Russian Intelligence Targets Victims Worldwide in Rapid-Fire Cyberattacks

In a world where cyber warfare is increasingly becoming a norm, Russian state hackers are making their presence felt. They are executing targeted phishing campaigns across at least nine countries spread over four continents. The emails they send out are disguised as official government business and pose a significant threat to sensitive organizational data and geopolitical intelligence of strategic importance.

The group behind these sophisticated attacks is none other than Fancy Bear, also known by various aliases such as APT28, Forest Blizzard, Frozenlake, Sofacy Group, Strontium, UAC-028, and many more.

IBM X-Force, in its new report, identifies this group as ITG05.

Fancy Bear’s modus operandi involves using convincing government-themed lures and three new variants of custom backdoors. The information it targets is highly specific and of use to the Russian government. The group has used at least 11 unique lures in campaigns targeting organizations in Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States.

The lures appear to be official documents associated with international governments, covering a broad range of themes such as finance, critical infrastructure, executive engagements, cybersecurity, maritime security, healthcare, and defense industrial production. Some of these documents are legitimate and publicly accessible, while others seem to be internal to specific government agencies, raising questions about how Fancy Bear obtained them.

Claire Zaboeva, a threat hunter for IBM X-Force, notes that it is unclear whether ITG05 has successfully compromised the impersonated organizations. However, she adds that it is possible that ITG05 leveraged unauthorized access to collect internal documents.


The lures used by Fancy Bear are quite specific. For instance, English-language examples include a cybersecurity policy paper from a Georgian NGO and a January itinerary detailing the 2024 Meeting and Exercise Bell Buoy (XBB24) for participants of the US Navy’s Pacific Indian Ocean Shipping Working Group (PACIOSWG).

The group also uses finance-themed lures, such as a Belarusian document with recommendations for creating commercial conditions to facilitate interstate enterprise by 2025, in alignment with a Eurasian Economic Union initiative, and an Argentine Ministry of Economy budgetary policy document offering “strategic guidelines” for assisting the president with national economic policy, among others.

When victims who have been led to attacker-controlled sites click to view the lure documents, they download a Python backdoor called “Masepie.” This backdoor is capable of establishing persistence on a Windows machine, downloading and uploading files, and executing arbitrary commands.

One of the files Masepie downloads to infected machines is “Oceanmap,” a C#-based tool for command execution via the Internet Message Access Protocol (IMAP). Another payload associated with this campaign is “Steelhook,” a PowerShell script whose job is to exfiltrate data from Google Chrome and Microsoft Edge via a webhook.

Fancy Bear’s immediacy of action is noteworthy. As first described by Ukraine’s Computer Emergency Response Team (CERT-UA), within the first hour of landing on a victim machine, Fancy Bear infections download backdoors, conduct reconnaissance, and move laterally using stolen NTLMv2 hashes in relay attacks.

Therefore, potential victims need to act quickly or, better yet, prepare in advance for an infection. They can do so by following IBM’s laundry list of recommendations: monitoring for emails containing URLs served by Fancy Bear’s hosting provider, FirstCloudIT; watching for suspicious IMAP traffic to unknown servers; patching the group’s favored vulnerabilities (CVE-2024-21413, CVE-2024-21410, CVE-2023-23397, CVE-2023-35636); and much more.
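The two monitoring recommendations above (URLs served from the attacker's hosting provider in inbound mail, and IMAP sessions to servers the organization does not recognize, which is how Oceanmap takes its commands) can be turned into simple detection logic. The following is an added example written for this article, not code from IBM X-Force or CERT-UA. The article does not give FirstCloudIT's actual domains, so the suspect-host list holds a clearly labelled placeholder; the mail-server allowlist and the log records are constructed sample input, and the flow records are assumed to carry an already-resolved destination hostname where one is known (for example from DNS or TLS SNI logging).

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Placeholder only: the article names the provider (FirstCloudIT) but not its
# domains, so substitute the domains from your own threat-intel feed here.
SUSPECT_URL_HOSTS = {"firstcloudit-placeholder.example"}

# Assumed allowlist of mail servers the organization legitimately talks to
# over IMAP (constructed for this example).
KNOWN_IMAP_SERVERS = {"imap.corp.example", "outlook.office365.com"}

IMAP_PORTS = {143, 993}  # plain IMAP and IMAPS

# Matches http(s) URLs up to the next whitespace or quoting character.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    kind: str    # short detection name
    detail: str  # the URL or flow that triggered it


def suspicious_email_urls(body: str) -> list[Alert]:
    """Flag every URL whose host is a suspect domain or one of its subdomains."""
    alerts = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        for bad in SUSPECT_URL_HOSTS:
            if host == bad or host.endswith("." + bad):
                alerts.append(Alert("suspect-url-host", url))
    return alerts


def suspicious_imap_flows(flow_lines: list[str]) -> list[Alert]:
    """Parse 'src dst port proto' records and flag IMAP to non-allowlisted servers.

    Any IMAP session to a destination outside the allowlist is reported; a raw
    IP address in the dst field is never on the allowlist, so it is flagged too.
    """
    alerts = []
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed record, skip rather than crash the detector
        src, dst, port, proto = parts
        if proto != "tcp" or not port.isdigit() or int(port) not in IMAP_PORTS:
            continue
        if dst.lower() not in KNOWN_IMAP_SERVERS:
            alerts.append(Alert("imap-unknown-server", f"{src} -> {dst}:{port}"))
    return alerts


def run_detections(email_body: str, flow_lines: list[str]) -> list[Alert]:
    """Run both checks and return all alerts in order."""
    return suspicious_email_urls(email_body) + suspicious_imap_flows(flow_lines)


# Constructed sample input: a lure-style email body and four flow records.
SAMPLE_EMAIL = (
    "Please review the attached policy paper before Monday:\n"
    "https://docs.firstcloudit-placeholder.example/view/policy.pdf\n"
    "Regards"
)
SAMPLE_FLOWS = [
    "10.0.0.5 imap.corp.example 993 tcp",        # expected corporate IMAPS
    "10.0.0.5 203.0.113.7 143 tcp",              # IMAP to an unknown host (TEST-NET IP)
    "10.0.0.7 outlook.office365.com 993 tcp",    # allowlisted cloud mail
    "10.0.0.7 198.51.100.9 443 tcp",             # HTTPS, not IMAP, ignored
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EMAIL, SAMPLE_FLOWS):
        print(f"[{alert.kind}] {alert.detail}")
```

Running the script against the constructed input produces two alerts: the lure URL hosted on the placeholder suspect domain, and the IMAP session from 10.0.0.5 to 203.0.113.7. In a real deployment the allowlist check is the part that matters most, since an IMAP-based backdoor such as Oceanmap blends in with ordinary mail traffic unless the destination is compared against the servers the organization actually uses.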
