Cyber Daily


Proofpoint reports new state-sponsored threat exploiting Ukraine crisis

A new phishing attack could be exploiting the Ukraine crisis to target European government officials, Proofpoint has revealed.

Reporter
Wed, 02 Mar 2022

Cyber security company Proofpoint has identified a likely state-sponsored phishing campaign potentially using a compromised Ukrainian armed service member’s email account to target European government personnel involved in assisting refugees fleeing war-torn Ukraine.

The email reportedly included a malicious macro attachment designed to bait recipients into downloading Lua-based malware known as SunSeed.

According to Proofpoint, the attack resembles a previous campaign identified in July 2021, suggesting the same malicious actor could be responsible for this latest campaign.


The identification of this latest phishing campaign follows warnings from the Ukrainian Computer Emergency Response Team (CERT-UA) and the State Service of Special Communications and Information Protection of Ukraine.

The agencies have flagged attacks targeting private email accounts of Ukrainian armed service members by UNC1151, monitored by Proofpoint as part of its tracking of threat actor TA445, reportedly based in Belarus.

“While Proofpoint has not definitively attributed this campaign to the threat actor TA445, researchers acknowledge that the timeline, use of compromised sender addresses aligning with Ukrainian government reports, and the victimology of the campaign align with published TA445 tactics to include the targeting and collection around refugee movement in Europe,” Proofpoint noted in a statement.

Proofpoint is expecting proxy actors like TA445 to continue targeting European governments to gather intelligence around the movement of refugees from Ukraine and other issues of importance to the Russian government.

“TA445, which appears to operate out of Belarus, specifically has a history of engaging in a significant volume of disinformation operations intended to manipulate European sentiment around the movement of refugees within NATO countries,” Proofpoint added.

“These controlled narratives may intend to marshal anti-refugee sentiment within European countries and exacerbate tensions between NATO members, decreasing Western support for the Ukrainian entities involved in armed conflict.

“This approach is a known factor within the hybrid warfare model employed by the Russian military and by extension that of Belarus.”

Proofpoint noted that its decision to publish this report aimed to “balance accuracy with responsibility”, disclosing “actionable intelligence” amid a “high-tempo conflict”.
