Ghostwriter Group Targets NATO Members Managing Refugees
Security researchers have detected a new phishing campaign linked to a notorious disinformation threat group, which is targeting European governments as they try to manage an influx of Ukrainian refugees.
First spotted on February 24, the original phishing email was sent using a compromised account belonging to a member of the Ukrainian military, according to Proofpoint.
The email itself piggybacked on news of a recent UN Security Council meeting, and contained a malicious XLS macro later determined to deliver the SunSeed malware. The file itself was spoofed to appear as if it contained a recently discovered ‘kill list’ of Ukrainian figures drawn up by Moscow.
The timing also appeared to coincide with Ukrainian CERT warnings of widespread phishing campaigns targeting military personnel and relatives, launched by the Belarusian group Ghostwriter (UNC1151/TA445).
“The Proofpoint-observed email messages were limited to European governmental entities. The targeted individuals possessed a range of expertise and professional responsibilities. However, there was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe,” Proofpoint explained.
“This campaign may represent an attempt to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO member countries.”
Although Proofpoint said it didn’t have definitive technical evidence linking the campaign to Ghostwriter, it had spotted “several temporal and anecdotal indicators”.
It could be that the group is gathering evidence to help craft more narratives about migrants and refugees intended to sow discord across Europe, a tactic it has used before.
“TA445, which appears to operate out of Belarus, specifically has a history of engaging in a significant volume of disinformation operations intended to manipulate European sentiment around the movement of refugees within NATO countries,” Proofpoint concluded.
“These controlled narratives may intend to marshal anti-refugee sentiment within European countries and exacerbate tensions between NATO members, decreasing Western support for the Ukrainian entities involved in armed conflict. This approach is a known factor within the hybrid warfare model employed by the Russian military and by extension that of Belarus.”