Researchers at cybersecurity firm Proofpoint have detected a phishing campaign, likely launched by a state-sponsored threat actor, that targets staff at European organizations assisting the efforts to aid Ukrainian refugees fleeing the country amid the Ukraine-Russia armed conflict.
The campaign, dubbed ‘Asylum Ambuscade,’ exploited an email address, which appears to belong to a compromised Ukrainian armed service member, to infect victims with the SunSeed malware, a downloader intended for delivering additional malicious payloads.
The researchers did not specify what threat actor was responsible for the attack, but said that they found some similarities with a previous campaign conducted by a hacker group known as Ghostwriter (UNC1151), which is linked to the Belarusian government that is currently supporting Russia’s invasion.
The researchers believe that the campaign’s goal was to disrupt the logistics involved in the movement of refugees from Ukraine to neighbouring countries, such as Poland, Romania, and Hungary.
“This activity, independent of attribution conclusions, represents an effort to target NATO entities with compromised Ukrainian military accounts during an active period of armed conflict between Russia, its proxies, and Ukraine,” Proofpoint said.
Cybersecurity Help’s statement on the critical situation in Ukraine
On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man aren’t worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war!