Belarusian hackers are actively supporting the Russian government in attacking Ukraine. The group, known variously as “Ghostwriters”, UNC1151 and TA445 (Threat Actor 445), apparently hacked the account of a member of the Ukrainian Armed Forces.
The group is now using that account to amplify the Russian government’s disinformation campaigns and to gather intelligence on the movement of funds, supplies and people within NATO member states. The campaigns primarily target people in European institutions who are responsible for transport, financial and budget allocation, administration and population movements in Europe. Experts at the US cybersecurity company Proofpoint uncovered this and immediately made the information public.
According to experts from Proofpoint and other cybersecurity companies, Ghostwriters is a group that is likely actively supported, possibly even encouraged, by the Belarusian authorities. In the past, TA445 has attracted attention with disinformation campaigns to manipulate sentiment in Europe regarding the refugee movement within NATO countries.
The targeted phishing campaign now underway, which attempts to distribute malware called “SunSeed”, is being sent from a compromised email account of a member of the Ukrainian Armed Forces.
With Russia’s ongoing war of aggression against Ukraine, proxy actors such as TA445 will continue to target European governments to gather intelligence on the refugee flows from Ukraine and on issues of concern to the Russian government.
“This campaign represents an attempt to attack NATO facilities using compromised Ukrainian military accounts. This is currently happening in parallel during the armed conflict between Russia, its accomplices and Ukraine. While the techniques used in this campaign aren’t particularly noticeable individually, they can have a big impact collectively and very quickly during a conflict,” say Proofpoint’s experts. “As the conflict unfolds, we believe similar attacks on government offices in NATO countries are likely. Furthermore, the possibility of using intelligence information about refugee movements in Europe for disinformation purposes is a tried and tested part of the Russian and Belarusian modus operandi of criminal hackers on behalf of their governments. Being aware of this threat and making it public is paramount to raising awareness of those targeted by these digital attacks.”