Russian, Chinese, Belarusian hackers increasingly using Ukraine-themed lures in attacks, Google observes

The Threat Analysis Group report sheds light on international efforts to leverage the war in hacking campaigns.
Kyiv, Ukraine
Ukrainian serviceman as seen on the checkpoint in the Independence Square on March 30, 2022 in Kyiv, Ukraine. (Photo by Anastasia Vlasova/Getty Images)

Within the last two weeks, a Russia-based hacking group has targeted several U.S. nongovernmental organizations and think tanks, the military of a Balkans country and a Ukrainian defense contractor, Google reported Wednesday.

The activity, attributed to a group Google calls “Cold River” but others know as “Calisto,” is the first time the Google researchers have observed the group targeting “multiple Eastern European countries, as well as a NATO Centre of Excellence,” Billy Leonard, a Google security engineer, wrote in a blog post for the company’s Threat Analysis Group.

The campaigns used newly-created Gmail accounts and targeted non-Google accounts, so it’s not clear whether the attacks were successful, Leonard notes.

Hackers associated with China, Iran, North Korea and Russia, along with other unattributed groups, are using “various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links.”


A request for comment from NATO was not immediately returned.

The report was part of an update on what Leonard says is a “growing number” of government-backed hacking groups using Russia’s war on Ukraine as a lure in phishing and malware campaigns recently. Hackers associated with China, Iran, North Korea and Russia, along with other unattributed groups, are using “various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links,” Leonard wrote.

Financially-motivated and criminal hackers are also using the war to target victims, such as in once case Google observed where somebody was impersonating military personnel to extort money for rescuing relatives in Ukraine, the report says.

The Russian campaign is just one of many ongoing Russian cyberattacks on Ukraine and other countries both in the run-up to the Feb. 24 invasion and after. Earlier Wednesday, U.S.-based telecommunications firm Viasat released details on a pair of attacks against some of its modems aimed at disrupting Ukrainian communication networks.

China’s role


Less understood is the role of Chinese hacking efforts in connection to Russia’s invasion.

Wednesday’s report calls out a group Google calls “Curious Gorge” that has conducted hacking campaigns against government and military organizations in Ukraine, Russia, Kazakhstan and Mongolia. Google attributes this effort to China’s People’s Liberation Army Strategic Support Force, a division of the Chinese military believed to be involved in the country’s most sensitive cyber-espionage and propaganda missions, CyberScoop reported in 2017.

While the Chinese government has seemingly aligned itself with the Russian position politically, it’s not entirely clear how that applies to China’s prodigious hacking efforts around the world. A Google Threat Analysis Group update on March 7 pointed to a known Chinese hacking group — known variously as “Mustang Panda” or “Temp.Hex” — targeting “European entities” with lures related to the Ukraine invasion. The same day, cybersecurity firm Proofpoint published a detailed breakdown of the Mustang Panda activity.

At the time, Google and Proofpoint’s analyses differed on whether this represented typical hacking activity for the group or a change in targeting and priorities.

Several weeks later, on March 24, Tom Hegel, a senior threat researcher with SentinelOne, published findings identifying a Chinese hacking group known as Scarab as attacking Ukrainian targets with malware designed to give an attacker persistent access to a targeted computer to deliver additional malware.


Wednesday’s update also documented Ghostwriter, a hacking group associated with the Belarusian government, using a “browser in browser” technique to host a credential-stealing web page on top of a compromised website.

Russia declared war against Ukraine on Feb. 24., 2022. Before, during and after the military campaign began, the CyberScoop staff has been tracking the cyber dimensions of the conflict.

This story was featured in CyberScoop Special Report: War in Ukraine

Latest Podcasts