Yury Hubarevich. Photo: ОПК
Belarusian politician Yury Hubarevich, coordinator of the Personnel Reserve initiative, head of the For Freedom movement and a member of the Coordination Council of Belarus, became the target of a phishing attack. The incident was investigated by Resident.ngo, an organisation that provides digital security services to NGOs, media outlets and activists in Belarus, Ukraine, Moldova and other Eastern European countries.
According to the researchers, Google Threat Intelligence linked the attack infrastructure to UNC1151, an espionage group associated with Belarus and connected to Ghostwriter operations.
The incident occurred on May 29. Hubarevich received an email in Russian disguised as a Google notification about suspicious activity on his account. The message claimed that the account would be deleted within 24 hours unless the user completed a verification procedure. The politician forwarded the email to cybersecurity specialists.
The analysis found that the link in the email first directed users to a compromised third-party website before redirecting them to a fake Google login page. The phishing site relayed information entered by the victim to the attackers in real time, including passwords and one-time two-factor authentication codes. This method allows attackers to gain immediate access to a victim’s genuine account.
The report notes that the email was sent from a legitimate Gmail account and successfully passed standard email authentication checks. The sender’s name visually resembled “Account Support” but contained Cyrillic characters that looked similar to Latin letters.
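Because the message passed standard email authentication, the look-alike sender name is a header signal a mail filter can still check. The sketch below is an added example, not code from the Resident.ngo report: it flags display names that mix Latin and Cyrillic letters or that collapse to a protected name once look-alike letters are mapped to Latin. The function names, the confusables subset, the protected-name list and the sample headers are all constructed for illustration.

```python
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Cyrillic letters that render like Latin ones (small constructed subset,
# written as escapes so the two scripts cannot be confused in this listing).
_CYR = "\u0410\u0412\u0415\u041a\u041c\u041d\u041e\u0420\u0421\u0422\u0425" \
       "\u0430\u0435\u043e\u0440\u0441\u0443\u0445"
_LAT = "ABEKMHOPCTXaeopcyx"
TO_LATIN = str.maketrans(_CYR, _LAT)

# Names the filter protects (assumption; the page mentions only this one).
PROTECTED_NAMES = {"account support"}


def scripts_in(word):
    """Return the set of scripts (LATIN/CYRILLIC) used by the letters of word."""
    found = set()
    for ch in word:
        name = unicodedata.name(ch, "")
        for script in ("LATIN", "CYRILLIC"):
            if name.startswith(script):
                found.add(script)
    return found


def check_from_header(from_header):
    """Flag display names that mix scripts or imitate a protected name."""
    raw_name, address = parseaddr(from_header)
    name = str(make_header(decode_header(raw_name)))  # RFC 2047 decoding
    mixed = [w for w in name.split() if len(scripts_in(w)) > 1]
    skeleton = name.translate(TO_LATIN).casefold()
    imitates = skeleton in PROTECTED_NAMES and name.casefold() != skeleton
    return {"name": name, "address": address, "mixed_script_words": mixed,
            "skeleton": skeleton, "suspicious": bool(mixed) or imitates}


# Constructed sample headers; the addresses are placeholders.
SPOOFED = "\u0410\u0441\u0441\u043eunt Su\u0440\u0440ort <sender@example.com>"
GENUINE_LATIN = "Account Support <sender@example.com>"
GENUINE_CYRILLIC = "\u0421\u043b\u0443\u0436\u0431\u0430 <sender@example.com>"  # "Служба"

if __name__ == "__main__":
    for header in (SPOOFED, GENUINE_LATIN, GENUINE_CYRILLIC):
        print(check_from_header(header))
```

A name written entirely in one script is not flagged for mixing, so legitimate Russian-language sender names pass; only the mixed-script or imitation cases are marked suspicious.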
Experts emphasise that such attacks can bypass protection based on SMS codes and authenticator applications because authentication codes are intercepted in real time. Specialists describe FIDO2 hardware security keys and passkey technology as the most effective protection against such schemes.