Ukraine's National Cyber Security Coordination Center (NCSCC) has issued a warning about a new phishing campaign led by the Russian-backed cybercriminal group APT28. The group specifically targets Ukrainian Defense Forces using phishing tactics to gain access to military email accounts, NCSS warned.

The phishing campaign involves creating websites resembling ukr[.]net, with slight URL differences to deceive users into entering their data.

In one instance, hackers crafted an HTML page imitating military operational information related to the Russian invasion, leading users to a fake login page. Another tactic involves sending emails claiming the account was compromised, and providing a link to reset the password. Clicking on the link launches a Browser in browser attack, embedding a fake page for entering ukr[.]net credentials. In both scenarios, stolen credentials are sent to a command and control server, where the group attempts to escalate privileges within the system.

The actor-controlled server is identified as an Ubiquiti Edge router, which is consistent with APT28's previous use of pre-compromised Ubiquiti Edge routers in exfiltrating data during phishing campaigns.

Why does it matter?

The NCSCC's alert, shared on various social media platforms and subsequently disseminated by Ukraine's IT Army, underscores the persistent cyber threats amid the ongoing conflict in Ukraine.