This post is specifically intended to raise awareness in our NGO community. Google’s Threat Analysis Group (TAG) has recently been tracking threat actors who have started attack campaigns against NGOs in Europe.

Google quotes: “As the war in Ukraine continues, TAG is tracking an increasing number of financially motivated threat actors targeting Ukraine whose activities seem closely aligned with Russian government-backed attackers. This post provides details on five different campaigns conducted from April to August 2022 by a threat actor whose activities overlap with a group CERT-UA tracks as UAC-0098. Based on multiple indicators, TAG assesses some members of UAC-0098 are former members of the Conti cybercrime group repurposing their techniques to target Ukraine.

UAC-0098 is a threat actor that historically delivered the IcedID banking trojan, leading to human-operated ransomware attacks. The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations.”

Google has published technical indicators to help organisations identify and block attack attempts associated with this threat. Organisations should add these indicators to their internet (web proxy) gateways and email gateways to block them, and should also search existing proxy and mail logs for them, since a match on past traffic means the block came too late and the affected host needs to be investigated. Note that the storage.googleapis[.]com entries point at individual attacker-controlled buckets on a shared Google Cloud Storage service, so block the full URL path rather than the whole domain. The indicators are:

  • https://dropfiles[.]me/download/af46b89ae667c0d0/
  • http://storage.googleapis[.]com/cor1krp299kh13.appspot[.]com/
  • http://storage.googleapis[.]com/xpd9q3z05awvw4.appspot[.]com/
  • http://84.32.190[.]34/KB2533623.exe
  • donaldtr[.]com
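As an added example, not part of the original post or of Google's publication: the script below refangs the indicators listed above, compiles them into matching rules and sweeps a sample of proxy log lines for them. The log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for the example and are not real traffic. One design choice to be aware of: URLs on the shared storage.googleapis.com service are matched on their bucket path only, while the bare IP address and the bare domain are treated as attacker-controlled and matched on the whole host (including subdomains for the domain).

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators exactly as published (defanged with "[.]"), copied from the list above.
INDICATORS = [
    "https://dropfiles[.]me/download/af46b89ae667c0d0/",
    "http://storage.googleapis[.]com/cor1krp299kh13.appspot[.]com/",
    "http://storage.googleapis[.]com/xpd9q3z05awvw4.appspot[.]com/",
    "http://84.32.190[.]34/KB2533623.exe",
    "donaldtr[.]com",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a real URL or hostname."""
    return (ioc.replace("[.]", ".")
               .replace("hxxp://", "http://")
               .replace("hxxps://", "https://"))


def split_host_path(value: str):
    """Return (host, path) for a URL or bare hostname. Scheme and port are
    ignored on purpose: a payload served over http can equally be served
    over https, and both should match."""
    if "://" not in value:
        value = "http://" + value
    parts = urlsplit(value)
    host = (parts.hostname or "").lower().rstrip(".")
    return host, (parts.path or "/")


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_rules(indicators):
    """Compile indicators into (kind, host, path_prefix, ioc) rules.
    - bare domain / bare IP: block the whole host
    - URL on a bare IP: block the whole host (the IP is not shared hosting)
    - URL on a named host: block that path prefix only, so a shared service
      such as storage.googleapis.com is not blocked wholesale"""
    rules = []
    for ioc in indicators:
        host, path = split_host_path(refang(ioc))
        if is_ip(host) or path == "/":
            rules.append(("host", host, "/", ioc))
        else:
            rules.append(("prefix", host, path, ioc))
    return rules


RULES = build_rules(INDICATORS)


def host_matches(host: str, rule_host: str) -> bool:
    """Domain indicators cover their subdomains; IP indicators match exactly."""
    if host == rule_host:
        return True
    return (not is_ip(rule_host)) and host.endswith("." + rule_host)


def match_url(url: str, rules=RULES):
    """Return the first indicator the URL matches, or None."""
    host, path = split_host_path(url)
    for kind, rule_host, prefix, ioc in rules:
        if not host_matches(host, rule_host):
            continue
        if kind == "host" or path.startswith(prefix):
            return ioc
    return None


# Constructed sample proxy log (not real traffic): "<time> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
1662540001.123 10.0.0.12 GET https://dropfiles.me/download/af46b89ae667c0d0/ 200
1662540002.456 10.0.0.12 GET https://storage.googleapis.com/cor1krp299kh13.appspot.com/update.zip 200
1662540003.789 10.0.0.15 GET https://storage.googleapis.com/some-legit-bucket/report.pdf 200
1662540004.001 10.0.0.20 GET http://84.32.190.34/KB2533623.exe 200
1662540005.002 10.0.0.20 GET http://84.32.190.34/other.bin 404
1662540006.003 10.0.0.31 GET http://www.donaldtr.com/index.html 200
1662540007.004 10.0.0.31 GET https://www.example.org/ 200
"""


def scan_proxy_log(log_text: str, rules=RULES):
    """Return (line_number, client_ip, url, matched_ioc) for every hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines instead of aborting the sweep
        client, url = fields[1], fields[3]
        ioc = match_url(url, rules)
        if ioc:
            hits.append((n, client, url, ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("line %d: %s fetched %s (matches %s)" % hit)
```

Running it reports five hits: the legitimate Google Cloud Storage bucket on line 3 and the unrelated site on line 7 are left alone, while the second download from 84.32.190.34 (a file not on the list) and the www. subdomain of donaldtr.com are still flagged because those hosts are matched as a whole. Each hit names a client IP that should be pulled into incident response, not just blocked going forward.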
