Google LLC on Tuesday released new details about a series of state-sponsored Russian hacking campaigns targeting Ukraine.
The hacking campaigns were discovered by the search giant’s Threat Analysis Group. Billy Leonard, a security engineer with the Threat Analysis Group, described the cyberattacks in a blog entry.
Google researchers have identified a hacking campaign in which Turla, a threat actor associated with Russia’s Federal Security Service, used malicious Android apps to attack users. The apps were allegedly designed to launch denial-of-service attacks against a number of Russian websites. According to Google, download links to the apps were distributed via messaging services.
“This is the first known instance of Turla spreading Android-related malware,” explained Leonard. “We believe there hasn’t been a major impact on Android users and that the number of installs has been minimal.”
Google also detected cyberattacks carried out by APT28 and Sandworm, two threat groups linked to Russian intelligence agencies. The cyberattacks exploited a Windows vulnerability known as Follina, which was discovered earlier this year. The vulnerability, which has since been patched, enables hackers to penetrate affected Windows computers with malicious Office documents.
One of the Follina-based hacking campaigns targeted media organizations in Ukraine. “Using compromised government accounts to send links to Microsoft Office documents hosted on compromised domains, the Sandworm campaign primarily targeted media organizations in Ukraine,” Leonard noted.
Google has also uncovered three other hacking campaigns as part of its recent cybersecurity research efforts. Each campaign is run by a different threat actor.
Google discovered that the Russia-based hacking group COLDRIVER is using phishing emails to target government and defense officials, politicians, NGOs, think tanks and journalists. Google also found that Ghostwriter, a hacking group with ties to Belarus, is targeting the email and social media accounts of users in Poland.
Additionally, the search giant’s cybersecurity experts have observed an increase in the number of financially motivated threat actors targeting Ukraine. One of these threat actors recently ran a hacking campaign using the Follina vulnerability to proliferate malicious files.
“We believe this actor is a former ransomware first access broker who previously worked with the Conti ransomware group that created the IcedID banking Trojan, based on infrastructure overlap, tools used in previous campaigns and a unique cryptor,” Leonard wrote.
The work of the Threat Analysis Group, the Google entity that discovered the hacking campaigns detailed this week, is part of a broader effort by the search giant to make the internet safer. Google also operates an initiative called Google Safe Browsing, which focuses on blocking malicious websites. The initiative helps block malicious websites in Android, Chrome and several third-party browsers, as well as a number of other software platforms.