Ukraine Refugee Aid Targeted by Phishing Campaign

Though it's unclear who's behind the phishing assault, researchers say it's in line with previous state-sponsored campaigns tied to an attacker in Belarus.

Bree Fowler Senior Writer

Hundreds of thousands of Ukrainians are fleeing their country as Russian troops advance on its capital.


European officials are being targeted by what appears to be a state-sponsored phishing campaign aimed at disrupting their efforts to help Ukrainian refugees, cybersecurity company Proofpoint said Wednesday.

According to the company's researchers, the attackers are using what's possibly a compromised Ukrainian armed service member's email account to target officials managing the logistics of refugees fleeing that country. The emails carry an attachment with a malicious macro that attempts to download dangerous malware, which the researchers dubbed SunSeed, onto the target's computer.

The campaign comes as Russian troops advance on Ukraine's capital, prompting hundreds of thousands of people to flee and choking Ukraine's border crossings with several countries, including Poland, Hungary, Slovakia and Romania. According to Proofpoint, the campaign could be an attempt to figure out where those people, as well as the resources needed to help them, could be headed next.

Though the targeted European officials had various expertise and job responsibilities, the attackers seemed to focus on people with responsibilities related to transportation; financial and budget allocation; administration; and population movement within Europe.

"This campaign may represent an attempt to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO member countries," the researchers wrote in their report.

While the researchers didn't directly attribute the campaign to a specific country or cybercrime group, they did note that from a technical standpoint it's similar to previous actions tied to an attacker known as Ghostwriter, or TA445, believed to be operating out of Belarus.

That attacker also has been tied to large disinformation operations bent on manipulating European public opinion related to refugees within NATO countries, Proofpoint said.