Charities and aid organizations in Ukraine attacked with malware
Charities and non-governmental organizations (NGOs) providing essential support in Ukraine are being targeted by malware attacks aimed at disrupting their operations and relief efforts to help those affected by war in Russia.
Amazon detected these attacks while working with employees of NGOs, charities and humanitarian organizations, including UNICEF, UNHCR, World Food Programme, Red Cross, Polska Akcja Humanitarna and Save the Children.
“While we are seeing an increase in activity from malicious state actors, we are also seeing a higher operational tempo by other malicious actors,” Amazon said.
“We have seen several situations where malware has been specifically targeted at charities, NGOs and other humanitarian organizations in order to confuse and cause disruption.
“In these particularly egregious cases, malware has been targeted to disrupt relief efforts for medical supplies, food and clothing.”
Phishing attacks against aid for European refugees
Proofpoint researchers spotted similar activity, observing spear-phishing attacks targeting European government personnel involved in logistical support for Ukrainian refugees.
Emails sent during the attacks delivered malicious macro attachments that downloaded Lua-based malware called SunSeed, which was used to deliver additional payloads to compromised devices.
The campaign, dubbed the Asylum Ambush, only targeted NATO entities using the compromised email account of a member of the Ukrainian Armed Forces.
Based on the infection chain, it aligns and is likely related to the July 2021 phishing attacks linked to the Belarusian threat group Ghostwriter (also known as TA445 or UNC1151).
Facebook and the Computer Emergency Response Team of Ukraine (CERT-UA) have also warned against Ghostwriter phishing campaigns against Ukrainian officials and military personnel.
Prior to Russia’s invasion, Ukraine’s Security Service (SSU) said the country was being hit by a “massive wave of hybrid warfare”.
This deluge of attacks included DDoS attacks against Ukrainian government agencies and state banks, phishing targeting the Ukrainian military, as well as several rounds of destructive malware attacks. [1, 2].