
Google: Russian credential thieves target NATO, Eastern European military

A Russian cybercrime gang has lately sent credential-phishing emails to the military of Eastern European countries and a NATO Center of Excellence, according to a Google threat report this week. 

The web giant calls the Russia-based group Coldriver, and notes it’s also known as Calisto. The cyber-gang used newly created Gmail accounts in its attempts to phish non-Gmail accounts, so Google can’t verify the success rate of the campaigns, wrote Googler Billy Leonard, a member of the cloud titan’s Threat Analysis Group.

In a report that covers active threat actor groups observed over the past two weeks, Leonard said his fellow security analysts have seen a “continuously growing number” of government-backed gangs from China, Iran, North Korea, and Russia using Ukraine-war themes to get their targets to open malicious emails and links. These messages and URLs are used to spread malware or get people to enter their usernames and passwords into pages designed to look like login pages for legit websites.

One of these crews is Coldriver, which the Google team refers to as “a Russian-based threat actor.” According to Leonard, Google hasn’t seen attackers successfully compromise any Gmail accounts in these phishing campaigns. He also listed the following Coldriver domains:

  • protect-link[.]online
  • drive-share[.]live
  • protection-office[.]live
  • Proton-viewer[.]com

Google’s report also echoes research Fortinet’s FortiGuard Labs published this week that detailed a phishing attack against a Ukrainian fuel company. The email contained a fake attached invoice, doctored to look like it came from another fuel provider, with a .zip that, when unpacked and its contents opened, drops IcedID malware on the PC. 

The Coldriver credential-stealing attempts come as several other security analysts report an increase in cyberattacks globally as the Kremlin’s war on Ukraine continues. 

According to Check Point Research’s latest numbers, both Russia and Ukraine have seen an increase in cyberattacks one month after the war started: 10 percent and 17 percent, respectively. Globally, the security shop has observed a 16 percent increase in cyberattacks since the invasion began. 

Earlier this week, Viasat released new details about a Russian attack that knocked its Ukrainian satellite broadband service offline in February. It blamed a poorly configured VPN appliance that the attacker compromised to access the trusted management section of the KA-SAT satellite network. 

Belarus, China join the phishing trip

The Google threat report also highlights Ghostwriter, a Belarusian cyber gang that is now using a browser-in-the-browser phishing technique in its credential-stealing campaigns. 

Google’s research team has seen “multiple government-backed actors” use this technique in the past, though it’s new to Ghostwriter, Leonard wrote. 

The miscreants are now using this, combined with their usual hosting of credential-phishing landing pages on compromised sites, to steal email addresses and passwords. Google’s recently observed Ghostwriter credential phishing domains include:

  • login-verification[.]top
  • login-verify[.]top
  • ua-login[.]top
  • secure-ua[.]space
  • secure-ua[.]top

Also over the past two weeks, Google security analysts have seen an uptick in Curious Gorge campaigns that target government and military organizations in Ukraine, Russia, Kazakhstan and Mongolia. Google attributes this cybercrime gang to the China People’s Liberation Army Strategy Support Force — the cyber warfare arm of the Chinese military.

Curious Gorge IPs include:

  • 5.188.108[.]119
  • 91.216.190[.]58
  • 103.27.186[.]23
  • 114.249.31[.]171
  • 45.154.12[.]167
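As an added, defender-side example (not code from Google's report or from The Register), the checker below refangs the Coldriver, Ghostwriter and Curious Gorge indicators listed above and matches them, subdomains included, against proxy log lines; the log format and the sample lines are constructed for the demo.

```python
import ipaddress
import re
# Defanged indicators as listed in the Google TAG report discussed above.
DEFANGED_INDICATORS = [
    "protect-link[.]online", "drive-share[.]live", "protection-office[.]live", "Proton-viewer[.]com",  # Coldriver
    "login-verification[.]top", "login-verify[.]top", "ua-login[.]top", "secure-ua[.]space", "secure-ua[.]top",  # Ghostwriter
    "5.188.108[.]119", "91.216.190[.]58", "103.27.186[.]23", "114.249.31[.]171", "45.154.12[.]167",  # Curious Gorge
]
# Constructed proxy log lines for this demo (not from the report); unlisted addresses are private/documentation ranges.
SAMPLE_LOG = [
    "2022-03-29T10:02:11Z src=10.0.0.5 dst=45.154.12.167 host=drive-share.live url=https://drive-share.live/doc",
    "2022-03-29T10:02:14Z src=10.0.0.7 dst=203.0.113.10 host=mail.example.com url=https://mail.example.com/",
    "2022-03-29T10:05:40Z src=10.0.0.9 dst=91.216.190.58 host=- url=-",
    "2022-03-29T10:07:02Z src=10.0.0.5 dst=198.51.100.7 host=sso.secure-ua.top url=https://sso.secure-ua.top/login",
]
# A hostname (alphabetic TLD) or a dotted-quad IPv4 address embedded in a log line.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}")

def load_indicators(defanged):
    """Refang '[.]' indicators and split them into a domain set and an IP set."""
    domains, ips = set(), set()
    for raw in defanged:
        value = raw.replace("[.]", ".").strip().lower()
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:  # not an IP literal, so treat it as a domain
            domains.add(value)
    return domains, ips

def match_domain(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def scan_log(lines, defanged):
    """Return (line_number, observed_value, matched_indicator), one hit per indicator per line."""
    domains, ips = load_indicators(defanged)
    hits = []
    for lineno, line in enumerate(lines, start=1):
        seen = set()
        for token in TOKEN_RE.findall(line):
            indicator = token if token in ips else match_domain(token, domains)
            if indicator and indicator not in seen:
                seen.add(indicator)
                hits.append((lineno, token, indicator))
    return hits
```

Feeding real proxy or DNS logs in place of SAMPLE_LOG flags any host or destination on the published lists, including lookalike subdomains such as sso.secure-ua.top.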

Leonard doesn’t provide much detail about Curious Gorge’s latest campaigns other than that their activity “largely does not impact Google products,” and that Google remains “engaged and are providing notifications to victim organizations.” ®