VYPR
Research · Published Jun 29, 2026 · 1 source

Ghostwriter Group Targets Belarusian Politician with Advanced Gmail Phishing

The UNC1151 (Ghostwriter) threat group has been identified conducting a sophisticated phishing campaign against a Belarusian politician, employing techniques to bypass multi-factor authentication.

The notorious UNC1151, also known as Ghostwriter, a threat actor group with strong ties to Belarusian and Russian state interests, has targeted a prominent Belarusian pro-democracy politician with a sophisticated phishing campaign. The operation, which aimed to steal Gmail credentials, highlights the ongoing efforts by state-aligned actors to suppress political opposition.

Ghostwriter first gained notoriety in 2020 for compromising news and media websites to disseminate fake stories. Since then, the group has maintained a high level of activity, focusing spear-phishing campaigns on individuals in Eastern Europe, particularly in Poland and Ukraine. The recent attack on politician Yury Hubarevich fits this established pattern, but researchers have uncovered a broader, more extensive credential-theft operation behind it.

Researchers from Censys revealed that the phishing attempt was part of a larger campaign targeting users in both Belarus and Ukraine. By analyzing certificate and infrastructure data, they traced the operation to a network of phishing domains actively collecting login details. The campaign commenced with a phishing email, written in Russian, warning Hubarevich of suspicious activity on his Google account and urging immediate verification of his login details—a classic social engineering tactic leveraging urgency and fear of account compromise.

The malicious link within the email directed the victim to a compromised Ukrainian website, which then redirected to a convincing fake Google login page. A critical element of this attack was a background WebSocket connection from the fake login page to the attackers' server, which streamed each keystroke to them as it was typed. Because the password and any SMS code or one-time password (OTP) reached the attacker while the code was still valid, they could replay them against the real Google login within the code's validity window. This real-time relay defeats SMS-based and OTP-based multi-factor authentication, so even users with those protections enabled were at risk.

Following the fake login, victims were presented with a message in Russian stating, "Account verification has been initiated successfully. You'll receive further information within 24 hours." The attackers fronted their phishing infrastructure with Bunny CDN, a content delivery network, so that visitors only ever saw the CDN's addresses rather than the origin server's. However, the origin server at IP address 45.194.44.44, hosted in Poland by Datagear, was misconfigured to present a publicly visible certificate for the phishing domain directly, and that exposure gave investigators a crucial lead.

This operational slip-up allowed researchers to map a larger infrastructure, uncovering several additional phishing domains associated with the same IP address, such as mail-secure-login.digital and check-account.digital. These domains were deliberately crafted with keywords like "mail," "account," "security," and "verification" to appear legitimate. The investigation also identified three other IP addresses with similar web server fingerprints, each hosting more fake login pages.
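The pivot described above, from one exposed origin IP to sibling domains on that IP, then to other IPs with a matching web-server fingerprint, filtered by the lure keywords the operators favored, can be reproduced over scan data. The following is an added example, not Censys's tooling or code from the article: it runs the pivot over a small constructed dataset. Only the IP 45.194.44.44 and the domains mail-secure-login.digital and check-account.digital come from the report; the other addresses, domains, Server headers and page titles are invented for illustration.

```python
"""Pivot from one exposed phishing origin to related infrastructure (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class HostRecord:
    ip: str
    domain: str   # name in the certificate served on this IP
    server: str   # HTTP Server header
    title: str    # <title> of the page served on /


# Keywords the article says the operators used to make domains look legitimate.
LURE_WORDS = ("mail", "account", "secure", "security", "verif", "login", "check")

# Constructed scan snapshot. Only the first two rows' IP/domains are from the
# article; all other values are made up (RFC 5737 documentation ranges).
RECORDS = [
    HostRecord("45.194.44.44", "mail-secure-login.digital", "nginx/1.24.0", "Sign in - Google Accounts"),
    HostRecord("45.194.44.44", "check-account.digital", "nginx/1.24.0", "Sign in - Google Accounts"),
    HostRecord("198.51.100.7", "account-verification.example", "nginx/1.24.0", "Sign in - Google Accounts"),
    HostRecord("198.51.100.7", "static.example", "nginx/1.24.0", "Welcome"),
    HostRecord("203.0.113.9", "mail.example", "Apache/2.4.57", "Webmail"),
    HostRecord("192.0.2.20", "cdn-assets.example", "nginx/1.24.0", "403 Forbidden"),
]


def lure_score(domain: str) -> int:
    """Number of distinct lure keywords in the registrable label (TLD ignored)."""
    label = domain.rsplit(".", 1)[0].lower()
    return sum(1 for w in LURE_WORDS if w in label)


def fingerprint(r: HostRecord) -> tuple:
    """Server header alone is too common; pair it with the served page title."""
    return (r.server, r.title)


def pivot(seed_ip: str, records, min_score: int = 2):
    """Expand from the seed IP.

    1. Every domain certified on the seed IP is a sibling.
    2. Any other IP serving the same (server, title) fingerprint is related.
    3. Keep only domains that carry at least `min_score` lure keywords, so shared
       hosting neighbours with innocuous names are not reported as phishing.
    Returns (sorted related IPs, suspect records).
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r.ip].append(r)
    seed_fps = {fingerprint(r) for r in by_ip[seed_ip]}
    related_ips = {
        ip for ip, rs in by_ip.items()
        if ip != seed_ip and any(fingerprint(r) in seed_fps for r in rs)
    }
    in_scope = related_ips | {seed_ip}
    suspects = [r for r in records if r.ip in in_scope and lure_score(r.domain) >= min_score]
    return sorted(related_ips), suspects


if __name__ == "__main__":
    ips, hits = pivot("45.194.44.44", RECORDS)
    print("related IPs:", ips)
    for h in hits:
        print(f"{h.ip:15} {h.domain:32} score={lure_score(h.domain)}")
```

In the constructed data the pivot reaches 198.51.100.7 through the shared nginx/"Sign in" fingerprint but not 192.0.2.20, which runs the same nginx build yet serves a different page; the keyword filter then drops static.example even though it sits on a related IP. Against real scan output, `RECORDS` would be replaced by certificate and HTTP-banner rows from a scanner, and the fingerprint should include whatever fields (favicon hash, HTML body hash) the scanner provides.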

The comprehensive analysis revealed that the threat group was actively targeting users of at least three popular Ukrainian online portals: I.UA, bigmir)net, and META.UA, with dedicated phishing pages for each. This campaign shares similarities with previously documented activities tracked by CERT Polska and ESET under the name FrostyNeighbor. For individuals in politically sensitive roles, maintaining strong account hygiene and treating urgent login requests with extreme skepticism are paramount. Hardware security keys (FIDO2/WebAuthn) bind each login assertion to the origin the browser is actually on, so a login captured on a lookalike domain cannot be replayed against the real site; that is why they resist real-time interception in a way SMS codes and one-time passwords cannot.
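The contrast between the relayed-OTP bypass described earlier and the origin-bound hardware key recommended here can be shown in a simplified model. The following is an added example, not code from the article, Censys, or Google: the "real site" is reduced to two HMAC checks, the security key is modelled as an HMAC over the client data rather than a real WebAuthn signature over authenticatorData and the clientDataJSON hash, and the origins legit.example and phish.example, the secrets and the timestamps are all constructed placeholders.

```python
"""Relayed OTP versus origin-bound assertion (added, simplified model)."""
import hashlib
import hmac
import json
import struct

# Constructed secrets: one shared with the user's OTP app, one standing in for
# the hardware key's private key.
OTP_SECRET = b"constructed-shared-otp-secret"
KEY_SECRET = b"constructed-hardware-key-secret"
RP_ORIGIN = "https://legit.example"   # placeholder for the real login origin


def totp(secret: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the 30-second step containing time t."""
    counter = struct.pack(">Q", int(t // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def server_accepts_otp(code: str, now: float) -> bool:
    """Real site: accepts the current step and the previous one (clock skew)."""
    return any(hmac.compare_digest(code, totp(OTP_SECRET, now - d)) for d in (0, 30))


def key_sign(challenge: str, origin: str) -> dict:
    """The browser reports its own origin in the client data; the key signs it.

    A real authenticator signs authenticatorData || SHA-256(clientDataJSON);
    an HMAC over the client data plays that role here.
    """
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(KEY_SECRET, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def server_accepts_assertion(assertion: dict, challenge: str) -> bool:
    """Real site: the signature must be valid AND the signed origin must be ours."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != RP_ORIGIN or data.get("challenge") != challenge:
        return False
    expected = hmac.new(KEY_SECRET, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(assertion["sig"], expected)


def relay_otp_attack(now: float) -> bool:
    """Victim types the OTP into the phishing page; the WebSocket forwards it and
    the attacker submits it to the real site a few seconds later."""
    typed_by_victim = totp(OTP_SECRET, now)
    return server_accepts_otp(typed_by_victim, now + 5)


def relay_webauthn_attack(challenge: str) -> bool:
    """Attacker fetches a real challenge and relays it to the victim's browser,
    which is on phish.example, so that is the origin the key signs. (A real
    browser would refuse outright because the credential's rpId does not match.)"""
    assertion = key_sign(challenge, "https://phish.example")
    return server_accepts_assertion(assertion, challenge)


def legitimate_webauthn_login(challenge: str) -> bool:
    return server_accepts_assertion(key_sign(challenge, RP_ORIGIN), challenge)


if __name__ == "__main__":
    print("relayed OTP accepted:      ", relay_otp_attack(1_700_000_000))
    print("relayed assertion accepted:", relay_webauthn_attack("server-challenge-1"))
    print("legitimate assertion:      ", legitimate_webauthn_login("server-challenge-1"))
```

The OTP check has no way to know which page the code was typed into, so the relayed code is indistinguishable from a legitimate one as long as it arrives inside the validity window. The assertion check fails before the signature is even examined because the origin the browser embedded is the phishing site, which is the property that makes the hardware-key advice above more than a general hardening tip.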

Synthesized by Vypr AI