The Security Service of Ukraine (SSU), in collaboration with the U.S. Federal Bureau of Investigation (FBI), has uncovered a prolonged cyber espionage campaign orchestrated by Russian intelligence services. This operation targeted messaging accounts of government officials, military personnel, politicians, and activists across Ukraine, Europe, and the United States, aiming to exfiltrate sensitive information.
The attackers employed deceptive SMS messages, posing as support bots from popular messaging platforms. These messages urged recipients to disclose their account credentials, facilitating unauthorized access to private communications and personal data. The SSU emphasized that the campaign’s objective was to obtain sensitive military, political, and economic information exchanged by users, as well as to steal personal data.
While the SSU did not attribute the campaign to a specific hacking group, similar attacks targeting users of Signal and WhatsApp have been linked to Russian threat actors known as Star Blizzard, UNC5792 (also identified as UAC-0195), and UNC4221 (also identified as UAC-0185). These groups have a history of conducting sophisticated phishing operations to compromise high-value targets.
To mitigate the risks associated with such threats, the SSU recommends several precautionary measures:
- Regularly review active sessions in messaging applications and terminate any unrecognized connections.
- Enable two-factor authentication to add an extra layer of security to accounts.
- Avoid scanning QR codes from unknown sources.
- Refrain from sharing confirmation codes, PINs, passwords, or account recovery keys.
- Exercise caution when clicking on links or opening files from unfamiliar or suspicious chats.
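The lure described above (an SMS posing as a messaging platform's support bot and asking the recipient to hand over a confirmation code, PIN, password or recovery key) can be screened for on the receiving side with a simple indicator-based heuristic. The following is an added example, not code from the SSU, FBI or CERT-UA; the sample messages are constructed for the demonstration, the `example.invalid` links are placeholders, and the indicator weights and threshold are assumptions chosen to illustrate the idea rather than tuned values.

```python
"""Heuristic screen for SMS lures that impersonate a messenger's support bot.

Scores inbound SMS text on the indicators named in the article: a named
messaging platform, a claim to be a support/security service, a request to
disclose a confirmation code, PIN, password or recovery key, an embedded
link, and urgency or account-threat language. The weights and threshold are
illustrative assumptions, not tuned values.
"""
import re

# Indicator patterns (case-insensitive). These are deliberately simple so the
# reasoning is visible; a production filter would use a broader vocabulary.
MESSENGER = re.compile(r"\b(signal|whatsapp|telegram|viber)\b", re.I)
SUPPORT_CLAIM = re.compile(
    r"\b(support|security|verification|help)\s*(bot|team|service|desk|centre|center)\b", re.I
)
SECRET_REQUEST = re.compile(
    r"\b(confirmation|verification|recovery|backup)\s+(code|key)s?\b"
    r"|\b(pin|password|passcode)\b",
    re.I,
)
SEND_VERB = re.compile(r"\b(send|reply|enter|provide|share|submit|type)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)
URGENCY = re.compile(
    r"\b(immediately|urgent|suspended|blocked|deleted|deactivated|within \d+ (minutes|hours))\b",
    re.I,
)

SUSPICIOUS_THRESHOLD = 3  # assumed cut-off for the demonstration

# Constructed sample messages (not real captured lures).
SAMPLE_MESSAGES = [
    # Lure: impersonated support bot asking for a confirmation code.
    "WhatsApp Support Bot: unusual login detected. Reply with the 6-digit "
    "confirmation code we just sent or your account will be blocked.",
    # Lure: impersonated security team asking for a recovery key via a link.
    "Signal security team: verify your identity within 24 hours. Enter your "
    "recovery key at https://example.invalid/verify to keep your account.",
    # Benign chatter.
    "Hey, are we still on for lunch tomorrow at 12?",
    # Genuine one-time code: names the platform but asks for nothing.
    "Your WhatsApp code is 482-119. Don't share this code with others.",
    # Benign notification with a link.
    "Your parcel is out for delivery. Track it at https://example.invalid/track",
]


def score_message(text):
    """Return (score, reasons) for one SMS body."""
    score = 0
    reasons = []
    if MESSENGER.search(text):
        score += 1
        reasons.append("names a messaging platform")
    if SUPPORT_CLAIM.search(text):
        score += 1
        reasons.append("claims to be a support/security service")
    if SECRET_REQUEST.search(text):
        # Asking for a secret is the core of the lure, so it weighs most,
        # and weighs more again when paired with an instruction to send it.
        score += 2
        reasons.append("mentions a code, PIN, password or recovery key")
        if SEND_VERB.search(text):
            score += 1
            reasons.append("asks the recipient to send it")
    if LINK.search(text):
        score += 1
        reasons.append("contains a link")
    if URGENCY.search(text):
        score += 1
        reasons.append("uses urgency or account-threat language")
    return score, reasons


def is_suspicious(text, threshold=SUSPICIOUS_THRESHOLD):
    """True when the message meets the flagging threshold."""
    return score_message(text)[0] >= threshold


def screen(messages):
    """Score every message; returns a list of (text, score, reasons)."""
    return [(m, *score_message(m)) for m in messages]


if __name__ == "__main__":
    for text, score, reasons in screen(SAMPLE_MESSAGES):
        flag = "FLAG" if score >= SUSPICIOUS_THRESHOLD else "ok  "
        print(f"{flag} [{score}] {text[:60]!r} {reasons}")
```

The point the heuristic encodes is the one in the article's advice: a legitimate one-time-code SMS names the platform and delivers a code, but never asks the recipient to send a code, PIN, password or recovery key back, so that request is what carries the weight.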
This development aligns with the FBI’s recent identification of Russian Intelligence Services (RIS) cyber threat actors conducting ongoing phishing campaigns targeting commercial messaging applications. These campaigns aim to deceive high-value targets into divulging backup recovery keys, thereby granting attackers access to private communications.
In a related incident, the Computer Emergency Response Team of Ukraine (CERT-UA) attributed a spear-phishing campaign targeting government organizations to the Belarus-aligned threat actor UNC1151, also known as Ghostwriter and UAC-0057. This campaign utilized compromised accounts to distribute an information-stealing malware named OYSTERBLUES.
The persistent nature of these cyber threats underscores the importance of vigilance and robust cybersecurity practices among individuals and organizations. As adversaries continue to refine their tactics, staying informed and implementing recommended security measures are crucial steps in safeguarding sensitive information and maintaining the integrity of communication platforms.