Google says Russian hackers targeted NATO and eastern European militaries

31 Mar 2022

NATO monument in Brussels. Image: Image: © misu/

Google said there is a growing number of threat actors using the war as a lure in phishing and malware campaigns, but the success rate of these campaigns is unknown.

Russian hackers recently targeted NATO and the militaries of “multiple eastern European countries”, according to Google’s Threat Analysis Group (TAG).

The Google security research unit said the Russia-based threat actor known as Coldriver has previously launched credential phishing campaigns targeting several US-based NGOs, the military of a Balkans country and a Ukraine-based defence contractor.

However, for the first time, it found that the threat actor – sometimes referred to as Calisto – has launched campaigns targeting a NATO Centre of Excellence and a number of eastern European militaries.

“These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown,” TAG said in a blog post yesterday (30 March). “We have not observed any Gmail accounts successfully compromised during these campaigns.”

NATO’s Centres of Excellence are international military organisations that train and educate leaders and specialists from NATO members and partner countries. They cover a wide variety of areas such as civil-military operations, cyber defence, military medicine and energy security.

NATO says it does not directly fund these centres “nor are they part of the NATO command structure”. Google did not specify which Centre of Excellence was targeted by Coldriver.

Last month, a NATO official said that a cyberattack on one of its member states could trigger Article 5, its collective defence clause.

“We will not speculate on how serious a cyberattack would have to be in order to trigger a collective response,” the official told Reuters. “Any response could include diplomatic and economic sanctions, cyber measures, or even conventional forces, depending on the nature of the attack.”

Earlier this month, US president Joe Biden warned companies operating in the country to bolster their cybersecurity efforts as “evolving intelligence” suggested that Russia is planning cyberattacks on the US.

Ukraine phishing scams

Google’s TAG said it has observed a growing number of threat actors using the war in Ukraine as a lure in phishing and malware campaigns.

Researchers at internet security company Cyren also said there has been a huge increase in crypto scams taking advantage of the conflict through the use of fake donation websites.

Ukraine has received more than $70m in crypto donations since the invasion of the country began, as it turned to cryptocurrency and NFTs to fund its defence against Russia.

However, this had created a surge in scam emails with subject lines such as ‘Help Ukraine’. When people donate to these fake websites and groups, the money goes straight to the scammer.

Cyren said it uncovered more than 100,000 emails like this a day from countries around the world.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic