Russian Intelligence Targets Victims Worldwide in RapidFire Cyberattacks

Russia's government is pretending to be other governments in emails, with an eye toward stealing strategic intel.

March 20, 2024

Russian state hackers are performing targeted phishing campaigns in at least nine countries spread across four continents. Their emails tout official government business and, if successful, threaten not just sensitive organizational data but also geopolitical intelligence of strategic importance.

Such a sophisticated, multipronged plot could only be wrought by a group as prolific as Fancy Bear (aka APT28, Forest Blizzard, Frozenlake, Sofacy Group, Strontium, UAC-028, and many more aliases), which IBM X-Force tracks as ITG05 in a new report.

Besides the convincing government-themed lures and three new variants of custom backdoors, the campaign stands out most for the information it targets: Fancy Bear appears to be aiming for highly specific information of use to the Russian government.

Fancy Bear has utilized at least 11 unique lures in campaigns targeting organizations in Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States.

The lures look like official documents associated with international governments, covering themes as broad as finance, critical infrastructure, executive engagements, cybersecurity, maritime security, healthcare, and defense industrial production.

Some of these are legitimate, publicly accessible documents. Others, interestingly, appear to be internal to specific government agencies, raising the question of how Fancy Bear got its hands on them in the first place.

"X-Force does not have insight into whether ITG05 has successfully compromised the impersonated organizations," notes Claire Zaboeva, threat hunter for IBM X-Force. "As it is possible ITG05 leveraged unauthorized access to collect internal documents, we have notified all imitated parties of the activity prior to publication as a part of our Responsible Disclosure Policy."

"Alternatively, Fancy Bear/ITG05 may have merely imitated real files. For instance, some of the uncovered documents feature noticeable errors, like misspelling the names of principal parties in what appear to be official government contracts," she said.

Another important quality of these lures is that they are quite specific.

English-language examples include a cybersecurity policy paper from a Georgian NGO and a January itinerary detailing the 2024 Meeting and Exercise Bell Buoy (XBB24) for participants of the US Navy's Pacific Indian Ocean Shipping Working Group (PACIOSWG).

And there are the finance-themed lures: a Belarussian document with recommendations for creating commercial conditions to facilitate interstate enterprise by 2025, in alignment with a Eurasian Economic Union initiative; an Argentine Ministry of Economy budgetary policy document offering strategic guidelines for assisting the president with national economic policy; and more along these lines.

"It is likely the collection of sensitive information regarding budget concerns and the security posture of global entities is a high-priority target given ITG05's established mission space," X-Force said in its report on the campaign.

"Argentina, for example, recently rejected an invitation to join the BRICS (Brazil, Russia, India, China, South Africa) trade organization, so it is possible that ITG05 seeks to attain access that may yield insight into the priorities of the Argentine government," X-Force said.

Besides specificity and an appearance of legitimacy, the attackers use one more psychological trick to ensnare victims: presenting them initially with only a blurred version of the document. As in the image below, recipients can see just enough detail to make out that these documents appear official and important, but not enough to avoid having to click on them.

[Image: Sample lure document. Source: IBM]

When victims on attacker-controlled sites click to view the lure documents, they download a Python backdoor called Masepie. First discovered in December, it's capable of establishing persistence on a Windows machine and enabling the downloading and uploading of files, and arbitrary command execution.

One of the files Masepie downloads to infected machines is Oceanmap, a C#-based tool for command execution via the Internet Message Access Protocol (IMAP). Oceanmap's original variant (not the one used here) had information-stealing functionality, which has since been excised and transferred to Steelhook, the other Masepie-downloaded payload associated with this campaign.

Steelhook is a PowerShell script whose job is to exfiltrate data from Google Chrome and Microsoft Edge via a webhook.

More notable than its malware is Fancy Bear's immediacy of action. As first described by Ukraine's Computer Emergency Response Team (CERT-UA), Fancy Bear infections, within the first hour of landing on a victim machine, download backdoors and conduct reconnaissance and lateral movement via stolen NTLMv2 hashes for relay attacks.

Therefore, potential victims need to act quickly or, better yet, prepare in advance for their infections. They can do so by following IBM's laundry list of recommendations: monitoring for emails with URLs served by Fancy Bear's hosting provider, FirstCloudIT, and for suspicious IMAP traffic to unknown servers; addressing its favored vulnerabilities, such as CVE-2024-21413, CVE-2024-21410, CVE-2023-23397, and CVE-2023-35636; and much more.

"ITG05 will continue to leverage attacks against world governments and their political apparatus to provide Russia with advanced insight into emergent policy decisions," the researchers concluded.

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify, and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
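The two monitoring recommendations from the article (lure URLs served from the FirstCloudIT hosting provider, and IMAP connections to servers the organization does not recognize) as a small detection pass over constructed log lines. This is an added example, not code from IBM X-Force, CERT-UA or the article; the `firstcloudit.example` suffix, the mail-gateway and flow log formats, the sample records and the IMAP allowlist are all assumptions, and real indicators should be taken from the IBM report.

```python
import re
from urllib.parse import urlparse

# Constructed sample records (not from the report): two mail-gateway lines carrying
# a link each, and three netflow-style lines for outbound connections.
URL_LOG = [
    "2024-03-20T09:12:01Z mail-gw msgid=1001 sender=press@example-gov.test url=https://docs.example-gov.test/budget.pdf",
    "2024-03-20T09:14:33Z mail-gw msgid=1002 sender=office@ministry.test url=https://files.firstcloudit.example/view/itinerary.pdf",
]
FLOW_LOG = [
    "2024-03-20T09:20:10Z flow src=10.0.0.15 dst=203.0.113.7 dport=993 proto=tcp",
    "2024-03-20T09:21:44Z flow src=10.0.0.15 dst=192.0.2.20 dport=443 proto=tcp",
    "2024-03-20T09:22:02Z flow src=10.0.0.22 dst=198.51.100.5 dport=143 proto=tcp",
]

# Assumed placeholder for the hosting provider's domain(s); substitute the indicators
# published by IBM X-Force. Matching is by DNS suffix so subdomains are caught too.
SUSPECT_URL_SUFFIXES = ("firstcloudit.example",)
# Assumed allowlist of the organization's own IMAP servers (constructed addresses).
KNOWN_IMAP_SERVERS = {"198.51.100.5"}
IMAP_PORTS = {143, 993}
KV_RE = re.compile(r"(\w+)=(\S+)")  # key=value tokens in a log line

def host_matches(host: str, suffixes) -> bool:
    # Exact match or a label boundary before the suffix; "notfirstcloudit.example" must not match.
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def flag_lure_urls(lines, suffixes=SUSPECT_URL_SUFFIXES):
    """Return (msgid, url) for messages whose link host sits under a suspect suffix."""
    hits = []
    for line in lines:
        kv = dict(KV_RE.findall(line))
        url = kv.get("url")
        if not url:
            continue
        if host_matches(urlparse(url).hostname or "", suffixes):
            hits.append((kv.get("msgid"), url))
    return hits

def flag_unknown_imap(lines, known=KNOWN_IMAP_SERVERS):
    """Return (src, dst, dport) for IMAP-port connections to servers not on the allowlist."""
    hits = []
    for line in lines:
        kv = dict(KV_RE.findall(line))
        dport = int(kv.get("dport", "-1"))
        if dport in IMAP_PORTS and kv.get("dst") not in known:
            hits.append((kv["src"], kv["dst"], dport))
    return hits
```

An IMAP session to an unrecognized server from a workstation is the pattern the article attributes to Oceanmap's command channel, which is why the port check is paired with an allowlist rather than used alone.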