Threat Research

Pre-war spike in phishing attacks targeting infrastructure in Ukraine

Martin Chlumecky 14 Mar 2022

It is evident that Ukrainian companies have not been spared when it comes to phishing attacks, and attackers are targeting local communication infrastructures, network providers, and other services.

We observed an increased number of phishing attacks in the Ukrainian cyberspace in February, just before Russia invaded Ukraine on February 24, 2022. The attacks we observed targeted a network infrastructure hardware producer, a domain administrator, as well as services and institutions in different areas, such as shipping, web-hosting, platforms for recruiters, and marketers. RATs (Remote Access Tools) and password stealer malware, like AgentTesla or FormBook were included as attachments in phishing emails spreading with subject lines related to invoices and payments.  We believe these attacks might have been designed to attack the country's internet infrastructure, and could be related or served to complement the DDoS attacks that were carried out against Ukraine’s Department of Defense and Banks just before Russia invaded the country.

We determined the average value of the number of phishing attacks (threshold) per day before the war in Ukraine began. We noticed two significant peaks on February 16 and February 21 to 23. The threshold value was exceeded by 272% to 494%, as seen in Figure 1, respectively.


Figure 1. Ukraine phishing attacks

The most targeted cities for the attacks were Kyiv (36%), Odessa (29%), Lviv (6%), Mariupol (5%); see Figure 2.


Figure 2. Distribution of Ukraine phishing attacks

The subject lines of the phishing emails primarily target accounting departments and include:

  • SWIFT payment
  • Invoice Payment : MT103_Swift Copy
  • Wire Transfer to your company account
  • Re: Purchase Order
  • Re: Transfer Confirmation

Email attachments contain a diverse mix of RAT and password stealer malware, like AgentTesla or FormBook.

First wave of digital attacks

We monitored the first significant peak on February 16. The largest attack that we were able to identify targeted a Ukrainian domain administrator, ukrnames.com. They also provide domain name registration, website hosting, registration of SSL certificates, and more.

The second attack wave we identified targeted a hardware supplier located in Lviv, providing equipment for network infrastructures (lanbox.com.ua).

According to our data, the site was only attacked on February 16. The vast majority of ukrnames.com attacks also occurred on February 16; only a few incidents were monitored on February 17, 18, and 21. Both the attacks on ukrnames.com and Lanbox appear to have been targeted. The following table shows the percentage ratio of the targeted attacks:

A second wave

The second wave of these digital attacks occurred from February 21 to February 23. This wave consisted of a broader range of attacks on services and institutions in different areas like shipping, web-hosting, platforms for recruiters, and marketers. We did not identify any significant attacks on a specific target in this wave.

Email attachments

The subject lines of the phishing emails, and the malware included in the attached files have helped us to identify several specific attachments used in the phishing attacks based on our mail honeypot.

The contents of the emails are disguised as standard business communications or informational emails; see example in Figure 3. The example below has been captured with our mail honeypot in 2020. The subject line of the mail (including RFQ number) and the person (Mr. Moizuddin) is identical to a suspicious email detected within the first wave of attack to ukrnames.com. The senders of both mails are different, but it is typical for phishing attacks, as mail headers are spoofed.


Figure 3. Email disguised as a purchase of a new order

The most common type of suspicious attachments have been .pdf and .docx files. These Microsoft Word documents usually contain a picture that looks like a pop-up window with a message that requests users to enable the content of the documents, which causes a run of malicious payloads, as can be seen in the pictures below, Figure 4.


Figure 4. Messages requiring “enable content”

The .docx emails only contain a picture with a message and hidden malicious macro code. Suppose the user clicks on "Enable Editing". In that case, as Figure 5 shows, the malicious payload is started and usually begins downloading malware that can take control of a victim's computer.


Figure 5. Word document requiring “Enable Editing”

The second file type is a .pdf containing one picture promising a discount on fuel if the user clicks on the image. In actuality, the user is redirected to a suspicious website with malicious contents; see examples of vouchers in Figure 6.


Figure 6. Lukoil vouchers

SMTP Honeypot

We cannot determine the exact origin of the phishing attacks within the period of interest (February 14 to 22), but we have analyzed data from an SMTP Honeypot that can approximately determine a spammer’s origin.

Long-term honeypot data indicates the spammers’ origin as follows: Vietnam (35%), Russia (18%), India (10%), Brazil (8%), and China (8%). However, the SMTP Honeypot has detected a significant increase in Russia (35%) and Brazil (31%), as Figure 7 demonstrates.


Figure 7.
Spammers’ origin distribution from February 14 to 22

Conclusion

It is evident that Ukrainian companies have not been spared when it comes to phishing attacks, and attackers are targeting local communication infrastructures, network providers, and other services. The most significant attack was performed on February 16 to one of Ukraine's domain administrators ukrnames.com.

To protect themselves, we advise users not to open and enable contents of unknown and suspicious attachments. The recent telemetry data suggests phishing attacks against Ukrainians have slowed down, which is likely due to the ongoing fighting and people spending less time online. With this in mind, we will continue to monitor phishing activities in the region.