The timing of the phishing campaign also appeared to coincide with Ukrainian CERT warnings of widespread phishing campaigns targeting military personnel and relatives launched by Belarusian group Ghostwriter (UNC1151/TA445).  The email messages that the researchers observed were limited to European governmental entities.  The targeted individuals possessed a range of expertise and professional responsibilities.  However, there was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe.  The researchers stated that this campaign might represent an attempt to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO member countries.  Although the researchers said they didn't have definitive technical evidence linking the campaign to Ghostwriter, they had spotted "several temporal and anecdotal indicators."  The researchers noted that the group could be trying to gather evidence to help craft more narratives about migrants and refugees intended to sow discord across Europe, a tactic it has used before.  TA445 has a history of engaging in a significant volume of disinformation operations designed to manipulate European sentiment around the movement of refugees within NATO countries.  The researchers noted that these controlled narratives might intend to marshal anti-refugee sentiment within European countries and exacerbate tensions between NATO members, decreasing Western support for the Ukrainian entities involved in armed conflict.  

 

Infosecurity reports: "Ghostwriter Group Targets NATO Refugee Effort"

Submitted by Anonymous on