Telegram users are the target of a new wave of cyberattacks, according to a warning from Ukraine’s technical security and intelligence service. The attackers send malicious links inside a fake alert claiming that a login attempt was detected from a device in Russia and urging the recipient to click the link.
If a victim clicks the link, the attackers can gain unauthorised access to the victim’s records, including the one-time passwords (OTPs) sent to their text message inbox. The campaign has been linked to a threat group tracked as UAC-0094.
The phishing pages require victims to enter their mobile numbers and OTPs, which lets the threat actors take over their Telegram accounts.
Analysts noted that this ongoing campaign resembles a March phishing operation that used compromised inboxes at Indian firms to send phishing emails to UKR[.]NET users and take over their accounts.
Ukraine’s Computer Emergency Response Team (CERT-UA) also analysed another social engineering campaign in which war-themed phishing emails were sent to Ukrainian government agencies as a vehicle for cyberespionage and malware distribution. The emails carry an HTML attachment titled ‘War Criminals of the Russian Federation.htm’, which is designed to execute a PowerShell-based implant on the victim’s device.
This campaign is attributed to the Russia-based Armageddon threat group, which is associated with the Federal Security Service (FSB), an agency known for attacking Ukrainian enterprises since 2013. Armageddon was observed in February 2022 conducting an espionage operation against government, NGO, military, judiciary, and non-profit targets with the aim of stealing sensitive data.
CERT-UA also identified several other phishing campaigns over the preceding weeks that deployed various malware strains, including SPECTR, GrimPlant, GraphSteel, LoadEdge, and HeaderTip.
Several security analysts have also observed hacking groups attacking Ukrainian entities in March 2022, including the ICTV television network, through a spear-phishing operation that led to the delivery of the GrimPlant backdoor.
Taken together, these disclosures describe successive campaigns by various APT groups against numerous entities worldwide, with the groups using the current war between Russia and Ukraine as a pretext for their malicious activity.