top of page

Security Brief: CICYBER Week of April 3, 2022

April 3 - 6, 2022 | Issue 2

Keanna Grelicha, Emma Hoskins, Marina Tovar, CICYBER Team

Manja Vitasovic, Editor; Jennifer Loy, Chief of Staff

Phishing Attack[1]

Date: April 4, 2022

Location: Global

Parties involved: Nicaragua; Venezuela; Israel; Saudi Arabia; Pakistan; Russia; Ukraine; energy, financial and governmental sectors; El Machete; Lyceum; SideWinner; advanced persistent threat (APT) groups

The event: El Machete, Lyceum, and SideWinner APT groups[2] launched spear-phishing campaigns[3] targeting the energy, financial and governmental sectors of Nicaragua, Venezuela, Israel, Saudi Arabia, and Pakistan. The APT groups used the cyberattacks between Russia and Ukraine for cover. El Machete used a trojan[4] to collect keystroke patterns from the victim’s networks to steal their usernames and passwords. Lyceum sent emails containing embedded malware attached to fake Russia-Ukraine conflict-related news links. SideWinner used phishing emails with malware embedded in the attachments.[5]

Analysis & Implications:

  • Other APT groups will very likely launch malware attacks targeting a countries’ Critical Information Infrastructure (CII), like the energy or cyberinfrastructure, using the Russia-Ukraine conflict for cover. They will likely use phishing emails with embedded malware to enter the system, likely allowing them to control and shut down the electric grid. A power outage would very likely cause demonstrations and government distrust due to their inability to provide heat and electricity.

  • If El Machete’s strategy is successful, other APTs will likely use their trojan in cyberattacks and spear-phishing campaigns. Threat actors targeting the governmental sectors could very likely use El Machete’s trojan to harvest the network credentials to collect sensitive data. Data theft of governmental sectors, like data on military objectives, could very likely threaten counties' defense systems.

Date: April 4, 2022

Location: Ukraine

Parties involved: United Kingdom; UK National Cyber Security Centre (NCSC); China; Chinese President Xi Jinping; Chinese state-sponsored groups; Ukraine; Ukrainian Secret Service; Ministry of Defense of Ukraine; Russia; Russian President Vladimir Putin; The Times; NATO; NATO member states

The event: The UK NCSC is investigating alleged Chinese state-sponsored groups’ hacking attacks to gather information on over 600 Ukrainian websites before the Russian invasion, like the Ministry of Defense of Ukraine website. They started the investigation based on the Ukrainian Secret Service intelligence memos published by The Times. President Xi Jinping and President Putin issued a joint statement in early February 2022, stating their opposition to further NATO expansion and confirming their alliance.[6]

Analysis & Implications:

  • If the UK NCSC confirms that the Chinese data collection hacking campaign on Ukrainian government websites was successful, Chinese state-sponsored groups have very likely collected intelligence on Ukrainian defense systems. China likely provided the Russian government with information on the Ukrainian defense systems and its vulnerabilities. The intelligence will very likely enhance Russian cyberattacks on the Ukrainian defense systems in the invasion to weaken Ukrainian cyberinfrastructure.

  • If the Chinese hacking allegations are confirmed, China-NATO tensions will very likely increase. NATO member states will likely impose sanctions on China, like trade restrictions, likely to prevent further Chinese involvement in the Russia-Ukraine conflict. Sanctions could very likely heighten hostilities between NATO and China, likely resulting in China implementing counter-sanctions on NATO member states.

________________________________________________________________________ The Counterterrorism Group (CTG)

[2] “An APT is a tactic that categorizes hacker groups based on the cyberattack that uses stealth to enter a network and steal sensitive information.” What is an advanced persistent threat (APT)?, CrowdStrike, April 2021,

[3] “Threat actors conduct spear-phishing campaigns to steal sensitive information by sending emails to targets containing embedded malware in attached documents or links.” Spear phishing, Trend Micro,

[4] “A trojan is malicious software that takes control of the target’s computer allowing the threat actor to remotely control the system and steal data from the network.” What is a Trojan? Is it a virus or is it malware?, Norton, July 2020,

[5] Multiple Hacker Groups Capitalizing on Ukraine Conflict for Distributing Malware, The Hacker News, April 2022,

[6] China accused of cyber-attacks on Ukraine before Russian invasion, The Guardian, April 2022,



bottom of page