The new threat group, which was active between April and June, attacked the Ukrainian government, various organizations in the country, and European humanitarian and non-profit organizations by launching malicious campaigns against them, according to Google’s Threat Analysis Group (TAG) - a team of security experts dedicated to protecting Google users from government-backed attacks.
“As the war in Ukraine continues, TAG is tracking an increasing number of financially motivated threat actors targeting Ukraine whose activities seem closely aligned with Russian government-backed attackers,” the analysis said.
Google’s experts first identified the threat group dubbed UAC-0098 in April, two months after Russia launched its war in Ukraine. They started tracking the group after detecting an email phishing campaign that sent out AnchorMail - a variant of the Anchor backdoor malware developed by the Conti group.
The malicious group repeatedly targeted Ukrainian hotels, although their methods and lures varied, Google noted.
In May, the group sent out emails impersonating the national cyber police of Ukraine to hospitality organizations and urged them to download a system update via email links.
In another phishing email, they used the compromised account of a hotel in India. This email account was also used to target an Italian NGO.
A few days later, the attackers impersonated representatives of Elon Musk Microsoft, targeting the Ukrainian retail, technology, and government sectors.
Towards the end of May, the attackers targeted the Academy of Ukrainian Press also via scam emails.
“UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests,” read Google’s threat analysis