Belarus-linked cyber attacks aim to disrupt Ukraine refugee operations

Researchers believe the goal is to disrupt the logistics involved in refugee movements


Hackers are attempting to deploy SunSeed malware to obtain intelligence on refugee movement in the region

Researchers at enterprise security firm Proofpoint have identified a new phishing campaign, allegedly linked to the government of Belarus, which is targeting European officials in an attempt to collect information on refugee and supply movement in the region.

The researchers saw the phishing emails for the first time on February 24th, naming the attacks 'Asylum Ambuscade.'

The campaign apparently originated from a compromised email account that appears to belong to a Ukrainian armed service member.

The phishing email sent from the account contained a malicious macro attachment that used social engineering themes related to the NATO Security Council's Emergency Meeting on February 23rd. The attachment attempted to download SunSeed, a Lua-based piece of malware.

The email targeted individuals in a variety of roles, but appeared to favour those involved in transportation, administration, money allocation and refugee mobility.

Researchers believe the goal of Asylum Ambuscade is to disrupt the logistics involved in the movement of refugees from Ukraine to neighbouring countries, such as Hungary, Poland and Slovakia.

"This campaign represents an effort to target Nato entities with compromised Ukrainian military accounts during an active period of armed conflict between Russia, its proxies, and Ukraine," they said.

The researchers termed the campaign a "weaponisation of migrants and refugees of conflict" through a hybrid information warfare and targeted hacking approach.

While the strategies used in the attack are not new, they have the potential to be extremely powerful when used collectively and during a high-tempo fight.

As the crisis progresses, Proofpoint researchers believe similar attacks on government agencies in Nato countries are likely.

Moreover, Russia- and Belarus-backed threat groups are expected to use intelligence on refugee movements in Europe for disinformation purposes.

Proofpoint has tentatively linked the SunSeed malware-based phishing effort to a group known as Ghostwriter (Proofpoint tracks the group as UNC1151, part of TA445), which is said to be located in Belarus and said to have ties to its government.

The group was earlier the subject of an alert by Ukraine's Computer Emergency Response Team (CERT-UA).

While the connection has not been entirely proven, Proofpoint stated that the use of compromised email accounts, the timeframe and the victimology are all consistent with Ghostwriter's tactics.

A series of cyber attacks has targeted Ukraine in recent days, beginning shortly before Russia's invasion last week.

Official websites belonging to the Ukrainian parliament, government, and foreign ministry went offline hours before Russia invaded on Thursday.

Cyber security firm ESET said last Thursday that it had discovered data-wiping malware, dubbed HermeticWiper, circulating on hundreds of computers across the country. Initial investigation suggested that the attack had been in the works for the past couple of months.

On Wednesday, US and UK cyber security agencies published a joint Cybersecurity Advisory (CSA) detailing a new malware strain called Cyclops Blink, allegedly being used by a Russia-backed hacking group to target home and office networking devices.

Computing says:

Belarus, a state totally subservient to Russia, has a history of weaponising refugees and migrants. Throughout 2021 its leader, Alexander Lukashenko, flew thousands of migrants from the Middle East and left them at the Polish border in freezing conditions, hoping to trigger a humanitarian crisis in response to sanctions against his country. It is no surprise that the country is adopting a similar tactic in the cyber war currently raging across Europe.