
Russia-linked hackers' phishing campaign against Ukraine is disrupted


Cybersecurity experts have uncovered a new Russian-linked hacking campaign targeting vulnerable Ukrainians in debt. NPR cybersecurity correspondent Jenna McLaughlin has the story.

JENNA MCLAUGHLIN, BYLINE: In mid-April, a group of hackers was drawing up a plan. But a team of experts was watching their every move.

MATTHEW PRINCE: And so on April 18, the Cloudforce One team detected a Russian threat actor.

MCLAUGHLIN: This is Matthew Prince, CEO of Cloudflare, an IT company that protects and monitors networks around the world. When hackers with ties to Russia decided to use one of Cloudflare's own tools to write and run code, the company noticed. It started spying back.

PRINCE: And they were preparing to launch a campaign against Ukrainian citizens - targeting them, taking advantage of some news that was going on on the ground in Ukraine.

MCLAUGHLIN: Earlier in January, the Ukrainian government rescinded a wartime emergency provision. That provision prevented Ukrainians in debt from being evicted or having their heat or water turned off. It was the perfect time for the hackers to seize on people's fears.

PRINCE: They're watching the news. They're looking for anything which is topical that people might be worried about.

MCLAUGHLIN: The hackers sent text messages and emails to practically everyone in Ukraine, Prince says, urging them to take action to save their homes. The hackers attached official-looking documents and linked to a web portal that mimicked a well-known Ukrainian digital platform used to pay bills. Instead...

PRINCE: If somebody clicked on one of these malicious messages, then it would infect their computer and give the FlyingYeti Russian group the ability to basically take over anything that is happening on that computer or impersonate anyone that was logging on that computer.

MCLAUGHLIN: Once they have access, they gain a foothold, Prince says, to cause more damage, to foment more chaos. The good news is Cloudflare, with some help from friends across the industry, was able to stop the hackers from launching the malware. They basically did it at least in part by trolling them. Did you catch the name Prince used to label the group? FlyingYeti. The company wants to make fun of them.

PRINCE: And we go so far as even, again, giving them silly names that we hope they will find embarrassing, like FlyingYeti.

MCLAUGHLIN: The Cloudflare team also messed with the hackers' code, slowed them down.

PRINCE: Because if we shut them down, they would just move on to someone else, whereas if we could disrupt their activity, then every minute that they spent wasting time trying to debug what was going on was a minute that they weren't causing harm inside of Ukraine.

MCLAUGHLIN: They stopped the hackers this round, but it's clear, Prince says, Russia isn't backing down. Ukraine and its allies need to stay on guard. Jenna McLaughlin, NPR News. Transcript provided by NPR, Copyright NPR.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.

Jenna McLaughlin
Jenna McLaughlin is NPR's cybersecurity correspondent, focusing on the intersection of national security and technology.