Hacking groups are exploiting Russia's invasion of Ukraine to carry out cyberattacks designed to steal login credentials, sensitive information, money and more.

Government-backed hackers from Russia, China, Iran and North Korea, as well as various unattributed groups and cyber-criminal gangs, have been detected using various themes related to the war in Ukraine to lure people into becoming victims of cyberattacks.

Among these is a Russia-based hacking group known as both Coldriver and Calisto. Its targets have included several US-based NGOs and think tanks, the militaries of multiple Eastern European countries, the military of a Balkans country, a Ukraine-based defence contractor and a NATO Centre of Excellence.

These particular campaigns use newly created Gmail accounts to send phishing emails. The links are designed to steal usernames and passwords from victims. Ghostwriter, another cyber-threat group working out of Belarus, is using phishing attacks that simulate a browser within the browser.

Spoofing legitimate websites

The aim is to spoof legitimate web domains and use them to host spoof websites designed to steal login credentials. Once a user enters their username and password, the details are sent to a domain controlled by the attacker, where they are stored and can be exploited for further malicious activity in the future such as ID theft.

Another cyber-criminal operation is impersonating military personnel and demanding payments for rescuing relatives stuck in Ukraine.

These moves are hardly surprising. Cyber villains will use whatever they can to launch attacks as evidenced by the Covid-19 pandemic and the following lockdowns, which were quickly exploited.

Checking domain names

We’ve mentioned several times in these blogs how you can identify phishing emails. Here’s a brief look at how scammers imitate legitimate organisations by tweaking domain names, that is, the bit after the @ symbol. So as well as looking at the content of an email for spelling errors, suspicious attachments and links, and ‘pushy’ messages, also check the domain for the following two points.
  • The message is sent from a public email domain. No legitimate organisation will send emails from an address that ends ‘@gmail.com’. Most organisations, except some small operations, will have their own email domain and company accounts. For example, legitimate emails from Google will read ‘@google.com’.

    If the domain name matches the apparent sender of the email, the message is probably legitimate. However, if the email comes from an address that isn’t affiliated with the apparent sender, it’s almost certainly a scam.
  • The domain name is misspelt. The problem is that anyone can buy a domain name from a registrar. And although every domain name must be unique, there are plenty of ways to create addresses that are indistinguishable from the one that’s being spoofed.

    For instance, scammers have registered the domain ‘microsfrtfonline.com’, which to a casual reader mimics the words ‘Microsoft Online’. This could reasonably be considered a legitimate address. However, look closely for spelling errors. Scammers rely on people giving no more than a cursory glance at the domain name, and as such it’s easy to be fooled.
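The two checks above can be automated as a first-pass filter on the sender address. The script below is an added example written for this post, not a tool from the original article; the webmail list and the allow-list of expected domains are constructed for illustration, and the similarity threshold is an assumption a reader would tune for their own domains.

```python
from difflib import SequenceMatcher

# Constructed lists for the example: public webmail providers the post warns
# about, and a hypothetical allow-list of domains the reader's organisation
# actually expects mail from.
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
TRUSTED_DOMAINS = {"google.com", "microsoft.com", "microsoftonline.com"}


def sender_domain(address: str) -> str:
    """Return the lower-cased domain, i.e. the bit after the final '@'."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower()


def brand_label(domain: str) -> str:
    """Second-level label: 'microsfrtfonline.com' -> 'microsfrtfonline'."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain


def classify_sender(address: str, threshold: float = 0.8) -> str:
    """'trusted', 'public-webmail', 'lookalike:<trusted domain>' or 'unknown'."""
    domain = sender_domain(address)
    # Exact match or a subdomain of an expected domain (e.g. mail.google.com).
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    # Point 1 from the post: a public email domain is not a company domain.
    if domain in PUBLIC_WEBMAIL:
        return "public-webmail"
    # Point 2: near-miss spellings of a brand. Ratio is 2*matches/total chars,
    # so a one- or two-letter tweak still scores well above the threshold.
    best, best_score = None, 0.0
    for trusted in TRUSTED_DOMAINS:
        score = SequenceMatcher(None, brand_label(domain), brand_label(trusted)).ratio()
        if score > best_score:
            best, best_score = trusted, score
    if best_score >= threshold:
        return f"lookalike:{best}"
    return "unknown"


if __name__ == "__main__":
    for addr in ["security@microsfrtfonline.com", "it-helpdesk@gmail.com",
                 "noreply@google.com", "news@example.org"]:
        print(addr, "->", classify_sender(addr))
```

A lookalike hit is a reason to look closely at the address, not proof of a scam; legitimate organisations do register defensive variants of their own names.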