Google uncovers Russian phishing campaign targeting Ukrainian news provider

Russian hackers have conducted several phishing campaigns targeting users of one of Ukraine’s most popular online news providers.

That's according to Google’s Threat Analysis Group (TAG), which has attributed the attacks to the Russia-backed APT28 gang, also known as FancyBear and Strontium.

The phishing emails had been sent from a large number of compromised non-Google accounts, and included links to newly-created, attacker-controlled Blogspot domains, which redirected targets to credential phishing pages with the following domains:

  • id-unconfirmeduser[.]frge[.]io
  • hatdfg-rhgreh684[.]frge[.]io
  • ua-consumerpanel[.]frge[.]io
  • Consumerspanel[.]frge[.]io

The Blogspot domains have since been taken down, Google announced on Monday. The credential phishing pages are flagged as “dangerous” on the Google Chrome browser, as part of Google’s Safe Browsing service. Launched in 2007, the service identifies unsafe websites across the web and notifies users and website owners of potential harm with an attention-grabbing, red warning message.

FancyBear’s phishing campaign against Ukr.net is just one of many attempts by Russian and Belarusian threat actors to target Ukrainian organisations.

The TAG team has also been tracking the notorious Belarusian hacking group known as Ghostwriter, which it has observed launching phishing attacks against the Ukrainian and Polish governments.

The tech giant has also recorded repeated DDoS attempts against Ukraine’s Ministry of Foreign Affairs and Ministry of Internal Affairs, as well as services like Liveuamap that are designed to help people find information. This has prompted Google to expand the eligibility for its free DDoS protection tool known as Project Shield, which sees Google absorb the influx of “bad traffic” and keep the targeted website online.

Google said that “over 150 websites in Ukraine, including many news organisations, are using the service” and encouraged “all eligible organisations to register for Project Shield”.

Eligibility is determined on a rolling basis, with Google accepting Google Account holders that manage or own a website in the news, human rights and political sectors.

Sabina Weston
