Ukraine says Belarusian hackers are targeting its military personnel

Ukrainian officials said on Friday that Belarusian state-sponsored hackers are trying to compromise the email accounts of its military personnel.

"Mass phishing emails have recently been observed targeting private 'i.ua' and 'meta.ua' accounts of Ukrainian military personnel and related individuals," Ukraine's Computer Emergency Response Team (CERT-UA) wrote in a Facebook post earlier today.

"The Minsk-based group 'UNC1151' is behind these activities. Its members are officers of the Ministry of Defence of the Republic of Belarus," officials added.

CERT-UA, which provides cybersecurity response services to the Ukrainian public and private sectors, said that once UNC1151 hackers gained access to an account, they would use the IMAP protocol to download email messages and then use the account's address book to send out new phishing messages to other targets.

The phishing campaign is currently taking place against the backdrop of Russia's invasion of Ukraine.

Belarus has played a crucial role in this invasion by hosting and allowing Russian troops to use its territory to launch attacks from Ukraine's northern border. Belarusian troops are also participating in the armed conflict.

UNC1151 has targeted Ukraine for years

In November 2021, security firm Mandiant also formally linked the UNC1151 group to the Belarusian government. It said the group was behind an operation it tracked under the codename of Ghostwriter.

In this coordinated series of attacks, UNC1151 broke into government networks to steal information, with a particular focus on Lithuania, Poland, Ukraine, and Latvia. In another series of attacks, UNC1151 also broke into news sites to plant fake news stories with an anti-NATO message and also leaked forged documents to journalists.

The UNC1151 attacks are part of a hybrid warfare strategy that Russia and its acolytes are using in Ukraine, which also included a considerable cyber component.

This included launching DDoS attacks on government websites and local banks, the deployment of data-wiping malware to destroy local computer networks, phishing attacks to compromise government accounts, waves of SMS spam messages meant to sow panic among the general population, and attempts to plant fake government data leaks.

Many of these attacks predated the invasion, others supported it, and more are expected to take place throughout the conflict.