
Google's Threat Analysis Group (TAG) has reported that an APT group linked to China's People's Liberation Army Strategic Support Force (PLA SSF), tracked as Curious Gorge, is targeting Russian government agencies.
The Google TAG team published a report focused on cyber activity in Eastern Europe. A growing number of threat actors are using the war in Ukraine as a lure in their attacks, and the researchers also observed threat actors increasingly targeting critical infrastructure organizations.
“Curious Gorge, a group TAG attributes to China’s PLA SSF, has remained active against government, military, logistics, and manufacturing organizations in Ukraine, Russia, and Central Asia. In Russia, long-running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs,” wrote Google TAG Security Engineer Billy Leonard. “Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company.”
TAG also observed the Russia-linked APT28 cyberespionage group targeting users in Ukraine with a new variant of .NET malware distributed as email attachments inside password-protected zip files (ua_report.zip), a packaging choice that keeps the payload out of reach of mail-gateway scanners. The malware steals cookies and saved passwords from the Chrome, Edge, and Firefox browsers.
The experts also monitored spear-phishing attacks conducted by the Russia-linked Turla APT against defense and cybersecurity organizations in the Baltics.
Russia continues to be one of the most active states: the experts also spotted Coldriver using Gmail accounts to deliver phishing emails targeting government and defense officials, NGOs, think tanks, and journalists.
“Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further exploitation. We also send all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity. We encourage any potential targets to enable Google Account Level Enhanced Safe Browsing and ensure that all devices are updated,” TAG concludes.
The report also shares the following indicators (defanged as published; one GhostWriter entry is a sender address rather than a domain):

| Threat Actor | Malicious Domains |
|---|---|
| GhostWriter | noreply.accountsverify[.]top |
| GhostWriter | microsoftonline.email-verify[.]top |
| GhostWriter | lt-microsoftgroup.serure-email[.]online |
| GhostWriter | facebook.com-validation[.]top |
| GhostWriter | lt-meta.com-verification[.]top |
| GhostWriter | lt-Facebook.com-verification[.]top |
| GhostWriter | secure@facebookgroup[.]lt |
| Coldriver | cache-dns[.]com |
| Coldriver | docs-shared[.]com |
| Coldriver | documents-forwarding[.]com |
| Coldriver | documents-preview[.]com |
| Coldriver | protection-link[.]online |
| Coldriver | webresources[.]live |
| Turla | wkoinfo.webredirect[.]org |
| Turla | jadlactnato.webredirect[.]org |
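The practical use of a list like this is to sweep DNS, proxy and mail logs for hits. The script below is an added example written for this article, not code from Google TAG or the original page: it refangs the published indicators, then matches hostnames by exact name or parent domain (so `login.docs-shared.com` hits `docs-shared[.]com`, but `other.webredirect.org` does not hit the Turla dynamic-DNS subdomains) and matches the e-mail indicator exactly. The log lines are constructed for the demonstration; the log format is an assumption, as is the choice to match the sender address exactly rather than its whole domain.

```python
import re

# Defanged indicators copied from the table above, keyed by attributed actor.
TAG_IOCS = {
    "GhostWriter": [
        "noreply.accountsverify[.]top",
        "microsoftonline.email-verify[.]top",
        "lt-microsoftgroup.serure-email[.]online",
        "facebook.com-validation[.]top",
        "lt-meta.com-verification[.]top",
        "lt-Facebook.com-verification[.]top",
        "secure@facebookgroup[.]lt",  # sender address, matched exactly (assumption)
    ],
    "Coldriver": [
        "cache-dns[.]com", "docs-shared[.]com", "documents-forwarding[.]com",
        "documents-preview[.]com", "protection-link[.]online", "webresources[.]live",
    ],
    "Turla": ["wkoinfo.webredirect[.]org", "jadlactnato.webredirect[.]org"],
}

# Constructed sample log lines (not real telemetry); format is an assumption.
SAMPLE_LOG = [
    "2022-05-03T10:12:44Z dns src=10.0.0.21 qname=docs-shared.com qtype=A",
    "2022-05-03T10:12:45Z proxy src=10.0.0.21 url=https://login.docs-shared.com/view?id=7",
    "2022-05-03T10:13:02Z smtp from=secure@facebookgroup.lt to=user@example.org",
    "2022-05-03T10:13:10Z dns src=10.0.0.22 qname=www.google.com qtype=A",
    "2022-05-03T10:14:00Z dns src=10.0.0.23 qname=wkoinfo.webredirect.org qtype=A",
    "2022-05-03T10:14:05Z dns src=10.0.0.23 qname=other.webredirect.org qtype=A",
]

HOST_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}", re.I)
EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}", re.I)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a lowercase, matchable host or address."""
    s = ioc.strip().lower()
    for brackets in ("[.]", "(.)", "{.}"):
        s = s.replace(brackets, ".")
    s = re.sub(r"^(hxxps?|https?)://", "", s)
    return s.rstrip("./")


def build_index(iocs: dict) -> dict:
    """Map every refanged indicator to its actor."""
    return {refang(ioc): actor for actor, entries in iocs.items() for ioc in entries}


def match_host(host: str, index: dict):
    """Return (indicator, actor) if host equals an indicator or is a subdomain of one.

    Walking parent domains means a lookalike's subdomains are caught, while a
    parent such as webredirect.org is never matched unless it is itself listed.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return candidate, index[candidate]
    return None


def scan_log(lines, index: dict):
    """Return [(line_no, indicator, actor)] for every indicator hit, one per line."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        seen = set()
        # E-mail indicators are matched exactly; hostnames by exact or parent match.
        for addr in EMAIL_RE.findall(line):
            addr = addr.lower()
            if addr in index and addr not in seen:
                seen.add(addr)
                hits.append((line_no, addr, index[addr]))
        for host in HOST_RE.findall(line):
            found = match_host(host, index)
            if found and found[0] not in seen:
                seen.add(found[0])
                hits.append((line_no, found[0], found[1]))
    return hits


if __name__ == "__main__":
    for line_no, indicator, actor in scan_log(SAMPLE_LOG, build_index(TAG_IOCS)):
        print(f"line {line_no}: {indicator} -> {actor}")
```

Lines 1, 2, 3 and 5 of the sample produce hits; line 6 deliberately does not, because only the two listed `webredirect[.]org` subdomains are indicators, not the dynamic-DNS parent. Feeding real DNS or proxy exports into `scan_log` is a matter of replacing `SAMPLE_LOG` with the file's lines.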