Russia continues to conduct massive phishing campaigns in Ukraine. The medical sector is one of the new areas of interest, the Ukrainian cybersecurity services tell us.
Ukraine is the first target of Russian phishing, according to a report published on April 19 by Google TAG, the tech giant’s team of cyber experts. So far, no surprise. But a closer look at the campaigns shows how the methods used by the Kremlin have evolved. In a previous report, Google said that in 2022, Russia increased user targeting in Ukraine by 250% compared to 2020.
“All citizens must be constantly on their guard. Russia is conducting massive campaigns to collect as much information as possible,” says Yevheniia Volivnyk, the head of the Ukrainian Center for Alert and Reactions to computer attacks (CERT-UA).
In the first quarter of 2023, 60% of Russian phishing emails were directed against Ukraine. Among these lures, Google notes the high activity of Sandworm and Fancy Bear, two hacker groups linked to Russian intelligence.
- The first, Sandworm, continues to spoof the services of Telegram – a method that has been used for almost a year – to send text messages asking the target to enter credentials. Typically, victims receive fake alert messages telling them that an unauthorized login is taking place on the account, requiring them to enter credentials to change the password. Naturally, everything they enter goes to Kremlin agents. According to Google, the group is targeting users on popular Ukrainian channels.
- The second, Fancy Bear, uses security holes in Ukrainian sites to redirect users to phishing pages. This is known as a cross-site scripting (XSS) attack: criminals inject a malicious script into a page, and the script is then included in the content received by the victim’s browser. Google has spotted booby-trapped sites of the main Ukrainian messaging service, ukr.net. Experts note that the majority of observed phishing domains were created on free services and used for a short period of time, often for a single campaign.

Ukraine’s Communications Protection Service shared an example of a message sent to trick users. // Source: gov.ua
Energy, telecom, and then medical
Although Russia has failed to break the Ukrainian computer system, it is now mainly seeking to trap its citizens and businesses. Yevheniia Volivnyk notes that Kremlin agents vary the sectors they target. “Defence is obviously always targeted, but we saw campaigns first directed massively towards energy, then telecom, and today the insurance and medical sectors are the most targeted by phishing,” explains Volivnyk, who monitors Russian operations on a daily basis.
“The attackers’ methods are standard, but directed at medical workers in particular. The desired objectives could be the taking of information on treated soldiers. There were cases where Russian intelligence was trying to find information on relatives in the occupied territories as early as 2014,” she adds. The number of disappearances in Crimea and the Donbas region has been high for more than nine years now.