A spear-phishing campaign has been identified targeting European government personnel helping Ukrainian refugees. The campaign is still ongoing and is being tracked as Asylum Ambuscade.
According to Proofpoint, a nation-state actor is believed to have compromised a Ukrainian armed service member’s email account to target European government personnel aiding refugees fleeing Ukraine.
- The phishing messages included a weaponized macro attachment created to download the SunSeed malware.
- The attachment uses the Emergency Meeting of the NATO Security Council as a lure.
- Experts spotted similarities between the recent infection chain and other attacks observed in July 2021 (linked with the Ghostwriter APT group), suggesting the same threat actor may be behind it.
Researchers suggested the campaign may aim to exploit intelligence on refugee movements in Europe for disinformation, and possibly to compromise NATO entities, during the armed conflict between Russia and Ukraine.
Since Russia’s invasion, the Ghostwriter APT group has launched multiple attacks on the private email accounts of Ukrainian military personnel. In recent attacks, the attackers have used compromised sender infrastructure to spread phishing emails and employed an MSI package as an installer for Lua-based malware.
For better safety, victims are urged to follow recommendations provided by security agencies and organizations that are actively tracking these cyber attacks.