State-sponsored cyber activity targeting NATO Governments to disrupt Ukrainian refugee movements – Proofpoint

Date: 2022-02-28

March 2022 by Proofpoint

Cybersecurity researchers at Proofpoint have just released new threat intelligence showing likely Belarussian state-sponsored cyber activity targeting European government personnel involved in managing the logistics of refugees fleeing the conflict in Ukraine.

• The targeted phishing campaign, which delivers malware known as ‘SunSeed’, originates from a compromised Ukrainian armed forces service member’s email account.

• Proofpoint is tentatively attributing this activity to a threat group known as TA445 (Ghostwriter/UNC1151), which appears to operate out of Belarus and has a history of engaging in a significant volume of disinformation operations intended to manipulate European sentiment around the movement of refugees within NATO countries.

• These emails targeted individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe, representing an attempt to gain intelligence surrounding the movement of funds, supplies, and people within NATO member countries.

In light of the ongoing Russia-Ukraine war, actions by proxy actors like TA445 will continue to target European governments to gather intelligence around the movement of refugees from Ukraine and on issues of importance to the Russian government. This activity indicates a weaponisation of migrants and refugees of war through a hybrid information warfare and targeted cyber-attack model.

Proofpoint researchers commented: “This campaign represents an effort to target NATO entities with compromised Ukrainian military accounts during an active period of armed conflict between Russia, its proxies, and Ukraine. While the utilised techniques in this campaign are not ground-breaking individually, if deployed collectively, and during a high tempo conflict, they possess the capability to be quite effective. As the conflict continues, researchers assess similar attacks against governmental entities in NATO countries are likely. Additionally, the possibility of exploiting intelligence around refugee movements in Europe for disinformation purposes is a proven part of Russian and Belarussian-state techniques. Being aware of this threat and disclosing it publicly are paramount for cultivating awareness among targeted entities.”