Security Experts:

Connect with us

Hi, what are you looking for?



Hacked Ukrainian Military Emails Used in Attacks on European Governments

Staff at European government organizations have been receiving malicious emails that appear to be coming from email accounts belonging to members of the Ukrainian military.

Staff at European government organizations have been receiving malicious emails that appear to be coming from email accounts belonging to members of the Ukrainian military.

Russia’s war with Ukraine is taking place both in the real world and in cyberspace, with state-sponsored units and hacktivists fighting for both sides. The online battle has involved a wide range of tactics and tools, including distributed denial-of-service (DDoS) attacks, malware, data leaks, and misinformation.

Shortly after Russia launched its invasion, the Ukrainian government warned that phishing emails had been sent to email addresses belonging to Ukrainian military personnel and related individuals. The attack has been attributed to UNC1151, a threat actor previously tied to Belarus and possibly Russia, and which specializes in disinformation campaigns.

Cybersecurity firm Proofpoint, which tracks the threat group as TA445, on Wednesday reported seeing the email accounts of European government personnel involved in managing the Ukrainian refugee crisis receiving malicious emails from a possibly compromised email account belonging to a Ukrainian armed service member.

While Proofpoint has not found definitive evidence, the timing and goal of the campaign suggest that the emails sent to European officials could represent the next stage of the phishing attacks that the Ukrainian government warned about.

The emails sent to European government personnel referenced a recent emergency meeting of the NATO Security Council. The message carried an attachment — a macro-enabled XLS file — that was set up to deliver a piece of malware named SunSeed. This malware is a downloader that is likely used by the attacker to deliver additional malicious payloads to the compromised devices.

[ READ: Russia, Ukraine and the Danger of a Global Cyberwar ]

The campaign, which Proofpoint tracks as Asylum Ambuscade, may be aimed at collecting information on refugee movements out of Ukraine, as well as details on the funds, supplies and logistics used by Europe to manage the crisis.

“The targeted individuals possessed a range of expertise and professional responsibilities,” Proofpoint explained in a blog post. “However, there was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe. This campaign may represent an attempt to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO member countries.”

Ukraine’s IT Army, created shortly after Russia launched its invasion, now counts roughly 260,000 members.

An individual who uses the online moniker CyberKnow has compiled a list of the various hacker groups supporting both Russia and Ukraine. There are currently more than 30 groups on the list.

One of the groups targeting Ukraine appears to be based in Brazil and, according to WordPress security company Defiant, it has hacked the websites of tens of Ukrainian universities since the conflict started.

Unsurprisingly, profit-driven cybercriminals are trying to take advantage of the conflict. Anti-phishing solutions provider Cofense has reported seeing several spam campaigns whose goal is to steal data and scam users.

Related: Cyber Incident Disclosure Bill Passes in Senate Amid Fears of Russian Attacks

Related: Cyberattacks in Ukraine: New Worm-Spreading Data-Wiper With Ransomware Smokescreen

Related: Conti Chats Leaked After Ransomware Gang Expresses Support for Russia

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.