Group FROZENBARENTS targets energy sector, Ukraine continues to be Russia’s primary cyber focus this year

Hey there! Let’s talk cyber threats. Recently, the clever folks over at Google’s Threat Analysis Group (TAG) identified some interesting tactics coming out of Russia, and they’re particularly homed in on Ukraine. There’s this group known as FROZENBARENTS, tied to the Russian Armed Forces’ Main Directorate of the General Staff. These guys seem to have a keen interest in the energy sector, and they’re not shy about their hacking and leaking operations.

Get this: the majority of Russian-backed phishing campaigns are targeting users in Ukraine, making up over 60% of the attacks observed this period. Crazy, right? FROZENBARENTS’ tool belt isn’t just filled with phishing hooks, though. They’re dabbling in all sorts of shady activities like malware, exploiting external services, and even mobile intrusion.

They’ve set their sights on some pretty major sectors where Russian intelligence collection might be of interest, everything from government and defense to logistics, education, and even humanitarian organizations. It’s all part of their plan. Interestingly, their focus seems to be centered heavily on the ongoing conflict in Ukraine. This involves leaking hacked data through apps like Telegram and exploiting mail servers around the world.

Around late 2022, they even targeted organizations tied to the Caspian Pipeline Consortium. That’s a major oil pipeline linking Kazakhstan to the Black Sea, can you believe it? Their strategy pivoted a bit in early 2023: they began launching waves of sneaky credential phishing campaigns against the Ukrainian defense industry, military, and webmail users.

But here’s an intriguing angle: they’re not doing all this covert stuff behind the scenes. FROZENBARENTS operatives are actively creating online personas to spew pro-Russia content and leak stolen data. These guys even had their accounts shut down on YouTube and Instagram due to their activity.

Another Russian group that has caught TAG’s attention is FROZENLAKE. They’ve been homing in on Ukraine throughout 2023, reaching hundreds of people via mass phishing emails. By February, they had started manipulating several Ukrainian government websites to redirect visitors to phishing pages.

Now, it’s not just the Russians. The fine folks at TAG noticed a certain Belarusian threat actor, known as PUSHCHA, consistently zeroing in on users in Ukraine and its neighboring countries throughout the war. It’s a complex battlefield out there in the cyber realm.

Even more widely recognized groups like the Internet Research Agency have shifted their tactics. They’ve been creating content on Google products like YouTube, commenting, upvoting videos, the works. They’re mostly pushing narratives that boost Russia and its business tycoons.

There’s also a fascinating case involving the Cuba ransomware group, which typically targets officials in Ukraine. Lately, they’ve veered away from ransomware ops, moving towards actions that resemble intelligence operations. TAG even saw these guys trying to get their hooks into attendees of high-profile international conferences.

Now, not all is gloom and doom; a silver lining, perhaps? Ukraine’s State Service of Special Communications and Information Protection recently reported that attacks on certain sectors like finance and government have actually decreased. However, the energy sector and the media still face the same intensity of cyber attacks as before.

Of course, Western authorities are not simply bystanders in all this. The UK’s National Cyber Security Centre raised the alarm about an emerging threat from state-aligned groups, likely sympathizing with Russia’s actions in Ukraine. Joint intelligence from U.S. and U.K. security agencies also called out an old enemy: APT28, known for exploiting Cisco routers.

So, that’s the lay of the cyber land! It’s a tricky, ever-evolving world out there, but as long as we remain vigilant and informed, we can stay one step ahead of these would-be cyber assailants.

by Morgan Phisher | HEAL Security
