Colin Thierry
Published on: March 1, 2022

Meta said on Feb. 27 that it took down accounts used by a Belarusian-linked hacking group (UNC1151 or Ghostwriter) to target Ukrainian officials and military personnel on Facebook.

In November, Mandiant security researchers linked the UNC1151 threat group to the Belarusian government, along with a hacking operation the company tracks as Ghostwriter.

Facebook also blocked multiple phishing domains used by the threat actors to try and breach the accounts of Ukrainian users.

“We detected attempts to target people on Facebook to post YouTube videos portraying Ukrainian troops as weak and surrendering to Russia, including one video claiming to show Ukrainian soldiers coming out of a forest while flying a white flag of surrender,” said Meta’s Head of Security Policy Nathaniel Gleicher and Threat Disruption Director David Agranovich.

“We also blocked phishing domains these hackers used to try to trick people in Ukraine into compromising their online accounts.”

Accounts believed to be targeted in this campaign were secured by Facebook’s security team, and the users were also alerted of the hacking attempts.

Facebook also took down a small network of a few dozen Facebook and Instagram Pages and Groups operating from Russia and Ukraine targeting Ukrainians with fake accounts across multiple social media platforms, including Facebook, Instagram, Twitter, YouTube, Telegram, and more.

Additionally, this operation was behind a small number of sites that were posing as independent news sites and publishing claims about Ukraine being betrayed by the West and “being a failed state.”

Meta’s report confirms a warning issued by the Computer Emergency Response Team of Ukraine (CERT-UA) on Friday in regard to spearphishing attacks targeting the private email accounts of the Ukrainian military.

The email accounts compromised in these attacks were used to target the victims’ contacts with similar phishing messages threatening to permanently disable their accounts unless they verified their contact information.

These attacks follow data-wiping attacks on Feb. 23 against Ukrainian networks with HermeticWiper malware and, in some cases, Golang-based ransomware decoys. This was the second data wiper used against Ukrainian networks since the beginning of 2022. Microsoft disclosed in January a destructive data-wiping malware called WhisperGate that was also disguised as malware and used in attacks against Ukrainian organizations.

The malware attacks on Feb. 23 occurred together with DDoS attacks against Ukrainian government agencies and state-owned banks, similar to the attack deployed on Feb. 16, which impacted Ukrainian government websites and banks.