Ukraine Refugee Aid Targeted by Phishing Campaign

European officials are being targeted by what appears to be a state-sponsored phishing campaign aimed at disrupting their efforts to help Ukrainian refugees, cybersecurity company Proofpoint said Wednesday.

According to the company’s researchers, the attackers are using what’s possibly a compromised Ukrainian armed service member’s email account to target officials managing the logistics of refugees fleeing that country. The emails carry a malicious macro attachment that attempts to download dangerous malware, dubbed by the researchers as SunSeed, onto the target’s computer.

The campaign comes as Russian troops advance on Ukraine’s capitol, prompting hundreds of thousands of people to flee and choking Ukraine’s border crossings with several counties, including Poland, Hungary, Slovakia and Romania. According to Proofpoint, the campaign could be an attempt to figure out where those people, as well as the resources needed to help them, could be headed next.

Though the targeted European officials had various expertise and job responsibilities, the attackers seemed to focus on people with responsibilities related to transportation; financial and budget allocation; administration; and population movement within Europe.

“This campaign may represent an attempt to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO member countries,” the researchers wrote in their report.

While the researchers didn’t directly attribute the campaign to a specific country or cybercrime group, they did note that from a technical standpoint it’s similar to previous actions tied to an attacker known as Ghostwriter, or TA445, believed to be operating out of Belarus.

That attacker also has been tied to large disinformation operations bent on manipulating European public opinion related to refugees within NATO countries, Proofpoint said.