Date: 2022-03-02

European officials are being targeted by what appears to be a state-sponsored phishing campaign aimed at disrupting their efforts to help Ukrainian refugees, cybersecurity company Proofpoint said Wednesday.

According to the company's researchers, the attackers are using what's possibly a compromised Ukrainian armed service member's email account to target officials managing the logistics of refugees fleeing that country. The emails carry a malicious macro attachment that attempts to download dangerous malware, dubbed "SunSeed" by the researchers, onto the target's computer.

The campaign comes as hundreds of thousands of people are fleeing Ukraine as Russian troops advance on its capital, choking its border crossings with a handful of countries including Poland, Hungary, Slovakia and Romania. According to Proofpoint, the campaign could be an attempt to figure out where those people, as well as the resources needed to help them, could be headed next.

While the European officials targeted had a variety of expertise and job responsibilities, the attackers seemed to focus on people with responsibilities related to transportation, financial and budget allocation, administration and population movement within Europe.

"This campaign may represent an attempt to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO member countries," the researchers wrote in their report.

While the researchers didn't directly attribute the campaign to a specific country or cybercrime group, they did note that from a technical standpoint it's similar to previous actions tied to an attacker known as "Ghostwriter," or TA445, which is believed to be operating out of Belarus.

That attacker also has been tied to large disinformation operations bent on manipulating European public opinion related to refugees within NATO countries, Proofpoint said.