Phishing Campaigns Targeting Defense and Aerospace Sectors Amid Ukraine Conflict


A large phishing campaign targeting defense and aerospace organizations connected to the war in Ukraine has been uncovered. Active from December 2024 to March 2025, it combined lookalike (typosquatted) domains with purpose-built credential-harvesting infrastructure. Its goal was to steal webmail login credentials from organizations supporting Ukraine’s military effort by luring users to fake webmail login pages. In total, 878 spoofed domains were identified, served by 12 mail servers, with targets spread across defense-related organizations in multiple countries.

Phishing Infrastructure and Domain Spoofing Techniques

The attackers used domains hosted on GHOSTnet VPS infrastructure and registered through the Spaceship registrar to build lookalikes of legitimate organizations’ domains. The lookalikes relied on subtle typos or single-character changes that are easy to miss in an address bar or a From header. For example, “kroboronprom[.]com” (the leading “u” dropped) mimicked Ukraine’s state-owned arms manufacturer, Ukroboronprom, while “rheinemetall[.]com” (an extra “e” inserted) imitated the German defense contractor Rheinmetall.
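
To show how such lookalikes are generated and caught, here is an added example (not DomainTools’ tooling and not code from the article) that enumerates every one-character edit of a protected brand label and classifies observed domains by the edit that produced them. The protected-domain list and the “observed” registrations are constructed for illustration; the first two observed entries are the page’s own examples, undefanged so the code runs. A single-label public suffix (example.com, not example.co.uk) is assumed.

```python
"""Typosquat detection for the lookalike technique described above.

Added example, not the article's or DomainTools' code. PROTECTED and
OBSERVED are constructed; a single-label public suffix is assumed.
"""
import string

ALPHABET = string.ascii_lowercase + "-"

# Constructed: second-level label -> the legitimate registrable domain.
PROTECTED = {
    "ukroboronprom": "ukroboronprom.com",
    "rheinmetall": "rheinmetall.com",
}


def variants(label):
    """Yield (lookalike_label, technique) for one brand label.

    Techniques are ordered so the most specific explanation is recorded
    first when the same string is reachable by several edits.
    """
    n = len(label)
    for i in range(n):                        # drop one char: ukroboronprom -> kroboronprom
        yield label[:i] + label[i + 1:], "omission"
    for i in range(n - 1):                    # swap adjacent chars
        if label[i] != label[i + 1]:
            yield label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition"
    for i in range(n):                        # double one char: rheinmetall -> rheinmettall
        yield label[:i] + label[i] + label[i:], "repetition"
    for i in range(n + 1):                    # insert one char: rheinmetall -> rheinemetall
        for c in ALPHABET:
            yield label[:i] + c + label[i:], "insertion"
    for i in range(n):                        # replace one char
        for c in ALPHABET:
            if c != label[i]:
                yield label[:i] + c + label[i + 1:], "replacement"


def build_lookup(protected=PROTECTED):
    """Precompute every one-edit lookalike of every protected label."""
    table = {}
    for label, legit in protected.items():
        for v, technique in variants(label):
            if v.startswith("-") or v.endswith("-") or "--" in v:
                continue                      # not valid or not plausible DNS labels
            table.setdefault(v, (legit, technique))
    return table


def registrable_label(domain):
    """Second-level label of a hostname (single-label public suffix assumed;
    use a public-suffix list in production)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(observed, protected=PROTECTED):
    """Map each observed domain to (legitimate_domain, technique).

    Subdomains are judged by their registrable label, so a host such as
    cryptshare.<lookalike> is attributed to the same brand as its parent.
    Exact protected domains are not reported; the same label under another
    TLD is reported as a tld-swap.
    """
    lookup = build_lookup(protected)
    hits = {}
    for domain in observed:
        label = registrable_label(domain)
        registrable = ".".join(domain.lower().split(".")[-2:])
        if label in protected:
            if registrable != protected[label]:
                hits[domain] = (protected[label], "tld-swap")
            continue
        if label in lookup:
            hits[domain] = lookup[label]
    return hits


# Constructed sample of "observed" registrations (e.g. from CT logs or a
# new-domain feed); the first two mirror the page's examples.
OBSERVED = [
    "kroboronprom.com",
    "rheinemetall.com",
    "cryptshare.rheinemetall.com",
    "ukroboronprom.eu",
    "rheinmetall.com",
    "example.org",
]

if __name__ == "__main__":
    for domain, (legit, technique) in sorted(classify(OBSERVED).items()):
        print(f"{domain:32} -> lookalike of {legit} ({technique})")
```

Feeding this the page’s two examples yields “omission” for kroboronprom[.]com and “insertion” for rheinemetall[.]com; the variant table is small (a few hundred strings per brand), so it can be rebuilt on every run of a certificate-transparency or new-registration feed.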

To collect the credentials, the attackers ran Mailu, an open-source mail server platform, on this infrastructure and served phishing pages from it that were styled as corporate webmail portals. Victims who entered their username and password on these pages handed them directly to the attackers.

Operational Infrastructure and Attack Patterns

The phishing campaign relied on 12 primary mail exchange (MX) domains, such as “hungry-shark[.]site” and “stupid-buddy[.]mom,” which handled mail for the spoofed domains. Those spoofed domains targeted entities across 11 countries, and their distribution shows a clear focus on high-value sectors:

  • Ukraine-based defense: 101 spoofed domains targeting Ukrainian defense organizations.
  • U.S.-based IT: 93 spoofed domains targeting IT firms in the U.S.
  • Turkey-based defense: 82 spoofed domains targeting

Beyond lookalike domains, the attackers spoofed the sender fields of their emails so that messages appeared to come from internal communications, for instance an IT or helpdesk notice. These emails directed recipients to the fraudulent webmail login pages.
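
The following is an added example of the header checks a mail gateway or SOC script would run against this sender-impersonation pattern; it is not the article’s or DomainTools’ code. The defender’s domain (example-defense.com), the three sample messages and their Authentication-Results lines are constructed; the two IOC domains are the MX domains named on this page. It flags display-name spoofing of an internal address, Return-Path and Reply-To that disagree with From, SPF/DMARC failures stamped by the receiving MX, and body links that land on IOC infrastructure.

```python
"""Inbound mail triage for the sender-impersonation pattern described above.

Added example, not the article's or DomainTools' code. INTERNAL_DOMAINS and
the SAMPLE_* messages are constructed; IOC_DOMAINS are the two MX domains
named in the report. Plain-text bodies are assumed.
"""
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-defense.com"}                 # assumed: our own domain(s)
IOC_DOMAINS = {"hungry-shark.site", "stupid-buddy.mom"}    # from the report
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def _domain(addr):
    """Domain part of an address, lower-cased; '' if there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _matches_ioc(host):
    """True if host is an IOC domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def triage(raw_message):
    """Return a sorted list of finding tags for one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    findings = set()

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])

    # 1. Any sender-side domain on the campaign's IOC list.
    if any(_matches_ioc(d) for d in (from_dom, rp_dom, reply_dom) if d):
        findings.add("ioc-domain")

    # 2. Display name carries our own domain while the real From address is
    #    external: the "looks internal" trick described in the report.
    if from_dom not in INTERNAL_DOMAINS and any(
        d in display_name.lower() for d in INTERNAL_DOMAINS
    ):
        findings.add("display-name-impersonation")

    # 3. Envelope sender or Reply-To pointing somewhere other than From.
    if rp_dom and rp_dom != from_dom:
        findings.add("return-path-mismatch")
    if reply_dom and reply_dom != from_dom:
        findings.add("reply-to-mismatch")

    # 4. SPF/DMARC verdict (header assumed to be stamped by our own MX).
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        findings.add("auth-fail")

    # 5. Links in the body that land on IOC infrastructure.
    if msg.is_multipart():
        body = "\n".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    else:
        body = str(msg.get_payload())
    if any(_matches_ioc(h.lower()) for h in URL_RE.findall(body)):
        findings.add("ioc-link")

    return sorted(findings)


# Constructed sample 1: attacker-owned IOC domain, an internal address smuggled
# into the display name; SPF passes because the attacker controls the domain.
SAMPLE_DISPLAY_NAME = """\
From: "it-support@example-defense.com" <it-support@hungry-shark.site>
Return-Path: <bounce@hungry-shark.site>
To: analyst@example-defense.com
Subject: Mailbox quota exceeded - re-authenticate
Authentication-Results: mx.example-defense.com; spf=pass smtp.mailfrom=hungry-shark.site; dmarc=none
Content-Type: text/plain

Your mailbox is full. Sign in at https://webmail.example-defense.hungry-shark.site/login to continue.
"""

# Constructed sample 2: From forged as our own domain, envelope and Reply-To on
# an IOC domain, DMARC fails at the receiving MX.
SAMPLE_FORGED_FROM = """\
From: IT Helpdesk <helpdesk@example-defense.com>
Return-Path: <x@stupid-buddy.mom>
Reply-To: helpdesk@stupid-buddy.mom
To: analyst@example-defense.com
Subject: Password expiry
Authentication-Results: mx.example-defense.com; spf=fail smtp.mailfrom=stupid-buddy.mom; dmarc=fail header.from=example-defense.com
Content-Type: text/plain

Renew your password: https://stupid-buddy.mom/owa
"""

# Constructed sample 3: a legitimate internal notice.
SAMPLE_CLEAN = """\
From: IT Helpdesk <helpdesk@example-defense.com>
Return-Path: <helpdesk@example-defense.com>
To: analyst@example-defense.com
Subject: Scheduled maintenance
Authentication-Results: mx.example-defense.com; spf=pass smtp.mailfrom=example-defense.com; dmarc=pass header.from=example-defense.com
Content-Type: text/plain

Webmail at https://webmail.example-defense.com/ will be unavailable on Saturday.
"""

if __name__ == "__main__":
    for name, raw in [("display-name", SAMPLE_DISPLAY_NAME),
                      ("forged-from", SAMPLE_FORGED_FROM),
                      ("clean", SAMPLE_CLEAN)]:
        print(f"{name:13} {triage(raw)}")
```

Note that the first sample passes SPF: the attacker legitimately owns hungry-shark[.]site, so authentication results alone do not catch it. The display-name and link checks are what fire, which is why a gateway policy that only enforces SPF/DMARC would have let this campaign’s mail through.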

Malware Distribution and Expanded Attack Surface

Although the primary goal of the campaign was credential theft, the threat actor also stood up a subdomain, “cryptshare.rheinemetall[.]com,” that mimicked the legitimate Cryptshare secure file-transfer service. The page gated file downloads behind a password, which raises the possibility, without confirming it, that the same infrastructure was used to distribute malware between January and February 2025.

Additional domains, including “ukrtelecom[.]eu” and “funky-bober[.]art,” were tied to the phishing activity through WHOIS data and shared infrastructure patterns. These domains showed several characteristics intended to evade detection:

  • Decentralized VPS hosting, so that blocking one host or provider range does not take down the campaign.
  • Whimsical, non-brand domain names (e.g., rainbow-pony[.]buzz) that do not trip brand-based monitoring.
  • TLS on the phishing pages, so that the browser padlock gave victims no warning.

Cyber Espionage and Geopolitical Implications

The campaign has raised significant concerns about cyber espionage tied to the Ukraine conflict. The analysis assesses that the attackers were collecting intelligence related to the war. Key indicators supporting this assessment include:

  • Sector Focus: 73% of the spoofed domains targeted defense and aerospace firms involved in supporting Ukraine.
  • Geopolitical Alignment: There was a clear emphasis on NATO member states, including France, the UK, and Turkey, which have been supplying military aid to Ukraine.
  • TTP Consistency: The infrastructure and tactics used by the attackers resemble patterns typically associated with Russian-aligned Advanced Persistent Threat (APT) groups, although the perpetrators remain unattributed.

This phishing campaign underscores the growing threats to critical supply chains in conflict zones, highlighting the need for robust cybersecurity practices, especially in defense sectors.

Recommended Security Measures

Organizations should take proactive steps to defend against such attacks:

  1. Domain Monitoring: Continuously monitor new domain registrations and certificate transparency logs for typosquatting variants of your organization’s domains, and of the domains of key partners and suppliers.
  2. Multi-Factor Authentication: Require MFA on all webmail and email systems, and prefer phishing-resistant methods (FIDO2/WebAuthn) where possible, since a fake login page can relay one-time codes as easily as passwords.
  3. Network Traffic Analysis: Watch for connections to the GHOSTnet VPS ranges cited in the report (5.230.xx.xx and 5.231.1.xx). Treat such hits as leads rather than verdicts: the ranges belong to a commercial hosting provider and also carry legitimate traffic, so corroborate with the destination hostname or the published IOC list before blocking.
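
As an added example of recommendation 3 in practice (not the article’s or DomainTools’ code), the script below scores outbound-connection log lines: an address inside the cited GHOSTnet ranges alone is only a low-severity lead, and it is escalated when the TLS SNI hostname is one of the report’s IOC domains or follows its whimsical-name pattern. The log format, the allowlist and the log lines are constructed; reading “5.230.xx.xx” as 5.230.0.0/16 and “5.231.1.xx” as 5.231.1.0/24 is an assumption, and the real list should be taken from the published IOCs.

```python
"""Proxy/firewall log triage for the GHOSTnet VPS recommendation above.

Added example, not the article's or DomainTools' code. LOG format, ALLOWLIST
and SAMPLE_LOG are constructed; the CIDR readings of the page's ranges are
assumptions; IOC_DOMAINS are the domains named on the page.
"""
import ipaddress
import re

WATCH_RANGES = [ipaddress.ip_network("5.230.0.0/16"),   # assumed reading of 5.230.xx.xx
                ipaddress.ip_network("5.231.1.0/24")]   # assumed reading of 5.231.1.xx
IOC_DOMAINS = {"hungry-shark.site", "stupid-buddy.mom", "kroboronprom.com", "rheinemetall.com"}
WHIMSICAL_TLDS = {"site", "mom", "buzz", "art"}          # TLDs the report's naming favoured
ALLOWLIST = {"example-defense.com", "rheinmetall.com"}   # assumed: own and partner domains

# Constructed line format: <ts> <src> -> <dst>:<port> sni=<hostname>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) sni=(?P<sni>\S*)$")


def registrable(host):
    """Last two labels of a hostname (single-label public suffix assumed)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score(line):
    """Return (severity, reasons) for one log line, or None if nothing fires.

    'high'   range hit corroborated by an IOC or whimsical-TLD hostname
    'medium' IOC hostname on any address
    'low'    range hit alone (hosting provider: review, do not auto-block)
    'info'   whimsical TLD alone (weak signal)
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dst = ipaddress.ip_address(m["dst"])
    host = m["sni"].lower()
    base = registrable(host) if host else ""
    if base in ALLOWLIST:
        return None                                      # known-good destination
    reasons = []
    if any(dst in net for net in WATCH_RANGES):
        reasons.append("ghostnet-range")
    if base in IOC_DOMAINS:
        reasons.append("ioc-domain")
    elif host and host.rsplit(".", 1)[-1] in WHIMSICAL_TLDS:
        reasons.append("whimsical-tld")
    if not reasons:
        return None
    if "ghostnet-range" in reasons and len(reasons) > 1:
        severity = "high"
    elif "ioc-domain" in reasons:
        severity = "medium"
    elif "ghostnet-range" in reasons:
        severity = "low"
    else:
        severity = "info"
    return severity, reasons


def triage(lines):
    """Map each line that fires to its (severity, reasons)."""
    return {line: result for line in lines if (result := score(line))}


# Constructed sample log: two range hits with bad hostnames, one range hit
# with a neutral hostname, one IOC domain off-range, one allowlisted partner.
SAMPLE_LOG = [
    "2025-02-03T09:14:02Z 10.1.4.22 -> 5.230.12.34:443 sni=webmail.rheinemetall.com",
    "2025-02-03T09:15:40Z 10.1.4.22 -> 5.231.1.77:443 sni=rainbow-pony.buzz",
    "2025-02-03T09:16:11Z 10.1.7.9 -> 5.230.200.5:443 sni=cdn.legit-example.net",
    "2025-02-03T09:17:55Z 10.1.7.9 -> 203.0.113.9:443 sni=stupid-buddy.mom",
    "2025-02-03T09:18:03Z 10.1.4.22 -> 198.51.100.20:443 sni=rheinmetall.com",
]

if __name__ == "__main__":
    for line, (severity, reasons) in triage(SAMPLE_LOG).items():
        print(f"{severity:6} {', '.join(reasons):28} {line}")
```

The third sample line is the important edge case: a connection into 5.230.0.0/16 with an unremarkable hostname is reported as low severity only, because a /16 belonging to a VPS provider is not itself an indicator. The allowlist check runs first so that the genuine rheinmetall.com never fires even when a lookalike of it is on the IOC list.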

Indicators of Compromise (IOCs), including full domain lists and MX server IPs, are available through DomainTools’ GitHub repository.

What Undercode Say:

The phishing campaign targeting defense and aerospace sectors amid the Ukraine conflict exemplifies the growing sophistication and geopolitical intent behind cyberattacks. The attackers not only used conventional phishing techniques but also exploited the urgency of the ongoing conflict in choosing and luring their targets.

The use of domain spoofing, combined with Mailu-based credential-harvesting pages, shows how low-cost methods can be highly effective. Such messages are hard to distinguish from legitimate communications, which makes them particularly dangerous for organizations that are unaware of the risk.

Furthermore, the possible malware distribution through the fake Cryptshare page and the careful selection of high-value domains suggest that the attackers aimed not only to harvest credentials but also to gain a foothold in, and potentially disrupt, supply chains critical to military efforts. This underscores the importance of monitoring for domain abuse and conducting regular security audits to identify potential weaknesses.

The geopolitical nature of these attacks also raises critical questions about the future of cyber warfare. With state-backed threat actors using cyberattacks as an extension of traditional warfare, organizations in conflict zones or supporting defense efforts need to be especially vigilant. The correlation between sector focus and the military aid provided to Ukraine highlights the strategic use of cyber tools in modern geopolitics.

As we continue to witness an increase in these kinds of operations, the importance of adopting a layered security approach has never been clearer. Combining traditional network security measures with advanced threat detection systems and constant vigilance will be key to mitigating the risks posed by sophisticated cyber adversaries.

Fact Checker Results:

  1. Phishing Infrastructure: The tactics described, including domain spoofing and Mailu-based pages, align with known methods used in APT campaigns targeting defense sectors.
  2. Geopolitical Relevance: The targeting of defense and aerospace sectors supporting Ukraine confirms the geopolitical nature of the attack.
  3. Security Recommendations: The recommended security measures, such as multi-factor authentication and domain monitoring, are standard practices for mitigating phishing threats.

References:

Reported By: https://cyberpress.org/phishing-attack-defense-aerospace/