
Infiltrators Zero In on Weapons Vendors in Ukraine

Russo-Ukrainian weapon suppliers under cyberattack: Fancy Bear, the infamous Russian hacking collective, sets its sights on defense firms.

Illicit actors infiltrate arms suppliers supporting Ukraine, threatening to disrupt military supplies.

The Russian hacker group Fancy Bear has been waging a stealthy cyberespionage campaign against arms companies supplying weapons to Ukraine, according to a report by the Slovak security firm Eset, based in Bratislava. The campaign primarily targets manufacturers of Soviet-era weaponry in Bulgaria, Romania and Ukraine, which play a pivotal role in Ukraine's defence against Russia's aggression. Arms factories in Africa and South America have also been hit.

Also tracked as Sednit or APT28, Fancy Bear is believed to work in conjunction with the Russian intelligence services, using cyberattacks as a tool for political influence and destabilization. Beyond espionage, the group also runs targeted disinformation campaigns aimed at Western democracies.

Crafting the perfect trap

In its latest operation, nicknamed "Operation RoundPress," Fancy Bear relies on spearphishing. The group carefully crafts emails that resemble news alerts from credible sources such as the Kyiv Post or the Bulgarian news portal News.bg. The aim is to get high-ranking officials and defense executives to open the emails in their browsers: doing so triggers the malware, and the news-alert disguise helps the messages slip past spam filters.

Bypassing two-factor defense mechanisms

Researchers from Eset found evidence of a malware program dubbed "SpyPress.MDAEMON." Once embedded in an affected system, it can not only read login credentials and track emails but also bypass two-factor authentication. Two-factor authentication, a security measure that requires a second form of verification in addition to a password, has been outmaneuvered by Fancy Bear on numerous occasions. The group achieves this by obtaining long-term access to mailboxes through application passwords.

"Companies often fail to maintain their webmail servers, leaving them vulnerable to attacks like these," explained Eset researcher Matthieu Faou. "Simply viewing an email in the browser can be enough to trigger malware without the recipient actively clicking anything."

Key Insights from the Enrichment Data:

  • Fancy Bear, also recognized as APT28 and linked to the Russian military intelligence agency GRU, has been conducting the Operation RoundPress cyberespionage campaign since at least 2023. Targets have included Ukrainian governmental entities, defense companies producing Soviet-era weapons in Bulgaria and Romania, and military personnel and officials from various nations supporting Ukraine's arms supply.
  • Fancy Bear mainly uses spearphishing emails that mimic legitimate Ukrainian news topics about the ongoing conflict; the emails are designed to lure high-ranking officials and defense executives into opening the malicious messages.
  • By exploiting cross-site scripting (XSS) vulnerabilities in common webmail platforms such as Roundcube, Horde, MDaemon, and Zimbra, Fancy Bear injects malicious JavaScript code directly into the victim's webmail client, where it runs in the browser context.
  • Once injected, the malicious JavaScript runs in the victim's browser, stealing sensitive data such as login credentials, address book contacts, message history, and in certain cases, two-factor authentication information. The malware is non-persistent: the victim has to reopen the malicious email for the attack to continue.
  • Because the injected JavaScript runs inside the victim's webmail session, Fancy Bear can capture session tokens and authentication cookies in the browser, effectively bypassing 2FA protections that typically apply only at the login stage. In some cases, the attackers have succeeded in exfiltrating the 2FA information itself.
  • Fancy Bear, operating in conjunction with the Russian intelligence services, has targeted EC countries such as Bulgaria, Romania, and Ukraine, known for producing the Soviet-era weaponry being supplied to Ukraine, as part of its ongoing cyberespionage.
  • Alongside its political-influence and disinformation campaigns, Fancy Bear employs techniques such as spearphishing and exploitation of webmail vulnerabilities to bypass two-factor authentication, as demonstrated in Operation RoundPress.
  • Against the backdrop of ongoing global conflicts and geopolitical news, cybersecurity measures matter increasingly for industries such as defense and the news media, given the evolving threats posed by groups like Fancy Bear.
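The list above describes injected JavaScript that runs inside the webmail origin as soon as a message is displayed, which is also the point of the Eset quote earlier: viewing the email is enough. The following is an added example, not code from the article, from Eset, or from any of the named webmail products. It shows a minimal allowlist HTML sanitizer of the kind a webmail client has to apply before rendering a message, plus a scanner that flags stored messages whose HTML carries executable content. The tag lists, the regular expressions and the two sample messages are constructed assumptions.

```python
"""Render-time defense against the webmail XSS technique described in the text.

Added example: a minimal allowlist sanitizer for HTML message bodies and a
scanner that flags messages whose HTML carried executable content. The tag
lists, regexes and sample mailbox are constructed for illustration.
"""
import html
import re
from html.parser import HTMLParser

# Elements that execute script or pull in active content; dropped with their contents.
BLOCKED_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
                "base", "meta", "link", "form", "style"}
# Plain formatting elements a message may legitimately contain (constructed allowlist).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "div", "span", "table", "tr", "td", "th", "img", "h1", "h2", "h3"}
# Attributes that carry a URL and can therefore smuggle an active scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
_ACTIVE_SCHEME = re.compile(r"^(javascript|vbscript|data):", re.IGNORECASE)
_CONTROL_CHARS = re.compile(r"[\x00-\x20]")  # browsers ignore these inside a scheme


class EmailSanitizer(HTMLParser):
    """Rebuilds the message from an allowlist, recording everything it removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # decodes &#9; etc. before we inspect values
        self.out = []        # sanitized fragments
        self.findings = []   # human-readable reason for each removal
        self._skip = None    # name of the blocked element whose content is being dropped

    def handle_starttag(self, tag, attrs):
        if self._skip:
            return
        if tag in BLOCKED_TAGS:
            self.findings.append(f"blocked element <{tag}>")
            self._skip = tag
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"unlisted element <{tag}> dropped")
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name == "style":
                self.findings.append(f"inline style on <{tag}>")  # CSS can fetch remote resources
            elif name in URL_ATTRS and value is not None and \
                    _ACTIVE_SCHEME.match(_CONTROL_CHARS.sub("", value)):
                self.findings.append(f"active URL scheme in {name} on <{tag}>")
            else:
                kept.append((name, value))
        attr_text = "".join(
            f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if self._skip:
            if tag == self._skip:
                self._skip = None
            return
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data))  # re-escape so text stays text


def sanitize(body):
    """Return (sanitized_html, findings) for one HTML message body."""
    parser = EmailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.findings


def scan_mailbox(messages):
    """Map each subject to 'suspicious' or 'clean' based on what sanitization removed."""
    return {m["subject"]: ("suspicious" if sanitize(m["body"])[1] else "clean")
            for m in messages}


# Constructed sample messages. The second mirrors the technique in the text: a
# news-alert-styled body carrying script that would run as soon as webmail renders it.
SAMPLE_MAILBOX = [
    {"subject": "Morning briefing",
     "body": '<div><h2>Kyiv Post - Morning briefing</h2>'
             '<p>Read the <a href="https://example.invalid/news/1">full story</a>.</p>'
             '<img src="https://example.invalid/logo.png" alt="logo"></div>'},
    {"subject": "Breaking news",
     "body": '<div><h2>Breaking: front-line update</h2>'
             '<img src="x" onerror="alert(1)">'                   # fires without any click
             '<script>alert(1)</script>'                           # runs in the webmail origin
             '<a href="JAVA&#9;SCRIPT:alert(1)">Read more</a>'    # entity-obfuscated scheme
             '<p style="background:url(https://example.invalid/t)">Details inside.</p></div>'},
]

if __name__ == "__main__":
    for message in SAMPLE_MAILBOX:
        clean, findings = sanitize(message["body"])
        print(message["subject"], "->", "suspicious" if findings else "clean")
        for finding in findings:
            print("   ", finding)
        print("   ", clean)
```

Running the block prints a verdict for each sample and the sanitized body that would actually be rendered. Rebuilding the document from an allowlist, rather than deleting known-bad patterns, is what makes the approach hold up against encoded variants such as the tab-split `javascript:` URL in the second sample. The list's point about stolen session tokens is the separate reason webmail session cookies should be set HttpOnly, which keeps them out of reach of any script that does slip through.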
