Phishing attacks become the new norm: Russia and China target diplomats

Google reports that Russian and Belarusian hackers target Ukrainians and European allies with phishing attacks

Hacking groups launch phishing campaigns: Russian hackers spread phishing attacks for credential harvesting

Alongside the war in Ukraine, Russia is also active in cyberspace. Various threat actors and hacker groups, among them Fancy Bear,[1] Ghostwriter and the China-aligned Mustang Panda, have launched targeted phishing campaigns against Ukraine, Poland and other EU countries that oppose the Russian invasion of Ukraine. Google's Threat Analysis Group reports that two domains used by the nation-state group Fancy Bear were taken down.[2]

Belarus has also conducted widespread phishing attacks against members of the Polish military and Ukrainian officials, according to security research reports. Over the past two weeks, groups linked to the Russian GRU military intelligence service have become particularly active in targeted attacks. Google could not confirm whether any of the discovered attacks succeeded, since they were not aimed at Google email accounts.[3]

These large phishing campaigns[4] were launched against users of Ukr.net, a Ukrainian media company. The emails were sent from compromised accounts at other email services and were designed to lure recipients into entering their credentials on fake login pages.

The Computer Emergency Response Team of Ukraine (CERT-UA) recently released an advisory warning of phishing campaigns targeting Ukr.net users with messages containing links to attacker-controlled pages, including credential harvesting pages. Related activity targeted webmail users of Yandex.ru, wp.pl, rambler.ru, meta.ua and i.ua. These providers were targeted by the Belarusian threat group Ghostwriter, also known as UNC1151.

Hackers from China target EU diplomats

These recent reports of phishing attacks and information-gathering campaigns mainly involve state-backed attackers. The China-aligned group tracked as TA416 or Mustang Panda has been targeting European diplomats since August 2020.[5] Its more recent attacks add lures related to the Russian invasion of Ukraine.

These cyber-espionage attacks against the European Union are long-term efforts rather than opportunistic ones. The group has kept its tools and tactics largely unchanged for some time, while refreshing the themes of its phishing emails. The actors impersonate organizations based in Europe and target governments in the European Union.

Malicious emails in the campaign contain Dropbox URLs that deliver versions of the PlugX malware. The same malware was previously deployed in a campaign against Australian organizations. The group distributes such malware to stage further payloads, execute code, hijack processes, or collect data from compromised machines.
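The two lure types described on this page, a "sign in to your webmail" link that points somewhere other than the provider, and a file-sharing link that delivers an executable payload, can both be triaged mechanically. The Python script below is an added example and is not code from the page, from CERT-UA, or from Google TAG; it uses the webmail providers named in the CERT-UA advisory above and Dropbox as the file-sharing host, while the sample emails and the look-alike domain verify-account.example are constructed for the example.

```python
"""Triage of the two lure types described above: links whose visible text
claims to be a webmail provider but whose href goes elsewhere (credential
harvesting), and file-sharing links that deliver an executable payload.
All sample messages and domains below are constructed for this example."""
import re
from urllib.parse import urlparse

# Webmail providers named in the CERT-UA advisory discussed above.
WEBMAIL_PROVIDERS = {"ukr.net", "yandex.ru", "wp.pl", "rambler.ru", "meta.ua", "i.ua"}
# File-sharing host used as a delivery channel in the Mustang Panda campaign.
FILE_SHARING_DOMAINS = {"dropbox.com", "dropboxusercontent.com"}
# File types that are a payload rather than a document (assumption: tune per environment).
PAYLOAD_EXTENSIONS = (".exe", ".zip", ".rar", ".iso", ".lnk", ".scr", ".dll")

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); sufficient for the providers listed above."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def claimed_provider(anchor_text):
    """Which webmail provider the link's visible text claims to be, if any."""
    text = anchor_text.lower()
    for provider in WEBMAIL_PROVIDERS:
        if provider in text:
            return provider
    return None


def triage_links(html):
    """Return (finding_type, detail, href) for each suspicious link in an email body."""
    findings = []
    for href, anchor_text in HREF_RE.findall(html):
        host = urlparse(href).hostname or ""
        domain = registrable_domain(host)
        path_only = href.lower().split("?", 1)[0]  # drop ?dl=1 etc. before checking the extension
        provider = claimed_provider(anchor_text)
        if provider and domain != provider:
            # Text says "ukr.net", link goes to a look-alike: classic credential harvesting.
            findings.append(("credential_harvest", provider, href))
        elif domain in FILE_SHARING_DOMAINS and path_only.endswith(PAYLOAD_EXTENSIONS):
            # File-sharing link to an archive/executable, as in the PlugX delivery above.
            findings.append(("file_share_payload", domain, href))
    return findings


# Constructed sample messages (not real campaign artifacts).
SAMPLE_EMAILS = {
    "lure_1": '<p>Your UKR.NET mailbox will be suspended.</p>'
              '<a href="https://ukr.net.verify-account.example/login">Sign in to ukr.net</a>',
    "benign_1": '<a href="https://mail.ukr.net/">Open ukr.net mail</a>',
    "lure_2": '<a href="https://www.dropbox.com/s/abc123/briefing.zip?dl=1">'
              'Briefing on the situation in Ukraine</a>',
    "benign_2": '<a href="https://www.dropbox.com/s/def456/agenda.pdf?dl=0">Meeting agenda</a>',
}


def triage_all(emails):
    """Map each sample email name to its list of findings."""
    return {name: triage_links(body) for name, body in emails.items()}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_EMAILS).items():
        print(name, findings or "clean")
```

The extension rule deliberately leaves benign_2 alone; a PDF or Office document delivered through the same channel can still carry the payload, so in practice the file-sharing check is a reason to detonate or inspect the download, not a reason to trust it.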

The aftermath of the phishing attacks

Russian hackers keep attacking Ukrainian information resources, aiming to take down news sources and to take over services and information sharing. This is where DDoS attacks come in, since flooding a site with traffic lets attackers knock its pages offline. However, the sites of central government bodies are still working properly. These attacks have even been aimed at humanitarian aid organizations working to help refugees.

Hacktivists associated with Anonymous, meanwhile, took down the websites of the Federal Security Service of Russia and continue to launch attacks to disrupt online propaganda channels. Live feeds of various Russian TV channels have also been intercepted: streaming services such as Russia 24, Channel One, Moscow 24 and Wink were interrupted to show footage from the war zone.

Sanctions against Russia as the aggressor in this war are accompanied by services being suspended worldwide and companies withdrawing from their Russian operations. Russia is also facing counterattacks from the newly formed IT Army initiative, which organizes volunteers to counter these cyber attacks on Ukraine's allies.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

