Full Report
Russian hackers are not just targeting Ukraine; they also appear to be going after Ukraine's defense contractors in other countries, new ESET research finds. The post Fancy Bear campaign sought emails of high-level Ukrainians and their military suppliers appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Fancy Bear (APT28 / Sednit)
## Attribution & Identity
* **Identification:** Hacking group linked to Russia’s Main Intelligence Directorate (GRU).
* **Aliases:** APT28, Sednit (the name ESET uses to track the group).
## Activity Summary
* **Campaign Name:** Operation RoundPress (ongoing since at least 2023).
* **Focus:** Targeting email accounts of high-ranking Ukrainian officials and executives at international defense contractors supplying Kyiv.
* **Primary Objective (Wartime):** Collecting political and wartime intelligence, specifically gaining insight into the Ukrainian military’s supply chain.
* **Historical Activities:** Best known for the hack and leak of Democratic National Committee emails (2016). Additionally accused by France of attempted/successful hacks against a dozen French entities since 2021 and attempting to destabilize French elections in 2017.
## Tactics, Techniques & Procedures
* **Delivery Mechanism:** Spearphishing combined with cross-site scripting (XSS) vulnerabilities in webmail software.
* **Lures:** Fake headlines from prominent Ukrainian news outlets (e.g., Kyiv Post) written in Ukrainian, referencing the Russia-Ukraine war.
* **Exploitation:** Leveraging both zero-day and known vulnerabilities in various webmail software products (Roundcube, Horde, MDaemon, Zimbra).
* **Specific Exploitation:** Observed leveraging **CVE-2024-11182** (in emails sent in November 2024). ESET suspects Fancy Bear either developed this zero-day itself or acquired it.
* **Payload:** Custom JavaScript malware payload delivered via XSS upon opening a malicious email.
* **Capabilities:** Exfiltration of the victim's email messages, address book, contacts, and login history. Able to steal 2FA passwords/secrets through flaws in MDaemon software, which then allows the attackers to reach the mailbox from other applications.
* **Persistence:** The malware has no dedicated persistence mechanism; it is simply reloaded every time the victim opens the malicious email.
* **Credential Theft:** Tricking the browser or password manager into submitting stored credentials, or serving a fake login page after the victim logs out.
* **MITRE ATT&CK (Implied/Observed specific entries):** Exploitation of Software Vulnerability (T1190), Spearphishing Link (T1566.001), Cross-Site Scripting (Relevant for XSS exploitation).
## Targeting
* **Sectors:** Government/State Entities, Defense Contractors, Military Entities.
* **Geography:** Primarily Ukraine, but also Greece, Cameroon, Serbia, Romania, Bulgaria, and Ecuador. Evidence of intelligence gathering spanning Latin America, the EU, and Africa.
* **Victims (2024 examples):** Officials from regional and national governments in Ukraine, Greece, Cameroon, and Serbia; military officials in Ukraine and Ecuador; defense contracting firms in Ukraine, Romania, and Bulgaria. ESET identified at least 17 separate victim organizations in the webmail campaign.
## Tools & Infrastructure
* **Malware Families Used:** Custom JavaScript malware payload.
* **Infrastructure:** The source gives no IPs or domains. Because the payload runs in the victim's browser inside an authenticated webmail session, its command-and-control and exfiltration traffic is expected to look like ordinary web-session traffic rather than a distinct beacon.
## Implications
* The actor maintains a high operational tempo, focusing heavily on exploiting webmail software vulnerabilities since 2023, indicating a strategic shift towards securing persistent access to sensitive communications.
* The targeting explicitly links to intelligence collection supporting the Russia-Ukraine war effort via supply chain visibility, while also showing a broader GRU mandate for global government/military intelligence gathering.
* The use of a potential zero-day (CVE-2024-11182) underscores their advanced capabilities and willingness to invest in custom offensive tooling.
## Mitigations
* Patching known vulnerabilities in webmail software (Roundcube, Horde, MDaemon, Zimbra) as soon as fixes are available, since many of the observed compromises exploited flaws for which patches already existed.
* Implementing robust email filtering and monitoring to detect spearphishing attempts, especially messages mimicking local or Ukrainian news sources.
* Implementing defense-in-depth controls around email access, particularly Multi-Factor Authentication (MFA), while noting that the observed malware can steal 2FA secrets from vulnerable MDaemon deployments, so MFA alone does not contain this campaign.
* Monitoring for anomalous activity related to JavaScript execution within webmail clients.
* Closely tracking and blocking network connections associated with suspected data exfiltration following email interactions.
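To make the JavaScript-monitoring point above concrete, and to match the delivery mechanism described under Tactics, Techniques & Procedures (a payload that runs when a malicious HTML email is merely opened in webmail), here is an added triage example; it is not ESET's or CyberScoop's code. It flags HTML mail bodies that carry active content a webmail XSS would rely on, and runs over constructed sample messages (the `news.example` hosts and all body text are made up).

```python
"""Flag HTML e-mail bodies carrying active content (script/iframe tags,
on* event handlers, javascript:/vbscript:/non-image data: URLs) for SOC triage.
Added example, not from the original report. Sample messages are constructed."""
import re
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class ActiveContentFinder(HTMLParser):
    """Collects findings instead of stopping, so one pass reports everything."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):  # any event handler fires without a click
                self.findings.append(f"handler:{tag}@{name}")
            elif name in URL_ATTRS:
                # HTMLParser already decoded entities (&#58; -> ':'); also strip
                # whitespace/control chars used to split a scheme like "java\tscript:"
                norm = re.sub(r"[\s\x00-\x1f]", "", value or "").lower()
                if norm.startswith(SCRIPT_SCHEMES) or (
                    norm.startswith("data:") and not norm.startswith("data:image/")
                ):
                    self.findings.append(f"uri:{tag}@{name}")

    handle_startendtag = handle_starttag  # <img .../> goes through the same check


def scan_html_body(body):
    """Return the list of active-content findings for one HTML body."""
    parser = ActiveContentFinder()
    parser.feed(body)
    parser.close()
    return parser.findings


def triage(messages):
    """Return only the messages that produced findings, keyed by message id."""
    return {mid: f for mid, f in ((m, scan_html_body(b)) for m, b in messages.items()) if f}


SAMPLES = {  # constructed bodies; the first mimics a plain news-style lure with a normal link
    "benign": '<p>Kyiv Post: headline text</p><a href="https://news.example/story">Read</a>',
    "handler": '<p>Headline</p><img src="x" onerror="/* constructed marker */">',
    "script": '<div>Text<script>/* constructed marker */</script><iframe src="https://x.example"></iframe></div>',
    "encoded": '<a href="java\tscript&#58;void(0)">Login</a>',
}
```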