Summary:
Elite hackers associated with Russia's military intelligence service have been linked to large-volume phishing campaigns aimed at hundreds of users in Ukraine to extract intelligence and influence public discourse related to the war. Google's Threat Analysis Group (TAG), which is monitoring the activities of the actor under the name FROZENLAKE , said the attacks continue (https://thehackernews.com/2022/05/ukraine-war-themed-files-become-lure-of.html) the "group's 2022 focus on targeting webmail users in Eastern Europe." The state-sponsored cyber actor, also tracked as APT28, Fancy Bear, Forest Blizzard, Iron Twilight, Sednit, and Sofacy. is both highly active and proficient. It has been active since at least 2009, targeting media, governments, and military entities for espionage.

Analyst comments:
Since early February, 2023, FRONZENLAKE been leveraging reflected cross-site scripting (XSS) attacks to target several Ukrainian websites. XSS attacks involve hackers injecting malicious scripts into the code of trusted websites. In the latest campaign, the scripts are designed to redirect victims to phishing domains where the actors can capture victim credentials.

The majority of observed phishing domains were created on free services and used for a short time, often a single campaign. When a user submitted their credentials on the phishing sites, they were sent via HTTP POST request to a remote IP address, which TAG analysis identified as compromised Ubiquiti network devices” stated researchers in a new blog post. According to TAG analysts, FROZENLAKE actors have launched credential phishing attacks similar to this one targeting the Ukrainian defense industry, military, and ukr[.]net webmail users as early December 2022.

Mitigation:
(OWASP (https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html))For XSS attacks to be successful, an attacker needs to insert and execute malicious content in a webpage. Each variable in a web application needs to be protected. Ensuring that all variables go through validation and are then escaped or sanitized is known as perfect injection resistance. Any variable that does not go through this process is a potential weakness. Frameworks make it easy to ensure variables are correctly validated and escaped or sanitised. However, frameworks aren't perfect and security gaps still exist in popular frameworks like React and Angular. Output Encoding and HTML Sanitization help address those gaps.

Source: https://thehackernews.com/2023/04/google-tag-warns-of-russian-hackers.html https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/