Cyber criminals are ‘drinking the tears’ of Ukrainians

In biology, when an insect drinks the tears of a large creature, it is called lachryphagy. And in cyberspace, malicious actors are likewise “drinking tears” by exploiting humanitarian concerns about the war in Ukraine for profit. Different forms of deception include tricking people into donating to bogus charities, clicking on Ukraine-themed malicious links and attachments, and even impersonating officials to extort payment for rescuing loved ones.

It is an unfortunate reality that cyber opportunists are engaging in lachryphagy to exploit humanitarian concerns about the war for profit or data collection. To date, one of the largest cryptocurrency scams involving fraudulent Ukrainian relief payments totaled $50 million in March, the Wall Street Journal reports.

Immediately following Russia’s invasion of Ukraine, cybersecurity companies warned the public that criminals were preying on Ukrainian relief fundraising efforts with cryptocurrency scams. Bitdefender Labs reports that cybercriminals have impersonated Ukrainian government entities and charitable organizations such as UNICEF, and the Australian humanitarian agency, Act for Peace. “Some [scammers] are even pretending to be Wladimir Klitschko, whose brother Vitali is mayor of Ukraine’s capital, Kyiv,” according to the BBC.

Hackers copy the message format of legitimate organizations to trick and exploit people’s genuine concerns. Bitdefender estimates “the variety of phishing and malware campaigns, as well as the volume of messages sent daily, [will] increase steadily,” and that attackers will continue to adapt their methods and techniques. In response to this mounting threat, the United Kingdom’s National Fraud & Cyber Crime Reporting Centre issued a public advisory on cryptocurrency investment scams capitalizing on the crisis. 

Apart from fueling criminal enterprises, some cyber actors are also leveraging the war for cyberespionage purposes. State-sponsored actors from China, Russia, Iran and North Korea are using Ukraine-war related content as phishing lures for cyberespionage activities. This includes fooling targets into clicking on malicious email links and opening attachments embedded with malware. For example, Google’s Threat Analysis Group issued an advisory notice about a China-based threat actor, “Mustang Panda,” targeting European entities by using phishing lures related to the war in Ukraine. One malicious zip file was titled “Situation at the EU borders with Ukraine.zip,” which, upon execution, “downloads several additional files that load the final payload.” 

Recently, Ukraine’s Cyber Emergency Response Team (CERT) published a threat report about a malicious email campaign using the subject line “Volodymyr Zelensky presented the Golden Star Orders to servicemen of the Armed Forces of Ukraine and members of the families of the fallen Heroes of Ukraine.” This fake email header was designed to deceive targets into clicking on the link, which contained a malicious JavaScript code that would “add a third-party email address to the configuration of the victim’s email account in order to then forward user emails to it.”

In addition to malicious clickbait, Google’s Threat Analysis Group reported that the cyber threat actor “Curious Gorge,” affiliated with China’s People Liberation Army Strategic Support Force, is targeting government and military organizations in Ukraine, Russia, Kazakhstan and Mongolia. In response to the increased targeting of Ukrainian websites, Google expanded its free Project Shield service, which now supports more than 150 licensed Ukrainian websites.

Writing in The Atlantic, Eliot A. Cohen reasons that the Ukraine war is entering into a new, “possibly decisive” phase in which the “United States and its allies can tip the balance between a costly success and a calamity.”

As part of this new phase, the world may observe more audacious cyber operations, such as the February hack of European satellite modems supplied by Viasat, a U.S. satellite company. On Feb. 24, hackers used wiper malware to sabotage Viasat’s modems in Ukraine. This malware, named “AcidRain” by Sentinel One, also disrupted internet services across Europe and 5,800 Enercon wind turbines in Germany. Though the attack has not been publicly attributed by U.S. government officials, the Cybersecurity and Infrastructure Agency (CISA) and the FBI are urging satellite communication providers and customers to implement specific risk mitigation measures and to report cyber incidents.

Collaboration between the public and private sectors, and with international government agencies, to neutralize malicious cyber activity is a potent vanguard. The joint U.S. government agency alert on April 13 about malware called “PIPEDREAM” (also called “INCONTROLLER”) is a model example of cross-industry cooperation and communication to thwart malicious cyber activity. The malware was designed to target industrial control systems and supervisory control and data acquisition devices.

If a new phase of disruptive cyber operations in Ukraine does come to pass, a unity of effort in threat information sharing and supportive action will become even more critical.

Zhanna L. Malekos Smith is a nonresident senior associate with the Strategic Technologies Program and the Aerospace Security Project at the Center for Strategic and International Studies (CSIS) in Washington, an assistant professor in the Department of Systems Engineering at the U.S. Military Academy at West Point, and an affiliate faculty member with the Modern War Institute. The views expressed here are solely those of the author and not those of CSIS, the Department of Defense, or the U.S. government.