Charities and non-governmental organizations (NGOs) providing support in Ukraine are targeted in malware attacks aiming to disrupt their operations and relief efforts seeking to assist those affected by Russia’s war.
Amazon did not name the organizations targeted in these attacks in a blog post published on Friday.
“While we are seeing an increase in activity of malicious state actors, we are also seeing a higher operational tempo by other malicious actors.,” Amazon said.
“We have seen several situations where malware has been specifically targeted at charities, NGOs, and other aid organizations in order to spread confusion and cause disruption.
“In these particularly egregious cases, malware has been targeted at disrupting medical supplies, food, and clothing relief.”
The company said it’s working with the employees of multiple NGOs, charities, and aid organizations on humanitarian relief in Ukraine, including UNICEF, UNHCR, World Food Program, Red Cross, Polska Akcja Humanitarna, and Save the Children.
Phishing attacks against European refugee helpers
Proofpoint researchers spotted a similar activity, observing spear-phishing attacks targeting European government personnel involved in logistics support for Ukrainian refugees.
Emails sent in the attacks delivered malicious macro attachments that would download a Lua-based malware dubbed SunSeed, used to deliver additional payloads onto compromised devices.
The campaign, tracked as Asylum Ambuscade, targeted only NATO entities using the compromised email account of a Ukrainian armed service member.
Based on the infection chain, it aligns and is likely related to July 2021 phishing attacks linked to the Ghostwriter Belarusian threat group (also known as TA445 or UNC1151).
Facebook and the Computer Emergency Response Team of Ukraine (CERT-UA) also warned of Ghostwriter phishing campaigns against Ukrainian officials and military personnel.
Before Russia’s invasion, the Ukrainian Security Service (SSU) said the country was being hit by a “massive wave of hybrid warfare.”
This deluge of attacks included DDoS attacks against Ukrainian government agencies and state banks, phishing targeting the Ukrainian military, as well as multiple series of destructive malware attacks [1, 2].
Update: Made it clearer that Amazon did not name any of the targeted organizations.