They provided some domains, but not all of them are taken. For example, signal-protect[.]host is available, kropyva[.]site is available, signal-confirm[.]site is registered in Ukraine. Some of them are registered in Russia.
Never trust a country at war—any side. Party A blames B, Party B blames A, but both have their own agenda.
The WHOIS is usually fake, made-up data, so don't know why you are using that to claim it's registered in Ukraine. Russia is also known to use stolen credentials, SIM cards, etc. from their neighbouring countries, including Ukraine, for things like this.
Then why should I trust the article at all? If WHOIS data is fake and stolen credentials are common (which I don't disagree with), I could register a domain, put your name on it, and make it look like you're behind the phishing. Would that make it true? After all, in war, deception is a legitimate tactic.
I believe you are making a mistake by thinking that since a malicious actor's domain is registered in Ukraine, it automatically must be doing something in the interests of Ukraine, or at least be known to its officials.
Lots of Russian state actors have no problems working from within Ukraine, alas. Add to this purely chaotic criminal actors who will go with the highest bidder, territories temporarily controlled by Russians that have people shuttle to Ukraine and back daily, and it becomes complicated very quickly.
Fair point. Just because a domain is registered in Ukraine doesn't mean it's acting in Ukraine's interests. But that works both ways. If Russian actors can operate from Ukraine, then Ukrainian actors (or others) can also operate from Russia, or at least make it look that way. Cyber attacks originating from Ukraine and targeting Russia aren't uncommon either, which only adds to the complexity of attribution.
The issue isn't just attribution but also affiliation. When similar attacks come from Ukraine targeting Russia, Google stays quiet. I understand that Russia invaded Ukraine, not the other way around, but given the complexity of the conflict, aligning with one side in cyber warfare reporting is a questionable move. At the end of the day, attacks will come from both sides - it's a war, after all.
Edit: when I say 'questionable move', I'm specifically referring to Google. It's unclear what they were trying to achieve with this article: is it a political statement or just a marketing piece showcasing how good GTIG is? Or both?
Ukrainian military are moving from Telegram, which presumably still has some ties to Russia despite the claims. And this is yet another phishing campaign in the Ukrainian language that makes use of Ukrainian-registered domains to host fake Signal group invites to make Ukrainian military join and link their devices to an adversary-controlled machine. Who might be behind that attack? Hmm, let me think... I don't know! Probably Ukrainians themselves. Or it might be the US. Might as well be the Martians. We will never know the real truth, after all nobody is to be trusted during the war!
Stop the tiresome FUD please. This war is surprisingly straightforward by the standards of the last century; it's literally out of some decades-old textbook. Let's not drag this discussion here again. If you have specific issues with Google's attribution here, please state them; HN is pretty aware that attribution can be shaky. My only gripe with the article is the clickbait title: nobody says that someone is "targeting e-mail" about e-mail phishing.