You are using an older browser version. Please use a supported version for the best MSN experience.

Belarus conducted widespread phishing campaigns against Ukraine, Poland, Google says

The Washington Post logo The Washington Post 3/7/2022 Joseph Menn
GRU headquarters in Moscow. © NATALIA KOLESNIKOVA/AFP/Getty Images GRU headquarters in Moscow.

Belarus conducted widespread phishing attacks against members of the Polish military as well as Ukrainian officials, security researchers said Monday, providing more evidence that its role in Russia’s invasion of Ukraine has gone beyond serving as a staging area for Russian troops.

Google’s threat-hunting team released details of the tricks deployed against the Polish military, which a spokeswoman said appeared to be the first report of its kind. Google said it had warned hundreds of Ukrainian residents about government-backed hacking attempts in the past year, most of them from Russia.

Google’s Threat Analysis Group said it did not know if any of the attempts had succeeded, since they were not aimed at Google’s email accounts.

In the past two weeks, the attack group known as Fancy Bear, which is associated with Russia’s GRU military intelligence unit, launched several large phishing campaigns against users of, a Ukrainian media organization, Google said. The emails came from compromised accounts and led targets to fake log-in pages.

Even more recently, in the days since Russia invaded Ukraine with logistical help from Belarus, a hacking group in Belarus known as Ghostwriter has used phishing to try to get credentials of Ukrainian government officials and members of the Polish military, Google said.

In a statement, Google said the phishing emails had been sent from “a large number of compromised accounts and include links to attacker controlled domains.”

Video: Russians abroad feel the pinch from sanctions (Reuters)

“In two recent campaigns, the attackers used newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages,” where users are asked to enter their passwords, which are then captured. “All known attacker-controlled Blogspot domains have been taken down.”

The Ghostwriter attacks all took place in the last week “against Polish and Ukrainian government and military organizations,” Google said.

Google also said it had detected a China-based “threat actor,” Mustang Panda, attempting to plant malware in “targeted European entities with lures related to the Ukrainian invasion.” It did not name the organizations targeted but said the campaign “represented a shift from Mustang Panda’s regularly observed Southeast Asian targets.”

Not known as a significant force in hacking, Belarus was named by security firm Mandiant in November as behind hacking attempts in Poland and Lithuania.

The same group was identified by Google as also behind misinformation campaigns in neighboring countries, many of them critical of NATO, Mandiant said.

“These guys have been targeting Poland even before the war, it’s a natural enemy,” said Jaime Blasco, co-founder of start-up Nudge Security.

There was a significant increase in that activity as refugees streamed into Poland, Blasco said.

Ukrainian cyberdefense officials said last month that the Belarus group had tried phishing the personal email accounts of its military.

The hackers have also gone after people inside Belarus, which has been harshly divided since an election prompted mass demonstrations and more than 20,000 arrests and detentions in 2020.


More from The Washington Post

The Washington Post
The Washington Post
image beaconimage beaconimage beacon