One threat intelligence firm confirms that pro-Russian ransomware and phishing groups have stepped up efforts against Ukrainian military personnel and civilians.

Ukraine’s Computer Emergency Response Team (CERT-UA) recently announced that UNC1151 phishing activity was aimed at compromising the email accounts of Ukraine’s military personnel.

According to CERT-UA, “The Minsk-based group ‘UNC1151’ is behind these activities. Its members are officers of the Ministry of Defence of the Republic of Belarus.”

These actions by UNC1151 are of critical concern because the personal data of military personnel can be exploited in an occupation scenario. According to Ben Read, Director at Mandiant: “UNC1151 has used its intrusions to facilitate the Ghostwriter information operations campaign. Leaking misleading or fabricated documents taken from Ukrainian entities could be leveraged to promote Russia- and Belarus-friendly narratives.”

The Ghostwriter threat group, allegedly originating from Russia, had previously targeted the NATO alliance, seeking to erode support for the organization.

“We’re monitoring reports of widespread phishing of Ukrainian individuals by UNC1151. We are able to tie the infrastructure reported by CERT.UA to UNC1151, but have not seen the phishing messages directly. However, UNC1151 has targeted Ukraine and especially the Ukrainian military extensively over the past two years, so this activity matches their historical pattern,” said Read. 

On the ransomware front, the CONTI threat actors are also linked to Russia. According to the firm’s Director of Financial Crime Analysis, Kimberly Goody: “More recently, publicly reported chat logs suggest that a key player in CONTI operations may have intended to provide support for government projects. The Russian government has benefited from their relationships with cybercriminals in the past; and even if not outright directed to take action, these actors could conduct (pro-Russian) operations independently.”

Russia’s law enforcement organizations, such as the FSB, have an intelligence role as well, making them ideally suited to take advantage of criminals. Furthermore, DDoS capabilities, tools, and even latent infiltrated accounts can be purchased, according to Goody.