Group FROZENBARENTS targets energy sector, Ukraine continues to be Russia’s major cyber focus for the year

Morgan Phisher June 19, 2024

Hey, Bay Area friends and fellow enthusiasts of healthcare and cybersecurity!

Well, the first quarter of this year was no walk in the park. Google’s Threat Analysis Group, aka the cybersecurity knights in shining armor, has been fighting off campaigns waged by some not-so-friendly parties.

Some tech-savvy groups backed by the Russian government have turned their attention to the tense situation in Ukraine. They’ve launched a number of attacks specific to this area. A particularly enthusiastic bunch going by the codename FROZENBARENTS (nope, not a Frozen sequel I’m afraid) have been incredibly busy. As you might have guessed, they’re tied to the GRU Unit 74455 of the Russian Armed Forces – a collection of cyber troublemakers with a fascination for the energy sector.

In fact, most of their targets end up being Ukrainian, with the country on the receiving end of a whopping 60%-plus share of Russian cyber meddling. While they’re at it, this group isn’t shy about switching tactics, either. From credential phishing to malware to some other rather devious methods, there’s a reason we affectionately call them the “multi-tool” of the intelligence world.

Yes, they’re causing havoc, but don’t panic just yet. We’ve seen them at work before. Since 2019, they’ve been using compromised EXIM mail servers globally as part of their network, infiltrating systems and sending out a flood of malicious emails.

FROZENBARENTS has also had its sights set on specific energy players like the Caspian Pipeline Consortium. This grandly named consortium actually controls one of the world’s largest oil pipelines, funneling oil from Kazakhstan to the Black Sea. Throughout the first quarter, FROZENBARENTS led multiple campaigns against energy sector organizations across Europe. They’re renowned for a bit of theatre, even resorting to fake Windows updates to trick their victims.

Our friends at Google also pointed out another group nicknamed FROZENLAKE, haunting the waters of the Ukrainian cyber underworld. They’ve been particularly busy sending out phishing emails and exploiting reflected cross-site scripting flaws (yes, that’s as bad as it sounds) on Ukrainian government websites.

Hang in there, we’re nearly done. A third group popped up on the radar, originating from Belarus. These guys have been relentless in their attacks on webmail providers in Ukraine and the surrounding regions.

And as if that wasn’t enough, a collective from the Internet Research Agency (an organization with a misleadingly innocuous name, I might say) has been busy creating content on Google platforms like YouTube.

Last but not least, there have been other groups showing discernible shifts in their focus, jumping from their regular ransomware game to operations that look suspiciously like intelligence collection.

So, it’s a bit like a chaotic chessboard over there in the cybersecurity world, wouldn’t you say? Everyone’s shifting pieces around, each with their own agenda. Fear not, though, we’re all in this together – with Google and other powerful tech giants on our side, we’re sure to weather the storm.

And remember, friends – as our Bay Area mantra goes, keep surfing, but always stay cyber safe!

by Morgan Phisher | HEAL Security