May 31, 2024 at 02:38AM
Cloudflare’s threat intelligence team thwarted a month-long phishing and espionage campaign targeting Ukraine, attributed to the Russia-aligned group FlyingYeti. The campaign targeted financially strained citizens after a government moratorium on evictions and utility disconnections ended. Cloudforce One stopped the threat, but the potential target base was vast. FlyingYeti intended to capitalize on the end of the Ukrainian government’s rental payment moratorium. The attackers created a spoofed version of a legitimate Ukrainian communal housing portal to deliver a malware-laden RAR archive. After identifying the attack, Cloudflare dismantled the phishing site and the GitHub project behind it, disrupting the operation and forcing the attackers to adapt multiple times.
Cloudflare’s report describes a cyber espionage and phishing campaign targeting Ukraine, attributed to the Russia-aligned group FlyingYeti. The campaign was aimed at financially strained citizens who had been covered by the government moratorium on evictions and utility disconnections for unpaid debt, which had since ended. The phishing campaign impersonated Komunalka, the payment platform for the entire Kyiv region, and used targeting that ranged from selected high-value individuals to a broader approach covering all residents of Kyiv.
Cloudflare’s security team, Cloudforce One, thwarted the attack by spotting the preparations in mid-April and monitoring the threat until mid-May. FlyingYeti intended to exploit the increased financial stress on Ukrainian citizens following the lifting of the government’s rental payment moratorium in January. The group set up a phishing site on GitHub and used a spoofed version of the legitimate Kyiv Komunalka communal housing portal to distribute a malware-laden RAR archive.
The attackers initially used Cloudflare’s serverless functions platform to fetch the RAR file from GitHub, which prompted Cloudflare to intervene and halt the attack. FlyingYeti then switched to hosting the RAR archive on other platforms, but Cloudforce One’s anti-phishing efforts lengthened the time the fraudulent operation required and forced the criminals to change tactics several times, ultimately leading to success against the Kremlin-linked actors.
In response to these actions, GitHub removed the RAR file, the phishing site, and the entire GitHub project, and suspended the account used to host the malware. As of publication, Cloudforce One had not observed FlyingYeti upload the malicious RAR file to alternative file-hosting sites.
Overall, Cloudforce One effectively disrupted the operation and forced FlyingYeti to adapt, prolonging the attackers’ effort and ultimately achieving success against them.