According to Google’s Threat Analysis Group (TAG), FROZENLAKE’s ongoing attacks are part of the group’s campaign against Eastern European webmail users, which TAG had already identified as the group’s objective for 2022.
A broad phishing campaign targeting hundreds of Ukrainian users is reportedly being carried out by actors linked to Russia’s military intelligence service. The campaign’s objective is to gather intelligence and influence public opinion regarding the country’s ongoing war.
The recent attacks, which targeted webmail users in Eastern Europe, are consistent with the tactics used by the group known as FROZENLAKE, according to Google’s TAG, which monitors the group’s activities.
The state-sponsored cyber actor, also known as APT28, Forest Blizzard, and Sofacy, has a long-standing reputation for being highly skilled and active. The group has been conducting espionage operations against media, government, and military organizations since at least 2009.
To lure users to phishing domains and steal their login credentials, the attackers launched reflected cross-site scripting (XSS) attacks against various Ukrainian government websites around the beginning of February 2023.
The disclosure coincided with a joint advisory from U.K. and U.S. intelligence and law enforcement agencies about APT28’s use of the Jaguar Tooth malware to compromise Cisco routers by exploiting a well-known vulnerability.
Does the attacker work alone?
Following Russia’s invasion of Ukraine over a year ago, FROZENLAKE is not the only group that has turned its attention to the country. FROZENBARENTS (also tracked as Sandworm) has targeted energy-related companies in Eastern Europe, particularly those associated with the Caspian Pipeline Consortium (CPC).
Both groups are thought to be affiliated with the GRU. APT28 is attributed to GRU military intelligence Unit 26165 of the 85th Special Service Center (GTsSS), while Sandworm is thought to be part of the GRU’s Unit 74455.