European government personnel involved in providing logistics support to Ukrainian refugees have been the target of a spear-phishing campaign.
An analysis by Proofpoint researchers describes a spear-phishing campaign in which threat actors use “possibly compromised” email accounts belonging to Ukrainian armed service members to send phishing messages to officials managing the logistics of refugees fleeing that country. The emails carry a malicious macro attachment that attempts to download malware, dubbed SunSeed by the researchers, onto the target’s computer.
The campaign comes as Russian troops advance on Kiev, prompting hundreds of thousands of people to flee and choking Ukraine’s border crossings with several countries, including Poland, Hungary, Slovakia, and Romania. According to Proofpoint, the campaign could be an attempt to figure out where those people are, along with the resources needed to help them.
Though the targeted European officials had a range of expertise and job responsibilities, the attackers seemed to focus on people with responsibilities related to transportation; financial and budget allocation; administration; and population movement within Europe.
While the researchers didn’t directly attribute the campaign to a specific country or cybercrime group, they did note that from a technical standpoint it resembles previous actions tied to an attacker known as Ghostwriter, or TA445, believed to be operating out of Belarus.
That attacker also has been tied to large disinformation operations bent on manipulating European public opinion related to refugees within NATO countries, Proofpoint said.