{
	"id": "c2789b8b-c711-46bf-aafe-ea3c3baf2170",
	"created_at": "2026-04-06T00:21:52.430728Z",
	"updated_at": "2026-04-10T03:31:25.845932Z",
	"deleted_at": null,
	"sha1_hash": "388dc71abe446aee4237b31b1c49340a7a4e721e",
	"title": "Ukraine links Belarusian hackers to phishing targeting its military",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 829858,
	"plain_text": "Ukraine links Belarusian hackers to phishing targeting its military\r\nBy Sergiu Gatlan\r\nPublished: 2022-02-25 · Archived: 2026-04-05 19:52:26 UTC\r\nThe Computer Emergency Response Team of Ukraine (CERT-UA) warned today of a spearphishing campaign targeting\r\nprivate email accounts belonging to Ukrainian armed forces personnel.\r\nAccounts compromised in these attacks are then used to send additional phishing messages to contacts in the victims'\r\naddress books.\r\nThe phishing emails are being sent from two domains (i[.]ua-passport[.]space and id[.]bigmir[.]space), the former trying to\r\nimpersonate the i.ua free Internet portal providing email services to Ukrainians since 2008.\r\n\"Mass phishing emails have recently been observed targeting private 'i.ua' and 'meta.ua' accounts of Ukrainian military\r\npersonnel and related individuals,\" CERT-UA said earlier today.\r\n\"After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages. 
Later, the attackers\r\nuse contact details from the victim's address book to send the phishing emails.\"\r\nThe emails ask the targets to click an embedded link to verify their contact information and avoid having their email\r\naccounts permanently suspended.\r\nAttacks linked to Belarusian hacking group\r\nCERT-UA's report attributes this ongoing phishing campaign to the UNC1151 threat group, linked by Mandiant researchers\r\nwith high confidence in November 2021 to the Belarusian government and a hacking operation the company tracked as\r\nGhostwriter.\r\nMandiant also found evidence supporting a link between the UNC1151 operators and the Belarusian military, confirming\r\nCERT-UA's assessment that the attackers are actually military cyberspies and officers of the Belarus Ministry of Defense.\r\n\"The Minsk-based group ‘UNC1151’ is behind these activities. Its members are officers of the Ministry of Defence of the\r\nRepublic of Belarus,\" CERT-UA added.\r\nToday, the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) also warned\r\nUkrainian citizens of another active phishing campaign targeting them with malicious documents.\r\n\"The enemy forces aim to gain access to the electronic devices of Ukrainians to gather a large amount of information,\"\r\nSSSCIP said.\r\nA separate alert issued by Slovak internet security firm ESET says cybercriminals are also impersonating humanitarian\r\norganizations in attempts to scam those who would want to donate to organizations focused on helping Ukraine during the\r\nongoing war started by Russia's invasion on Thursday morning.\r\nCyberattacks part of a hybrid warfare campaign\r\nThese developments come on the heels of data-wiping attacks against Ukrainian networks, using the HermeticWiper\r\nmalware and ransomware decoys to destroy data on targets' devices and render them unbootable.\r\nAs Vikram Thakur, Technical Director at Symantec Threat Intelligence, told BleepingComputer, targets 
that were hit in this\r\nweek's wiper attacks also included finance and government contractors from Latvia and Lithuania.\r\nThis was the second time since the start of the year that Ukrainian organizations have been hit by data wipers after the\r\ndestructive WhisperGate malware was deployed in attacks targeting Ukraine disguised as ransomware in January.\r\nThe February DDoS and malware attacks that hit Ukrainian networks align with the Security Service (SSU) Ukraine saying\r\njust over a week ago that the country is being targeted by a \"massive wave of hybrid warfare.\"\r\nSource: https://www.bleepingcomputer.com/news/security/ukraine-links-belarusian-hackers-to-phishing-targeting-its-military/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ukraine-links-belarusian-hackers-to-phishing-targeting-its-military/"
	],
	"report_names": [
		"ukraine-links-belarusian-hackers-to-phishing-targeting-its-military"
	],
	"threat_actors": [
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434912,
	"ts_updated_at": 1775791885,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/388dc71abe446aee4237b31b1c49340a7a4e721e.pdf",
		"text": "https://archive.orkl.eu/388dc71abe446aee4237b31b1c49340a7a4e721e.txt",
		"img": "https://archive.orkl.eu/388dc71abe446aee4237b31b1c49340a7a4e721e.jpg"
	}
}