Russia’s ‘Fancy Bear’ hackers targeted Ukrainian gov’t, military orgs

Hackers with an infamous Russian military cyber group have targeted the Ukrainian government and a company involved in military aviation since Moscow’s invasion of its neighbor began, Ukraine's cyber agency reported Tuesday.

Ukraine’s computer emergency response team (CERT-UA) and researchers from Recorded Future’s Insikt Group attributed the campaign to APT28 — also known as Fancy Bear and BlueDelta — which multiple Western governments believe is run within the the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

The Record is an editorially independent unit of Recorded Future.

APT28 is responsible for the attack on the U.S. Democratic National Committee during the 2016 elections and the breach of the World Anti-Doping Agency.

The new campaign targeted the email inboxes of a regional prosecutor's office, an undisclosed Ukrainian executive authority, other government entities and an organization involved in military aircraft infrastructure upgrade and refurbishment.

The spearphishing campaign used news about Russia’s invasion of Ukraine to coax victims into opening malicious emails. It was “likely intended to enable military intelligence-gathering to support Russia’s invasion of Ukraine,” according to Insikt researchers.

Once opened, devices were immediately compromised without the need for victims to engage with the attachments added to the emails. The cyberattacks exploit three vulnerabilities in Roundcube’s Webmail service.

Researchers noted that the email campaign has been operational since at least November 2021.

The phishing emails contain malicious scripts that “redirect a victim’s future incoming emails to an actor-controlled email address” and allow the hackers to spy on the victim’s inbox. The hackers can also exfiltrate data from the inbox, including a victim’s address book and more.

Tom Kellermann, a former Obama administration adviser on cybersecurity, said “APT28 has been hunting in Ukrainian cyberspace since 2013.”

“This intrusion is significant, and I am concerned that they might escalate and use wipers to leverage systemic destructive attacks,” he said.

Insikt Group said the APT28 hackers have especially shown a long-standing interest in gathering intelligence on government and military organizations in Ukraine and across Europe.

“The most recent activity very likely represents a continued focus on these entities and specifically those within Ukraine,” Insikt Group said.

“We assess that BlueDelta [APT28] activity is likely intended to enable military intelligence-gathering to support Russia's invasion of Ukraine and believe that BlueDelta will almost certainly continue to prioritize targeting Ukrainian government and private sector organizations to support wider Russian military efforts.”

Correction: a previous version of this article included details provided by CERT-UA from an unrelated incident. They have been removed.