Events 0
En
Ua
Events 0
Search result:
UNC1151 Phishing Campaign: Infrastructure Analysis by Censys- image 1

UNC1151 Phishing Campaign: Infrastructure Analysis by Censys

The phishing email sent to Belarusian politician Yuri Gubarevich, claiming suspicious activity in Gmail, turned out to be just the tip of a massive cyber operation. Researcher Martin Grutten from Censys discovered that the attack was backed by the infrastructure of UNC1151 (also known as Ghostwriter or FrostyNeighbor). Using digital certificate tracking, analysts were able to trace and de-anonymize the cybercriminals’ servers that were stealing user credentials from Belarus and Ukraine.

UNC1151 Phishing Campaign: Infrastructure Analysis by Censys - image 1
MECHANICS OF THE ATTACK

Authentication Bypass and IP Address Concealment

In this campaign, cybercriminals directed victims to compromised websites and then to a fake Google login page. The main technical feature of the attack was the use of the WebSocket protocol to intercept entered data in real-time. This allowed operators to automatically bypass multi-factor authentication (MFA) based on SMS or one-time passwords (OTP). To mask their activities, the group used legitimate content delivery networks, including Bunny CDN and Cloudflare, attempting to hide the true IP addresses of the command servers.

CENSYS CYBER INTELLIGENCE

De-anonymization through Digital Certificates

Despite efforts to mask themselves with CDN, the cybercriminals made a critical error at the infrastructure level. Experts from Censys discovered that the digital certificate for the spoofing phishing domain was at one point located on the direct IP address 45.194.44.44. This address is physically located in Poland and belongs to the provider Datagear. This revelation was as if the mask was removed: by identifying the true IP address, researchers were able to find other digital certificates used within this operation. Notably, additional phishing resource certificates were generated on the found node, confirming the systematic nature of the group’s actions.

TECHNICAL INDICATORS

Unique Server Errors and Detection of Hidden Nodes

A detailed investigation of the disclosed IP address revealed open ports 3001 and 3002 with specific settings. An HTTP request to port 3002 returned a 404 error with a unique text message, indicating exclusive functionality for WebSocket. This structural indicator was found to be an extremely rare phenomenon in the global network. Searches in the Censys databases by the hash of this response body revealed three more IP addresses worldwide, all belonging to the same campaign. Each of these servers was used to host digital certificates with similar naming patterns, forming a centralized network for data collection.

SCOPE OF THE OPERATION

Impersonation of Ukrainian National Web Portals

The investigation of the revealed infrastructure confirmed the targeted nature of attacks against specific regions. Besides the initial attack on email services, the group massively generated certificates for creating fake copies of popular Ukrainian web portals. On one of the identified servers, analysts recorded digital certificates that mimicked mail services I.UA and bigmir)net. Through targeted queries to the infrastructure, an active phishing page was also identified that mimicked the META.UA portal. The combination of this data indicates that the UNC1151 group serially produces fake tools to compromise legitimate European services.

The analysis of the phishing incident proves that modern cybercriminals use complex architectures to scale their attacks and bypass multi-factor authentication. Transitioning from reactive blocking to proactive intelligence creates conditions for rapidly detecting disguised infrastructure arrays. Company iIT Distribution, as a Value Added Distributor, provides expert support in deploying advanced information security solutions, including threat intelligence tools and attack surface management. The iITD team supports projects at every stage, helping partners protect critical credentials and reduce the risks of intelligent cyberattacks.

NEWS

Current news on your topic

All news
All news