What happened
A Russia-linked hacking group has launched a cyber espionage campaign targeting Ukrainian organizations using malicious documents disguised as information about Starlink satellite internet terminals and a Ukrainian charity. Researchers attributed the activity to the group Laundry Bear, also tracked as Void Blizzard, which has been active since at least 2024 and previously targeted NATO member states and Ukrainian institutions. The attackers used phishing emails containing weaponized documents designed to deploy spyware once opened, enabling the collection of sensitive information from compromised systems. Researchers said the campaign appears focused on gathering intelligence from organizations connected to Ukraine’s government and critical sectors.
Who is affected
Organizations in Ukraine, including government bodies and other institutions connected to national infrastructure or international partnerships, are affected as targets of the espionage campaign.
Why CISOs should care
The campaign highlights continued cyber-espionage activity tied to the Russia-Ukraine conflict, where phishing operations and spyware deployments are used to gather intelligence from government and strategic organizations.
3 practical actions
- Monitor for spear-phishing campaigns. Investigate suspicious emails containing documents referencing Starlink or charitable initiatives.
- Inspect attachments for spyware activity. Analyze documents that trigger abnormal processes or network connections.
- Strengthen phishing awareness training. Ensure staff can identify social-engineering lures involving humanitarian or infrastructure themes.
