Google TAG disclosed that multiple cybercriminals are actively targeting NATO and Eastern European countries. These attackers are launching phishing and malware attacks against targeted individuals and organizations. Google’s report has covered three specific groups actively involved in the attacks.


The report has highlighted that the Russian-based threat group, identified as COLDRIVER, is carrying out credential phishing attacks
  • These attacks are aimed at the NATO Center of Excellence and Eastern European militaries.
  • Additionally, the hackers targeted a Ukrainian defense contractor, multiple U.S.-based NGOs, and think tanks.

Curious Gorge group

There’s another hacking group identified as Curious Gorge. 
  • It is associated with China's PLA SSF and has been observed taking part in these attacks. 
  • It has targeted government and military organizations in Russia, Ukraine, Mongolia, and Kazakhstan.

Ghostwriter APT group 

The report further describes credential phishing campaigns by the Belarusian threat actor Ghostwriter.
  • In mid-March, the APT group adopted a novel Browser-in-the-Browser (BitB) phishing technique.
  • It hosted credential phishing landing pages on the compromised sites, which were used to steal login credentials from victims.

Additional attacks 

The report further provides details about financially motivated cybercriminals using additional means, such as the use of current affairs to social engineer their users.
  • In one such instance, the attacker was impersonating military officials, attempting to extort money against a rescue operation for relatives in Ukraine.
  • TAG has observed that multiple ransomware brokers are still operating with their usual operational capability.


The recent attacks aimed at the European government and businesses imply the destructive instincts of cybercriminals who could go to any length. Businesses in impacted regions are suggested to stay alert and proactively follow the recommendations by CERT-UA.
Cyware Publisher