GhostWriter is a state-sponsored threat group that has targeted individuals in Poland, Latvia, and Lithuania. Its campaign began in mid-2020, and the actors behind these attacks have since been linked to UNC1151, a Minsk-based, state-sponsored APT group that runs malware campaigns and credential-harvesting attacks. UNC1151 has been targeting Ukrainian government officials and military personnel with mass phishing emails. Once an account is compromised, the attackers read all of its messages over IMAP, then use the contact details in the victim's address book to send further phishing emails.
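The post-compromise step described above (reading a mailbox over IMAP from wherever the attacker sits) is something a mail administrator can look for. The following is an added example, not code from the article or from any vendor: it learns a per-user baseline of source IPs and countries from historical IMAP logins and flags logins for the day under review that fall outside it. The log format (`imap-login user=… ip=… country=…`) and all sample lines are constructed for illustration and do not correspond to any real mail server's output.

```python
import re
from collections import defaultdict

# Constructed historical logins; the per-user baseline is learned from these.
BASELINE_LOG = """\
2022-02-01T08:01:10Z imap-login user=alice@example.org ip=203.0.113.10 country=PL
2022-02-01T08:05:42Z imap-login user=alice@example.org ip=203.0.113.10 country=PL
2022-02-02T09:12:03Z imap-login user=alice@example.org ip=203.0.113.11 country=PL
2022-02-01T10:00:00Z imap-login user=bob@example.org ip=192.0.2.5 country=LT
"""

# Constructed logins for the day under review.
TODAY_LOG = """\
2022-02-03T02:44:19Z imap-login user=alice@example.org ip=198.51.100.77 country=XX
2022-02-03T02:45:00Z imap-login user=alice@example.org ip=198.51.100.77 country=XX
2022-02-03T09:30:00Z imap-login user=alice@example.org ip=203.0.113.12 country=PL
2022-02-03T10:00:00Z imap-login user=bob@example.org ip=192.0.2.5 country=LT
"""

# Assumed (constructed) line layout: "<ts> imap-login user=<addr> ip=<ip> country=<cc>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) imap-login user=(?P<user>\S+) ip=(?P<ip>\S+) country=(?P<cc>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def build_baseline(events):
    """Per user: the set of source IPs and the set of countries seen historically."""
    baseline = defaultdict(lambda: {"ips": set(), "countries": set()})
    for e in events:
        baseline[e["user"]]["ips"].add(e["ip"])
        baseline[e["user"]]["countries"].add(e["cc"])
    return baseline


def find_anomalies(events, baseline):
    """Return (event, reason) pairs for logins outside the user's baseline.

    A login from a country never seen for that user is the stronger signal.
    A new IP inside a known country is reported at lower severity, because
    home users change addresses routinely.
    """
    findings = []
    for e in events:
        known = baseline.get(e["user"])
        if known is None:
            findings.append((e, "high: no history for user"))
        elif e["cc"] not in known["countries"]:
            findings.append((e, "high: new country"))
        elif e["ip"] not in known["ips"]:
            findings.append((e, "low: new ip in known country"))
    return findings


def review(baseline_text=BASELINE_LOG, today_text=TODAY_LOG):
    """Learn the baseline from historical lines and score the new lines against it."""
    baseline = build_baseline(parse_log(baseline_text))
    return find_anomalies(parse_log(today_text), baseline)


if __name__ == "__main__":
    for event, reason in review():
        print(f"{event['ts']} {event['user']} {event['ip']} {event['cc']} -> {reason}")
```

In the constructed data, alice's two early-morning logins from an unfamiliar country are reported as high severity and her new address inside Poland as low; bob's login matches his baseline and is not reported. In a real deployment the baseline window should be long enough to cover travel and ISP address churn, and a high-severity hit on an account that then starts sending mail to its own address book is the pattern the paragraph above describes.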
APT28 is one of Russia's longest-running APTs; its operations date back to at least 2007. The group supports Russia's strategic operations against the U.S., countries of the former Soviet Union, Europe, and now Asia. Its attacks mostly target the defense and military sectors of the countries concerned. To advance Russia's national interests, APT28 compromises the target's operations, steals its data, and then leaks it to the Russian government.
Also known as Fancy Bear, Pawn Storm, Tsar Team, STRONTIUM, and Sofacy Group, APT28 carries out its attacks using spoofed websites and phishing emails containing malicious links.
Recently, APT28 has allegedly attacked Eastern European countries using Empire (a PowerShell post-exploitation framework) and Invoke-Obfuscation (a PowerShell obfuscation tool). Its operators have also been using the MSHTML remote code execution vulnerability, CVE-2021-40444.
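Documents that exploited CVE-2021-40444 were described in public reporting as Office files whose relationship part points an OLE object at a remote page through the `mhtml:` protocol handler, rather than at an embedded object inside the package. An added example, not from the article or from any project, of a triage check for that indicator: it opens a `.docx` container, walks every `.rels` part, and reports `oleObject` relationships that are external and resolve via `mhtml:` or a remote URL. The sample documents are constructed in memory with a placeholder hostname, and the check is a heuristic (an assumption of this example, not a complete detection for the vulnerability).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespace and relationship type for OLE objects (standard values).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def scan_docx(data):
    """Return (part_name, target) pairs for external oleObject relationships
    whose target uses the mhtml: handler or a remote http(s) URL.

    A legitimate embedded object has an internal target such as
    embeddings/oleObject1.bin; an external, remotely resolved OLE target is the
    pattern worth a closer look.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != OLE_TYPE:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                lowered = target.lower()
                if external and (lowered.startswith("mhtml:") or lowered.startswith("http")):
                    findings.append((name, target))
    return findings


def build_sample(rels_xml):
    """Constructed minimal docx-like container holding the given relationships part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed benign relationships: the OLE object lives inside the package.
BENIGN_RELS = f"""<?xml version="1.0"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OLE_TYPE}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

# Constructed suspicious relationships: external OLE target fetched via mhtml:
# (placeholder host, not a real indicator).
SUSPICIOUS_RELS = f"""<?xml version="1.0"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId2" Type="{OLE_TYPE}" Target="mhtml:http://placeholder.invalid/x.html" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, scan_docx(build_sample(rels)))
```

Run it over a quarantined attachment by passing the file's bytes to `scan_docx`; an empty list means no external OLE targets were found, not that the file is safe, so the check belongs alongside the vendor patch for CVE-2021-40444 rather than in place of it.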
Other threat actors include Turla, COLDRIVER, and Curious Gorge.