Russia-based hackers ramping up attacks on Eastern European energy sector

Russia-based hackers stepped up attacks on Eastern Europe’s energy sector during the first three months of the year, according to new research.

In a blog post from Google’s Threat Analysis Group (TAG) on Wednesday, the researchers outline coordinated campaigns operated by several known state-backed hacking groups.

From January to March, Russian government-backed phishing campaigns targeted users in Ukraine the most — making up 60% of observed attempts.

Google tracked one group of particular note, called FROZENBARENTS, which researchers believe is run by Unit 74455 of the Russian Armed Forces’ Main Directorate of the General Staff (GRU).

“FROZENBARENTS remains the most versatile GRU cyber actor with offensive capabilities including credential phishing, mobile activity, malware, external exploitation of services, and beyond,” TAG’s Billy Leonard wrote in the post. “They target sectors of interest for Russian intelligence collection including government, defense, energy, transportation/logistics, education, and humanitarian organizations.”

The group has exploited email servers and used them to access victim networks, send malicious emails and run several information operations.

One of the most dangerous FROZENBARENTS operations tracked by TAG revolved around the Caspian Pipeline Consortium (CPC), which controls one of the largest oil pipelines in the world, moving oil from Kazakhstan to the Black Sea.

“Since November 2022, FROZENBARENTS has engaged in a sustained effort to target organizations associated with the CPC and other energy sector organizations in Europe,” Google wrote. “The first campaign targeted CPC employees, specifically the Moscow office, with phishing links delivered via SMS.”

The group then conducted multiple campaigns against energy sector organizations in Eastern Europe in which they used fake Windows update packages hosted on a domain spoofing the CPC. When opened, the update would run a version of the Rhadamanthys stealer — a malware first observed last December — to exfiltrate credentials.

In addition to its work around CPC, the group targeted the Ukrainian defense industry, military, and Ukr.net webmail users with several waves of credential phishing attacks.

The fake emails purported to be system administrator messages and were often sent through third-party email campaign management services.

Fancy Bear and ransomware

Google also tracked a range of activity from APT28, known by some researchers as Fancy Bear and by Google as FROZENLAKE. The group heavily targeted Ukraine in February and March with multiple waves of phishing emails.

APT28 also began using a tactic where they redirected users who visited Ukrainian government websites to phishing pages.

Similarly, a group based in Belarus named Puscha ran similar phishing campaigns targeting users in Ukraine.

TAG also backed up assessments from Ukraine’s Computer Emergency Response Team that the hackers behind the Cuba ransomware had shifted their focus to targeting Ukraine.

According to an advisory from several U.S. agencies last year, the ransomware group has launched attacks against at least 100 organizations around the world and brought in $60 million between December 2021 and August 2022.

But late last year, Ukrainian officials explained that the ransomware gang had shifted its focus to deploying malware on government systems. While this was a noticeable change in operations, the group – which has no connection to the island nation – was previously implicated in a wide-ranging ransomware attack on the government of Montenegro that crippled the country for weeks in September.

Google said the group, which previously appeared financially motivated, is now “behaving more similarly to an actor conducting operations for intelligence collection.”

The hackers specifically targeted attendees of the Munich Security Conference in February and the Masters of Digital conference in March using phishing URLs with spoofed domain names related to ChatGPT and its developer OpenAI. The campaigns have been relatively small in volume, sent from spoofed domains and targeted users' Gmail accounts.