Firefighters try to extinguish a fire after a chemical warehouse was hit by Russian shelling on the eastern frontline near Kalynivka village on March 8, 2022, in Kyiv, Ukraine. (Photo by Chris McGrath/Getty Images)

Google’s Threat Analysis Group (TAG) has observed activity from nation-state threat actors over the last two weeks as the Russian invasion of Ukraine causes a refugee crisis on the European continent.

TAG’s Shane Huntley said in a blog post Monday that Google has issued hundreds of warnings over the last year to Ukrainian users letting them know they were targeted by government-backed hacking, largely coming from Russia.

Recently, threat groups such as FancyBear and Ghostwriter have been observed engaging in cyber espionage and phishing campaigns, Huntley wrote.

FancyBear, aka APT28, has conducted several large credential phishing campaigns targeting Ukrainian users and a media company. In recent campaigns, Huntley wrote that attackers used Blogspot domains, which have since been removed, as an initial landing page that redirected targets to credential phishing pages. FancyBear is attributed to the GRU, Russia’s intelligence agency.

Belarusian threat actor Ghostwriter has been conducting credential phishing campaigns in the last week against Polish and Ukrainian government and military organizations, according to Huntley. 

And from Southeast Asia, China-based threat actor Mustang Panda or Temp.Hex is targeting European entities with lures related to the Ukrainian crisis, using malicious attachments with file names like “Situation at the EU borders with Ukraine.zip.” 

Huntley also reported that DDoS attacks targeting government sites are still occurring and over 150 Ukrainian sites are now being protected by its Project Shield, which allows Google to absorb bad traffic in a DDoS attack to allow targeted sites to continue to operate.