Cybersecurity researchers have been warning us that the war in Ukraine is driving an increase in cyberattacks. And according to Google's Threat Analysis Group, that's what's happened over the past few weeks, with government-backed actors from countries like Russia, North Korea, China, and Iran all reportedly targeting critical infrastructure with previously recognized attack types. Thankfully, Google's also doing something about it.

Back in March, Google warned us all that state-sponsored hackers from China had started targeting Ukraine. Almost immediately, it began shoring up security measures, documenting its efforts to keep customers safe.

More recently, on April 20th, CISA issued an alert in partnership with cybersecurity authorities from other governmental agencies regarding multiple Russian-state-backed attack types and groups, warning everyone to keep an eye out for them. These are groups and attacks with fanciful names like "Berserk Bear," "Cozy Bear," "Fancy Bear" (spoiler, there are a lot of bears here), "Mummy Spider," and "Wizard Spider," among others. The agency offered mitigation approaches for the reported attacks and groups, together with general cybersecurity advice — "what to do if your company gets hacked as part of this and how to prevent it," basically.

The government-announced alert affecting infrastructure was only recently publicly issued, but researchers have been wary for months now, and Google has been on the ball, doing what it can to help prevent some of these attacks from succeeding. Sophisticated as the attack vectors might be once fully active, many of them still rely on relatively basic means of intrusion, capitalizing on our collective passion over the war to coax folks into simple things like opening malicious emails and clicking links.

An image of a Google Drive-based attack and a Google-spoofing phishing attack. Both images via Google.

Some of these attacks try to do things like steal cookies and saved passwords from browsers, including Google's Chrome (as well as Edge and Firefox); others are phishing attacks taking advantage of everything from Google Drive and Microsoft OneDrive to more basic site spoofing. Many of these attacks are highly targeted — "Curious George" was observed attacking military, logistics, and manufacturing organizations in Ukraine, while the "Ghostwriter" campaign aimed to phish Gmail account credentials for specific, "high-risk" individuals in Ukraine.

According to Google, it has identified websites and domains used in these attacks and added them to its Safe Browsing lists, together with other mitigation efforts, to decrease the chances that unwary users end up on them and become vulnerable. Gmail and Workspace users that have been subject to targeted government-backed attacks have been alerted and encouraged to take simple steps to enhance their security — steps like flipping on the Enhanced Safe Browsing feature and making sure you install the latest updates on your devices (advice that Google recommends for anyone that could consider themselves a potential target).

Google's efforts have been so successful that the company says attacks from certain sources, like Ghostwriter's recent phishing campaign, have resulted in zero successfully compromised Google accounts, but the fight continues. Microsoft also recently illuminated some of the cyberattacks that its security researchers have spotted and helped fight in Ukraine, operating under the assumption that Russian state-backed attacks will increase as the war rages on.

Google also recently highlighted the ways it has financially helped the Ukrainian people, providing grants to humanitarian organizations like the International Rescue Committee, pointing out that it's provided cumulatively over $45 million in donations and grants to various groups, plus pro-bono work for organizations.

If you'd like to donate to any humanitarian groups or the Ukrainian people, we put together a list of organizations that can use your help.