Cyber Incident Victim: Defense and cybersecurity organizations in the Baltics
Date: May 2022
Location: Russia
Summary
Russian state-sponsored hacking groups, including APT28, Turla, and Coldriver, conducted phishing campaigns targeting defense and cybersecurity organizations in the Baltics and Eastern Europe, aiming to compromise credentials and gain footholds in critical infrastructure. Belarusian-backed actors simultaneously attempted to steal credentials from high-risk Ukrainian individuals; these efforts were mitigated by Google blocking the malicious domains and alerting the targeted users. The coordinated activity involved multiple threat actors linked to foreign intelligence services and focused on government, military, and NGO entities across the region.
Description
In early May 2022, Google's Threat Analysis Group (TAG) reported ongoing cyber operations by multiple state-sponsored threat actors targeting entities across Eastern Europe, including defense and cybersecurity organizations in the Baltics. Chinese state hackers affiliated with the People's Liberation Army Strategic Support Force (PLA SSF) were observed targeting Russian government agencies and private companies, continuing a pattern of attacks against military and government entities in Russia, Ukraine, Kazakhstan, and Mongolia. Concurrently, Russian-backed advanced persistent threat (APT) groups conducted credential phishing campaigns against defense and cybersecurity organizations. APT28 (linked to Russian military intelligence GRU) and Turla (associated with FSB) were identified as active perpetrators. A separate Russian group tracked as Coldriver (Callisto) used spoofed Gmail accounts to target government and defense officials, NGOs, think tanks, and journalists with phishing emails. Google disrupted these campaigns by identifying and blocking malicious domains through its Safe Browsing service, preventing successful compromises.

Belarusian state-sponsored threat actor Ghostwriter simultaneously attempted credential theft from high-risk individuals in Ukraine via Gmail phishing campaigns, though no account breaches occurred. Google implemented countermeasures by alerting targeted users through its monthly government-backed attacker warnings. These activities occurred against a backdrop of intensified Russian cyber operations against Ukrainian infrastructure, as documented by Microsoft, involving GRU, SVR, and FSB-linked groups. The collective targeting of defense and cybersecurity entities reflected broader regional cyber espionage objectives, with critical infrastructure sectors—including telecommunications, energy, and manufacturing—remaining focal points for Chinese, Iranian, North Korean, and Russian threat actors. Technical interdiction efforts by Google and Microsoft highlighted the operational tempo of these campaigns but did not disclose specific victim organizations or data exfiltration outcomes beyond blocked attempts.
