Ghostwriter Group Targets NATO Members Managing Refugees
Security researchers have detected a new phishing campaign linked to a notorious disinformation threat group, which is targeting European governments as they try to manage an influx of Ukrainian refugees.
First spotted on February 24, the original phishing email was sent using a compromised account belonging to a member of the Ukrainian military, according to Proofpoint.
The email itself piggybacked on news of a recent UN Security Council meeting, and contained a malicious XLS macro later determined to deliver the SunSeed malware. The file itself was spoofed to appear as if it contained a recently discovered ‘kill list’ of Ukrainian figures drawn up by Moscow.
The timing also appeared to coincide with Ukrainian CERT warnings of widespread phishing campaigns targeting military personnel and relatives and launched by Belarusian group Ghostwriter (UNC1151/TA445).
“The Proofpoint-observed email messages were limited to European governmental entities. The targeted individuals possessed a range of expertise and professional responsibilities. However, there was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe,” Proofpoint explained.
“This campaign may represent an attempt to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO member countries.”
Although Proofpoint said it didn’t have definitive technical evidence linking the campaign to Ghostwriter, it had spotted “several temporal and anecdotal indicators”.
It could be that the group is gathering evidence to help craft more narratives about migrants and refugees intended to sow discord across Europe, a tactic it has used before.
“TA445, which appears to operate out of Belarus, specifically has a history of engaging in a significant volume of disinformation operations intended to manipulate European sentiment around the movement of refugees within NATO countries,” Proofpoint concluded.
“These controlled narratives may intend to marshal anti-refugee sentiment within European countries and exacerbate tensions between NATO members, decreasing Western support for the Ukrainian entities involved in armed conflict. This approach is a known factor within the hybrid warfare model employed by the Russian military and by extension that of Belarus.”