30 January 2024

Russian hackers APT28 target Ukraine’s military with phishing attacks to steal credentials

Russian cyberespionage group APT28, affiliated with the Main Directorate of the General Staff of the Russian Armed Forces (GRU), has been conducting phishing attacks aimed at obtaining Ukrainian military personnel's credentials that would give it access to the country’s military situational awareness and command and control systems, Ukraine’s National Cyber Security Coordination Center (NCSCC) has warned.

The phishing campaign involves several attack vectors and is specifically targeting military personnel and units of the Ukrainian Defense Forces. In one instance, the attackers distributed a web page ostensibly containing military operational information regarding the Russian invasion. Once the page is opened, a field for entering credentials is presented to allegedly “confirm access”. The stolen credentials are then sent to an attacker-controlled server.

Another phishing tactic involves a document allegedly containing information on the activity of the ukr[.]net account. Upon clicking on the “Change password” button on the HTML page, a browser-in-the-browser (BitB) attack is launched to capture credentials.

The BitB attack is a phishing technique that simulates a login window with a spoofed domain within a parent browser window to steal credentials.

“In both cases, the credentials are exfiltrated to the actor-controlled server hxxp://202.55.80[.]225:35770, which is an Ubiquiti Edge router. The tactic of using pre-compromised Ubiquiti Edge routers to exfiltrate data has been observed by APT28 in previous phishing campaigns,” the NCSCC said.
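A defender-side illustration of the exfiltration pattern described above, added here and not part of the NCSCC advisory: the script scans constructed proxy log lines (the log format, internal addresses and all URLs other than the one indicator quoted above are assumptions) for the reported server and, more generally, for form POSTs to a bare IP address on a non-standard port, which is what a pre-compromised router used as a credential drop looks like on the wire.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicator quoted from the NCSCC statement above, refanged for matching.
KNOWN_EXFIL_HOSTS = {"202.55.80.225:35770"}

# Constructed proxy log lines (not real telemetry): timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2024-01-29T10:02:11Z 10.20.30.41 GET https://mail.ukr.net/ 200
2024-01-29T10:02:40Z 10.20.30.41 POST http://202.55.80.225:35770/login.php 200
2024-01-29T10:05:03Z 10.20.30.42 POST https://login.microsoftonline.com/common/oauth2/token 200
2024-01-29T10:07:19Z 10.20.30.43 POST http://198.51.100.7:8081/confirm 302
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d{3})$")


def is_ip_literal(host):
    """True when the URL host is a raw IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(line):
    """Return a reason string if the request looks like credential exfiltration, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _, _, method, url, _ = m.groups()
    u = urlsplit(url)
    host = u.hostname or ""
    port = u.port or (443 if u.scheme == "https" else 80)
    if f"{host}:{port}" in KNOWN_EXFIL_HOSTS:
        return "known APT28 exfil server"
    # Heuristic: legitimate login forms post to a named host on 80/443, not to a bare IP on an odd port.
    if method == "POST" and is_ip_literal(host) and port not in (80, 443):
        return "form POST to bare IP on non-standard port"
    return None


def scan(log_text):
    """Return (url, reason) pairs for every suspicious line in the log."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits.append((line.split(" ")[3], reason))
    return hits
```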

APT28 (aka APT-C-20, ATK5, Blue Athena, Fancy Bear, Frozenlake, Fighting Ursa, Forest Blizzard, G0007, Grey-Cloud, Grizzly Steppe, Group 74, Group-4127, Iron Twilight, ITG05, Pawn Storm, SIG40, Snakemackerel, Strontium, Sednit, Sofacy, Swallowtail, T-APT-12, TA422, TG-4127, Tsar Team, TsarTeam, and UAC-0028) is a Russian-backed threat actor group believed to have been active since 2007.

The threat actor is primarily focused on political and defense-oriented targets, including government, defense and aerospace contractors, energy utilities, media, research companies, journalists, and the information technology sector. Targeted regions include Ukraine, Europe (mostly NATO members), North America, the UAE, the Middle East, and Syria.

APT28 uses a wide variety of spear-phishing techniques involving malicious email and credential harvesting using fake websites embedded with malicious links. The group is also known to leverage zero-day exploits, custom malware (Zebrocy, Sofacy, X-Agent, Chopstick, Coreshell, Jhuhugit, Advstoreshell, Drovorub, Skinnyboy), watering hole attacks, and Living-off-the-Land tactics in its attack activity.

Last year, the group was observed compromising government institutions and military entities involved in aircraft infrastructure in Ukraine via security flaws in vulnerable RoundCube webmail servers. The threat actor had also targeted Ukraine’s energy infrastructure facility.

In related news, the Ukrainian Coordination Headquarters for the Treatment of Prisoners of War was hit by a distributed denial-of-service (DDoS) attack over the weekend. Access to its website has been restored, the agency said. It didn’t name the culprit behind the attack but linked the incident to the recent crash of the IL-76 plane in Belgorod Oblast (Russia), which Moscow claims was carrying 65 Ukrainian prisoners of war who were to be swapped. As of January 30, 2024, the Kremlin hadn’t provided any evidence to support the claims. Furthermore, it has rejected a request for an international commission to investigate the incident.

“Apparently, the enemy decided that the information, in particular, about the details of the exchange of prisoners of war and the downing of the IL-76 plane carries a threat for them,” the coordination center said.
