![](https://d15shllkswkct0.cloudfront.net/wp-content/blogs.dir/1/files/2022/07/code.png)
Google LLC on Tuesday shared new details about a series of Russian state-sponsored hacking campaigns targeting Ukraine.
The hacking campaigns were detected by the search giant’s Threat Analysis Group. Billy Leonard, a security engineer with the Threat Analysis Group, detailed the cyberattacks in a blog post.
Google researchers have identified a hacking campaign in which Turla, a threat actor associated with Russia’s Federal Security Service, used malicious Android apps to target users. The apps purported to launch denial-of-service attacks against a set of Russian websites. According to Google, download links to the apps were disseminated via messaging services.
“This is the first known instance of Turla distributing Android-related malware,” Leonard detailed. “We believe there was no major impact on Android users and that the number of installs was minuscule.”
Google has also detected cyberattacks carried out by APT28 and Sandworm, two threat groups associated with Russian intelligence services. The cyberattacks used a Windows vulnerability known as Follina that was discovered earlier this year. The vulnerability, which has since been patched, enables hackers to breach affected Windows machines using malicious Office documents.
One of the Follina-based hacking campaigns targeted media organizations in Ukraine. “The Sandworm campaign used compromised government accounts to send links to Microsoft Office documents hosted on compromised domains, primarily targeting media organizations in Ukraine,” Leonard noted.
Google has also spotted three other hacking campaigns as part of its recent cybersecurity research efforts. Each campaign is run by a different threat actor.
Google discovered that Russia-based hacking group COLDRIVER is using phishing emails to target government and defense officials, politicians, non-governmental organizations, think tanks and journalists. Google also determined that Ghostwriter, a hacking group with ties to Belarus, is targeting the email and social media accounts of users in Poland.
Additionally, the search giant’s cybersecurity experts have observed an increase in the number of financially motivated threat actors targeting Ukraine. One such threat actor recently ran a hacking campaign that used the Follina vulnerability to distribute malicious files.
“We assess this actor is a former initial ransomware access broker who previously worked with the Conti ransomware group distributing the IcedID banking trojan based on overlaps in infrastructure, tools used in previous campaigns, and a unique cryptor,” Leonard wrote.
The work of the Threat Analysis Group, the Google unit that discovered the hacking campaigns detailed this week, is part of a broader effort by the search giant to make the web more secure. Google also runs an initiative called Google Safe Browsing that focuses on blocking malicious websites. The initiative helps block malicious websites across Android, Chrome and multiple third-party browsers, as well as several other software platforms.