Belarus may be funding cyberattacks to disrupt refugees fleeing Ukraine

2 Mar 2022

Image: © cendeced/

Cybersecurity company Proofpoint has linked a new phishing campaign targeting European officials to a group based in Belarus.

Cybersecurity researchers have identified what they believe is a new state-sponsored phishing campaign based in Belarus that is targeting European governments in their efforts to manage refugees fleeing from Ukraine.

The state actor is potentially using the compromised email account of a Ukrainian armed forces member to disrupt the logistics involved in the movement of Ukrainian refugees to neighbouring countries such as Poland, Hungary and Slovakia, by delivering a malware known as SunSeed.

Future Human

This is according to US cybersecurity company Proofpoint, which released its findings on the phishing campaign yesterday (1 March), calling it a “weaponisation of migrants and refugees of war through a hybrid information warfare and targeted cyberattack model”.

“This campaign represents an effort to target NATO entities with compromised Ukrainian military accounts during an active period of armed conflict between Russia, its proxies and Ukraine,” Proofpoint researchers said.

Ukraine has been subject to a spate of cyberattacks in recent days, starting just ahead of Russia’s invasion of the country last week.

Proofpoint researchers have tentatively attributed the SunSeed malware-based phishing campaign to a group called Ghostwriter, which is believed to operate out of the eastern European country of Belarus with links to its government.

Ghostwriter is known to have engaged in “a significant volume of disinformation operations” in the past, Proofpoint said, aimed at manipulating European sentiment around the movement of refugees within NATO countries.

The latest phishing attack involved emails that targeted individuals responsible for transportation, finance and budget allocation, and administration of refugee movement from Ukraine into the rest of Europe.

Proofpoint said the potential objective is to gather data on funds, supplies and people in NATO countries. While researchers think that techniques used in the campaign are “not groundbreaking individually”, they can be quite effective if deployed collectively during a “high-tempo conflict”.

Researchers also said that similar attacks against government entities in NATO countries are likely to happen as the invasion of Ukraine continues.

“The possibility of exploiting intelligence around refugee movements in Europe for disinformation purposes is a proven part of Russian and Belarusian state techniques. Being aware of this threat and disclosing it publicly are paramount for cultivating awareness among targeted entities,” the researchers added.

Meta also said this week that it has seen increased targeting of people in Ukraine, including Ukrainian military and public figures, by Ghostwriter.

“We detected attempts to target people on Facebook to post YouTube videos portraying Ukrainian troops as weak and surrendering to Russia, including one video claiming to show Ukrainian soldiers coming out of a forest while flying a white flag of surrender,” wrote Meta’s Nathaniel Gleicher and David Agranovich in a blog post on Sunday (27 February).

“We’ve taken steps to secure accounts that we believe were targeted by this threat actor.”

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Vish Gain is a journalist with Silicon Republic