UNC1151 Targets Belarusian Politician in Phishing Attack

A sophisticated phishing campaign orchestrated by the hacker group UNC1151, also known as Ghostwriter, has recently targeted Yury Hubarevich, a prominent Belarusian pro-democracy politician. This incident underscores the persistent efforts of state-aligned cyber actors to undermine political opposition through digital means.

UNC1151 has a history of activity aligned with the interests of the Belarusian government and, by extension, Russia. The group came to public attention in 2020, when Mandiant documented a campaign, dating back to at least 2017, that compromised legitimate news websites and content management systems to plant fabricated articles; that disinformation operation was named Ghostwriter, and the name is now commonly applied to the group itself. Its operations have since expanded to include spear-phishing campaigns across Eastern Europe, with a particular focus on Poland and Ukraine.

In the recent attack on Hubarevich, the group employed a deceptive email written in Russian, alerting him to alleged suspicious activity on his Google account and urging immediate verification of his login credentials. This social engineering tactic exploits the recipient’s fear of unauthorized access to prompt hasty action.

The email contained a link that redirected Hubarevich to a compromised Ukrainian website, which then forwarded him to a counterfeit Google login page designed to closely mimic the authentic interface. Notably, the fake login page opened a background WebSocket connection that transmitted entered information to the attackers as it was typed. That is what defeated SMS-based and one-time-password multi-factor authentication: the phishing site never had to break the second factor, it only had to let the operator (or an automated kit) submit the relayed code to the real login page before the code expired, a window of tens of seconds for a TOTP code and typically minutes for an SMS code. Any factor that the user types into a page can be relayed this way, which is why even users with MFA enabled remained vulnerable.

Upon submission of credentials, the victim was presented with a message stating, “Account verification has been initiated successfully. You’ll receive further information within 24 hours,” in Russian. This message aimed to allay suspicion and prevent immediate action that could disrupt the attack.

To obscure their activities, the attackers placed their phishing infrastructure behind Bunny CDN, a content delivery network, so that the phishing domains resolved to CDN edge addresses rather than to the servers hosting the kit. The fronting was incomplete, however: investigators found that the TLS certificate issued for one of the phishing domains was also served directly from the origin IP address 45.194.44.44, hosted in Poland under Datagear. A certificate fingerprint seen on a CDN-fronted domain reappearing on a bare IP is a reliable way to locate the origin server, and this discovery provided a crucial lead into the broader network of phishing domains employed by UNC1151.

Further analysis revealed that this phishing attempt was not an isolated incident but part of a larger credential-theft operation targeting individuals in Belarus and Ukraine. By examining certificate data and infrastructure patterns, researchers uncovered a network of phishing domains actively harvesting login credentials from victims across multiple countries.

This campaign highlights the evolving tactics of state-sponsored threat actors like UNC1151, who continue to refine their methods to bypass security measures and exploit human vulnerabilities. Real-time credential relay and CDN fronting are no longer exotic (both are standard features of commodity phishing kits), but their use here shows an actor that adapts its tooling to the defenses its targets actually have, such as OTP-based MFA.

For individuals and organizations, especially those involved in political activism or opposition, this incident serves as a stark reminder of the importance of vigilance against phishing attacks. The practical lesson is that any second factor the user can type can be relayed; only phishing-resistant authentication such as FIDO2/WebAuthn hardware security keys or passkeys defeats this attack, because the browser binds the credential to the real site's origin and will not produce a valid response for a look-alike domain. Security awareness training still has a role in catching the lure (an unexpected Russian-language "suspicious activity" alert, a link that bounces through an unrelated site), but it should be treated as a backstop rather than the primary control.
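To make the point about typed second factors concrete, the following Python script is an illustration added to this article; it is not code from the original report, from the phishing kit, or from Google. It implements RFC 6238 TOTP with the standard library and simulates the relay described above: the code a victim types on the fake page is accepted by the real site a few seconds later. Beside it is a simplified model of a WebAuthn assertion, with HMAC-SHA256 standing in for the authenticator's ECDSA signature and the relying-party ID derived from the page origin as a browser would derive it; the secret, the credential key, the challenge and the two login.example domains are constructed placeholders.

```python
"""Why a real-time phishing relay defeats OTP-style MFA but not an origin-bound key.

Added illustration for this article; none of this is code from the original
report, from UNC1151's phishing kit, or from Google. The TOTP half follows
RFC 6238 using only the standard library. The "hardware key" half is a
simplified model of WebAuthn: the authenticator signs a hash of the relying-
party ID that the *browser* derived from the page origin, and HMAC-SHA256
stands in for the real per-credential ECDSA signature. All secrets and
domain names are constructed placeholders.
"""
import hashlib
import hmac
import struct

TOTP_SECRET = b"constructed-shared-secret"  # constructed; real seeds are random bytes
TOTP_STEP = 30                              # seconds per code (RFC 6238 default)


def totp(secret: bytes, at: float, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of steps elapsed since the epoch."""
    counter = int(at // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: float, skew: int = 1) -> bool:
    """Server-side check; most servers also accept the adjacent steps (skew)."""
    counter = int(at // TOTP_STEP)
    return any(
        hmac.compare_digest(totp(secret, c * TOTP_STEP), code)
        for c in range(counter - skew, counter + skew + 1)
    )


def relay_totp(victim_code: str, typed_at: float, relay_delay: float) -> bool:
    """The phishing page sends each keystroke over a websocket; the operator
    (or an automated kit) submits the code to the real site relay_delay
    seconds later. The code is still inside its validity window, so the
    real site accepts it: nothing about TOTP itself was broken."""
    return verify_totp(TOTP_SECRET, victim_code, typed_at + relay_delay)


# --- simplified origin-bound (WebAuthn-style) assertion -----------------------

def rp_id_hash(origin: str) -> bytes:
    """The browser, not the page, derives the RP ID from the page's origin."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return hashlib.sha256(host.encode()).digest()


def authenticator_sign(cred_key: bytes, origin: str, challenge: bytes) -> bytes:
    """The authenticator signs rpIdHash || sha256(clientData). The origin comes
    from the browser, so a phishing page cannot claim to be the real site."""
    signed = rp_id_hash(origin) + hashlib.sha256(challenge).digest()
    return hmac.new(cred_key, signed, hashlib.sha256).digest()


def rp_verify(cred_key: bytes, expected_origin: str, challenge: bytes, assertion: bytes) -> bool:
    """Relying party recomputes over *its own* origin and the challenge it issued."""
    expected = authenticator_sign(cred_key, expected_origin, challenge)
    return hmac.compare_digest(expected, assertion)


def relay_webauthn(cred_key: bytes, challenge: bytes, phishing_origin: str, real_origin: str) -> bool:
    """Same relay, but the victim touches a security key on the phishing page.
    The browser binds the assertion to the phishing origin, so the real site
    rejects it even though the challenge was relayed in real time."""
    assertion = authenticator_sign(cred_key, phishing_origin, challenge)
    return rp_verify(cred_key, real_origin, challenge, assertion)


if __name__ == "__main__":
    now = 1_700_000_000.0
    code = totp(TOTP_SECRET, now)
    print("TOTP relayed after 5 s accepted:", relay_totp(code, now, 5.0))
    key = b"constructed-credential-key"
    chal = b"challenge-issued-by-real-site"
    print("Key assertion relayed from phishing origin accepted:",
          relay_webauthn(key, chal, "https://login.example.net", "https://login.example.com"))
```

Running it reports that the relayed TOTP is accepted and the relayed key assertion is not. The model leaves out what a real browser does before any signing, which is to refuse to use a credential whose registered RP ID does not match the page's origin; the outcome is the same, the phishing page obtains nothing it can replay.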

As state-aligned cyber operations become increasingly sophisticated, staying informed about emerging tactics and maintaining a proactive security posture are crucial steps in defending against these persistent threats.