European officials are being targeted by what appears to be a state-sponsored phishing campaign designed to disrupt their efforts to [...], cybersecurity company Proofpoint announced on Wednesday.
According to the company’s researchers, the attackers are probably using a compromised email account of a member of the Ukrainian armed forces to attack officials managing the logistics of refugees fleeing the country. The emails contain a malicious macro attachment that tries to download dangerous malware, which researchers refer to as SunSeed, onto the target’s computer.
The campaign comes as, prompting hundreds of thousands of people to flee and clog Ukrainian border crossings with several countries, including Poland, Hungary, Slovakia and Romania. According to Proofpoint, the campaign may be an attempt to determine where these people, as well as the resources needed to help them, can be further directed.
Although the targeted European officials had different professional backgrounds and responsibilities, the attackers seemed to focus on those responsible for transport, financial and budget allocation, administration, and population movement in Europe.
“This campaign may be an attempt to gain intelligence on the logistics surrounding the flow of funds, supplies and people in NATO member states,” the researchers wrote in their report.
While researchers did not attribute the campaign directly to a specific country or cybercriminal group, they noted that it is technically similar to previous activity by an attacker known as Ghostwriter or TA445, which is believed to have operated outside Belarus.
The attacker was also linked to large disinformation operations designed to manipulate European public opinion about refugees in NATO countries, Proofpoint said.