Ukrainian cybersecurity officials have warned that Belarusian state-sponsored hackers are targeting the private email addresses of Ukrainian military personnel.
Announcing the activity in a Facebook post, Ukraine’s Computer Emergency Response Team (CERT-UA) said that a mass phishing campaign is targeting the private i.ua and meta.ua accounts belonging to Ukrainian military personnel.
“After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages,” it added. “Later, the attackers use contact details from the victim’s address book to send the phishing emails.”
CERT-UA has attributed the ongoing campaign to the UNC1151 threat group, which Mandiant formally linked to the Belarusian government in November 2021. Mandiant also linked the state-backed cyber-espionage group to the Ghostwriter disinformation campaign, which has been involved in spreading anti-NATO rhetoric and hack-and-leak operations throughout Europe.
“The Minsk-based group ‘UNC1151’ is behind these activities. Its members are officers of the Ministry of Defence of the Republic of Belarus,” CERT-UA wrote.
The Kyiv government also believes the UNC1151 group was behind the cyberattack that brought down Ukrainian government websites last week, Serhiy Demedyuk, the deputy secretary of the national security and defense council of Ukraine, told Reuters. Ukraine’s security services said that more than 70 state websites were attacked during the incident, 10 of which were subjected to unauthorized interference.
Mandiant’s Ben Read told TechCrunch that the security company has observed UNC1151 targeting the Ukrainian military extensively over the past two years, “so this activity matches their historical pattern.”
“These actions by UNC1151, which we believe is linked to the Belarusian military, are concerning because personal data of Ukrainian citizens and military can be exploited in an occupation scenario and UNC1151 has used its intrusions to facilitate the Ghostwriter information operations campaign,” Read added. “Leaking misleading, or fabricated documents taken from Ukrainian entities could be leveraged to promote Russia and Belarus friendly narratives.”
“Ghostwriter has previously targeted the NATO alliance, seeking to erode support for the organization,” said Read. “I wouldn’t be surprised if similar operations were seen in the near future.”