Email cybersecurity firm Avanan said it has seen a sudden and significant uptick in Russian-based phishing attacks and credential harvesting over the past few days targeting U.S. and European customers.
Avanan officials told SC Media they began analyzing the 2 million-plus customer email inboxes they protect for signs of increased Russian phishing shortly after the Cybersecurity and Infrastructure Security Agency (CISA) warned on Feb. 16 about an ongoing two-year Russian-led campaign targeting cleared U.S. defense contractors with similar attacks. The sharp increase began on Feb. 27 and is approximately eight times larger than the volume they normally see under baseline conditions.
CEO Gil Friedrich said his company typically processes around 100 million customer emails a day. They usually find between 30 and 50 phishing attacks for every 100,000 emails processed, and normally only a tiny sliver of that activity (about 1%) is credential harvesting. However, Russian-based credential harvesting attacks have jumped dramatically, from about 50 a day to 400 a day since Feb. 27.
“We’re still learning the attacks, we want to know if new obfuscation methods are being used, if cyber weapons we’ve never seen before are being used, what happens if you fall victim [to these attacks]. Our team is running that in a sandbox environment and we still don’t have results, but the jump was so big that we felt we needed to release something to warn our customers and our audience,” he said.
The activity they’ve seen thus far doesn’t appear to follow the “spray and pray” strategy normally seen in phishing campaigns, and a research blog put out by the company today identified customers in the manufacturing, international shipping and transportation sectors in Europe and the United States as targets. There are also signs of specific organizations being singled out: one unnamed customer, a European company owned by a U.S. hedge fund and with business affiliations in Ukraine, has seen its CEO and entire executive team targeted with such attacks.
Customers in other sectors, like state and local government and higher education, are “generally under constant attack” but haven’t seen a similar increase in targeting over the past week.
The increase in these phishing attacks coincides with the opening days of the Russian-led invasion of neighboring Ukraine, which has resulted in severe economic sanctions against Russia and its economy. For months, that potential scenario spurred alarm among cybersecurity experts about retaliatory cyberattacks against the West from Moscow, but Avanan is not attributing the attacks to the Russian government or confirming that they are related to the ongoing conflict.
“We have seen between five to seven clusters [of activity]…there’s no way we can tell if this is government-sponsored or just Russian hackers, but this is exactly the deeper analysis we’re spending time on now,” said Friedrich.
The lures used in these emails do not tend to differ from the kinds normally seen in the phishing realm, such as impersonating CEOs or internal employees sending “urgent” documents or spoofed Microsoft 365 emails asking you to click on a link to keep your account active. The main difference Avanan is seeing in the data is “the magnitude, not the methods” of such attacks.
“I do think or at least suspect we’ll start seeing maybe new methods to bypass Office 365 [protections],” said Friedrich. “I wouldn’t be surprised if hackers have kept some of their more sophisticated obfuscation methods for an event like this, and this is really where our analysts are spending their time right now.”