Fancy Bears Are Not Teddy Bears

The notorious Russian cyber-espionage gang known as Fancy Bear, also known as APT28, has increased its attacks against governments and military entities worldwide using new sophisticated cyber tools and technology.  Fancy Bear is perhaps best known in the United States for its hack and leak of Democratic National Committee emails in the lead-up to the 2016 presidential election.  Eleven Western countries have accused the hacking group of targeting defense, transport, and tech firms involved in helping Ukraine.

See:  https://redskyalliance.org/xindustry/russia-s-fancy-bear-growls-again

British Foreign Secretary David Lammy said the UK's National Cyber Security Centre had discovered a sophisticated digital espionage tool used to harvest login credentials from online Microsoft products.  He accused Russia of conducting a "sustained campaign of malicious cyber activity" targeting governments and institutions across Europe and linked the activity to the UK's continued support of Ukraine.  Spies from Russia's military intelligence agency, the GRU, were "running a campaign to destabilize Europe", Lammy added.[1]

New Zealand is the latest to join in international condemnation of cyber-attacks by the Russian government and has imposed sanctions on more than 1,800 entities and individuals under the Russia Sanctions Act 2022, including the Head of the GRU and its cyber warfare units 74455 and 26165, known as Sandworm and Fancy Bear.   Active since 2007/8, this state-sponsored hacking gang has established itself as one of the most persistent and dangerous cyber adversaries, with a documented history of targeting high-value organizations across multiple continents, including the United States, Ukraine, Germany, and France.

Since the beginning of the Russia-Ukraine war, the unit has increasingly focused on collecting and utilizing political and wartime intelligence from the conflict.  Recent intelligence indicates that Fancy Bear has significantly expanded its tactical capabilities, particularly focusing on entities connected to the Ukrainian conflict and Western logistics companies providing military support.  Fancy Bear has been developing its malware and attack methodologies to avoid detection, while maintaining access to critical infrastructure and sensitive government communications.

In a recent report from Cyfirma, analysts focused on the group’s latest campaign hitting Ukrainian government and military suppliers through highly sophisticated spear-phishing operations.  These attacks leverage cross-site scripting vulnerabilities in widely used webmail platforms, including Roundcube, Horde, MDaemon, and Zimbra, allowing the attackers to deploy custom JavaScript malware payloads capable of exfiltrating sensitive data such as email messages, address books, and login credentials.

The group’s recent exploitation of CVE-2023-23397, CVE-2023-38831, and CVE-2023-20085 demonstrates their rapid adaptation to newly discovered vulnerabilities.

Their attack chains often begin with weaponized documents containing malicious macros that downgrade security settings and establish persistent backdoor access through malware families, including HATVIBE and CHERRYSPY.  Web-based email services are one of Fancy Bear's preferred targets.  A typical compromise involves web-based email users receiving an urgent email requesting that they change their passwords to avoid being hacked.  The email contains a link to a spoof website designed to mimic a real webmail interface; users who attempt to log in have their credentials stolen.  Fancy Bear's tradecraft continues to evolve and now includes sophisticated anti-analysis techniques and data collection capabilities.
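As an added illustration (not part of the original article or of any vendor's tooling), the following Python triage routine checks an HTML email for the two lure traits described above: active content that a webmail XSS flaw could execute, and an urgent password-change link pointing at a host other than the organization's real webmail.  The host list `LEGIT_WEBMAIL_HOSTS`, the host `mail.example.org` and the sample message are assumptions constructed for this example.

```python
"""Heuristic triage of an HTML e-mail for webmail-lure traits: active content
(script tags, on* handlers, javascript: URLs) and an urgent password-reset
link that leads away from the organization's real webmail host."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_WEBMAIL_HOSTS = {"mail.example.org"}  # assumption: the org's real webmail host
URGENCY = re.compile(r"(change|reset|update) your password|account will be (locked|suspended)", re.I)
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)

class _Scan(HTMLParser):
    """Collects anchor targets and any attribute/tag that would run script."""
    def __init__(self):
        super().__init__()
        self.links, self.active = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.active.append("<script>")
        for name, value in attrs:
            value = value or ""
            if EVENT_ATTR.match(name):
                self.active.append(f"{tag}@{name}")
            if value.strip().lower().startswith("javascript:"):
                self.active.append(f"{tag}@{name}=javascript:")
            if tag == "a" and name == "href":
                self.links.append(value)

def triage(raw_email: str) -> dict:
    """Return findings for a single-part HTML message (headers + body)."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    scan = _Scan()
    scan.feed(body)
    # Any login link whose host is not the real webmail is suspect.
    off_domain = [u for u in scan.links if (urlparse(u).hostname or "") not in LEGIT_WEBMAIL_HOSTS]
    text = re.sub(r"<[^>]+>", " ", body)
    urgent = bool(URGENCY.search(text) or URGENCY.search(msg.get("Subject", "")))
    return {"active_content": scan.active,
            "off_domain_links": off_domain,
            "credential_lure": urgent and bool(off_domain)}

# Constructed sample lure (not a real message): urgent wording, a look-alike login host,
# and an inline event handler of the kind a webmail XSS flaw would execute.
SAMPLE = """\
Subject: Urgent: change your password
Content-Type: text/html; charset=utf-8

<p>Your mailbox was targeted. <b>Change your password</b> now at
<a href="https://mail.example.org.login-verify.net/">https://mail.example.org</a>
or your account will be locked.</p><img src="x" onerror="run()">
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The heuristic is deliberately narrow; in practice it would sit beside URL reputation and sender-authentication checks rather than replace them.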


This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122


[1] https://www.cybersecurityintelligence.com/blog/fancy-bears-get-busy-8574.html
