Operational Alert: Russian Intel Smishing Campaign Targeting Messaging Credentials

The Security Service of Ukraine (SSU), in close coordination with the U.S. Federal Bureau of Investigation (FBI), has disclosed a persistent and highly targeted cyber operation orchestrated by Russian intelligence services. This campaign, active throughout 2026, specifically leverages "fake support" text messages (smishing) to compromise the messaging accounts of high-value targets.

The targets include government officials, military personnel, politicians, and activists across Ukraine, Europe, and the United States. Unlike generic malware distribution, this operation focuses on social engineering to bypass traditional perimeter defenses, aiming directly at credential theft for critical messaging platforms. The objective is clear: persistent surveillance and intelligence gathering via compromised communication channels.

Technical Analysis

Threat Overview: This campaign is a textbook example of targeted credential harvesting. The attack vector does not rely on a specific software vulnerability (0-day) or CVE but rather exploits human trust and the urgency of technical support notifications.

Attack Chain:

1. Initial Contact: Targets receive SMS messages appearing to originate from legitimate technical support services for popular messaging applications (e.g., Telegram, Signal, WhatsApp) or mobile service providers.
2. Lure: The messages typically convey urgency—claiming account suspension, security alerts, or the need for immediate identity verification.
3. Credential Harvesting: The SMS contains a link directing the target to a credential harvesting page. These sites are sophisticated typosquats or lookalike domains designed to mimic the legitimate authentication portals of the targeted messaging service.
4. Exfiltration: Upon entry, credentials are captured by the actor, providing immediate access to the target's messaging history and contact lists.

Affected Platforms: While the specific messaging apps were not named in the summary, such campaigns typically target cross-platform messengers accessible via Android, iOS, and desktop environments. The "fake support" narrative is versatile and adaptable to any platform relying on SMS-based 2FA or account recovery.

Exploitation Status: This is an active, confirmed exploitation (in-the-wild) scenario. There is no patch for human psychology, making this a critical awareness and detection challenge for security teams.

Detection & Response

Detecting smishing campaigns requires a defense-in-depth approach that spans network monitoring, endpoint analysis, and user behavior analytics. Since the attack relies on users clicking links from mobile devices or personal endpoints, visibility into proxy logs and DNS traffic is critical.

SIGMA Rules

The following rules focus on detecting the network artifacts of credential harvesting—specifically the access of suspicious lookalike domains and the use of keywords often found in phishing URLs (e.g., "support," "verify," "recover").

---
title: Potential Credential Harvesting Access - Suspicious Support Keywords
id: 9c2f4d1e-6a3b-4f8c-9e1d-2a5b6c7d8e9f
status: experimental
description: Detects access to potential credential harvesting sites containing suspicious support-related keywords in the URL path, often used in fake support smishing campaigns.
references:
  - https://attack.mitre.org/techniques/T1566/
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.initial_access
  - attack.credential_access
  - attack.t1566.002
logsource:
  category: proxy
  product: any
detection:
  selection_keywords:
    cs-uri-query|contains:
      - 'verify-account'
      - 'support-center'
      - 'recover-account'
      - 'confirm-identity'
      - 'account-locked'
  selection_tlds:
    cs-host|endswith:
      - '.xyz'
      - '.top'
      - '.tk'
      - '.ml'
      - '.ga'
  condition: selection_keywords and selection_tlds
falsepositives:
  - Legitimate access to new support portals on uncommon TLDs (rare)
level: high
---
title: Smishing Link - High Entropy Domain Access
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects access to domains with high entropy (randomized characters) often associated with smishing payload delivery or credential phishing kits.
references:
  - https://attack.mitre.org/techniques/T1566/
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.initial_access
  - attack.defense_evasion
  - attack.t1566.002
logsource:
  category: proxy
  product: any
detection:
  selection:
    cs-method|contains:
      - 'GET'
      - 'POST'
    cs-uri-query|re: '^[a-zA-Z0-9/_?=&%-]{40,}'  
  condition: selection
falsepositives:
  - Legitimate API calls with long query parameters
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for users accessing non-corporate domains that contain "messaging" or specific app names in the subdomain, a common tactic for lookalike domains used in these campaigns. It also filters for high-risk TLDs.

// Hunt for potential credential harvesting domains accessed via proxy
let HighRiskTLDs = pack_array(".xyz", ".top", ".tk", ".ml", ".ga", ".cf", ".cc", ".pw");
let MessagingKeywords = pack_array("telegram", "signal", "whatsapp", "support", "verify", "account", "login");
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (MessagingKeywords)
| extend TLD = tostring(split(RemoteUrl, ".")[-1])
| where TLD in~ (HighRiskTLDs)
| summarize count(), StartTime=min(Timestamp), EndTime=max(Timestamp) by DeviceName, InitiatingProcessAccountName, RemoteUrl
| order by count_ desc

Velociraptor VQL

This VQL artifact hunts the browser history on endpoints (Windows/macOS) for visits to URLs containing keywords associated with the "fake support" narrative described in the SSU report.

-- Hunt for Fake Support / Credential Harvesting URLs in Browser History
SELECT * FROM foreach(
  glob(globs="*/History"),
  {
    SELECT 
      Timestamp,
      URL,
      Title,
      Username
    FROM parse_chrome_history(filename=OSPath)
    WHERE URL =~ 'support' 
       OR URL =~ 'verify' 
       OR URL =~ 'recover' 
       OR URL =~ 'account-locked'
  }
)

Remediation Script (PowerShell)

This script assists in the immediate triage of a potentially compromised workstation by flushing the DNS cache (removing cached resolutions to malicious domains) and auditing recent RDP connections for lateral movement indicators.

# Incident Response Triage - Credential Harvesting Response
# 1. Flush DNS Cache to clear resolution to malicious domains
Write-Host "[+] Flushing DNS Resolver Cache..."
Clear-DnsClientCache

# 2. Check for recent suspicious network connections (listening ports)
Write-Host "[+] Checking for suspicious listening ports..."
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | 
    Where-Object { $_.LocalPort -lt 1024 -or $_.LocalPort -eq 443 -or $_.LocalPort -eq 8080 } | 
    Select-Object LocalPort, OwningProcess, State | 
    Format-Table -AutoSize

# 3. Audit Event Log for recent failed logon attempts (Brute Force/Recon)
Write-Host "[+] Hunting for recent failed logon attempts (Last 24h)..."
$Date = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=$Date} -ErrorAction SilentlyContinue | 
    Select-Object TimeCreated, @{n='IpAddress';e={$_.Properties[19].Value}}, @{n='Account';e={$_.Properties[5].Value}} | 
    Format-Table -AutoSize

Write-Host "[+] Triage Complete. If suspicious IPs or ports are found, isolate the endpoint."

Remediation

As this threat vector is social engineering, remediation is primarily procedural and user-focused, supported by technical controls:

1. User Awareness & Reporting: Immediate briefing for all high-value personnel (HVI) regarding this specific campaign. Users must be instructed to verify "support" messages via official channels (e.g., calling the official number, not the one in the text) before clicking any links.
2. Enable Phishing-Resistant MFA: Mandate FIDO2/WebAuthn hardware keys or passkeys for all messaging and email accounts. SMS-based or TOTP MFA is insufficient against sophisticated phishing where the actor performs a real-time MITM attack.
3. Block High-Risk TLDs: Update secure web gateways (SWG) and DNS filtering services to block newly registered domains and high-risk TLDs (e.g., .xyz, .top, .tk) unless a specific business justification exists.
4. Indicator Integration: If specific IOCs (domains, phone numbers) are shared by the SSU or FBI, immediately ingest them into your SIEM and EDR systems for blocking.
5. Account Audit: For confirmed targets, perform a full audit of messaging account logs (login locations, active sessions) and revoke all active sessions except for known corporate devices.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub