Russian Intelligence Targets Victims Worldwide in Rapid-Fire Cyberattacks

Published: 23/11/2024   Category: security




Russia's government is pretending to be other governments in emails, with an eye toward stealing strategic intel.



Russian state hackers are performing targeted phishing campaigns in at least nine countries spread across four continents. Their emails tout official government business and, if successful, threaten not just sensitive organizational data but also geopolitical intelligence of strategic importance.
Such a sophisticated, multipronged plot could only be wrought by a group as prolific as Fancy Bear (aka APT28, Forest Blizzard, Frozenlake, Sofacy Group, Strontium, UAC-028, and many more aliases), which IBM X-Force tracks as ITG05 in a new report.
Besides the convincing government-themed lures and three new variants of custom backdoors, the campaign stands out most for the information it targets: Fancy Bear appears to be aiming for highly specific information of use to the Russian government.
Fancy Bear has utilized at least 11 unique lures in campaigns targeting organizations in Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States.
The lures look like official documents associated with international governments, covering themes as broad as finance, critical infrastructure, executive engagements, cybersecurity, maritime security, healthcare, and defense industrial production.
Some of these are legitimate, publicly accessible documents. Others, interestingly, appear to be internal to specific government agencies, raising the question of how Fancy Bear got its hands on them in the first place.
"X-Force does not have insight into whether ITG05 has successfully compromised the impersonated organizations," notes Claire Zaboeva, threat hunter for IBM X-Force. "As it is possible ITG05 leveraged unauthorized access to collect internal documents, we have notified all imitated parties of the activity prior to publication as a part of our Responsible Disclosure Policy."
Alternatively, Fancy Bear/ITG05 may have merely imitated real files. "For instance, some of the uncovered documents feature noticeable errors like misspelling the names of principal parties in what appear to be official government contracts," she said.
Another important quality of these lures is that they are quite specific.
English-language examples include a cybersecurity policy paper from a Georgian NGO, and a January itinerary detailing the 2024 Meeting and Exercise Bell Buoy (XBB24) for participants of the US Navy's Pacific Indian Ocean Shipping Working Group (PACIOSWG).
And there are the finance-themed lures: a Belarusian document with recommendations for creating commercial conditions to facilitate interstate enterprise by 2025, in alignment with a Eurasian Economic Union initiative; an Argentine Ministry of Economy budgetary policy document offering strategic guidelines for assisting the president with national economic policy; and more along these lines.
"It is likely the collection of sensitive information regarding budget concerns and the security posture of global entities is a high-priority target given ITG05's established mission space," X-Force said in its report on the campaign.
Argentina, for example, recently rejected an invitation to join the BRICS (Brazil, Russia, India, China, South Africa) trade organization, so it is possible that ITG05 seeks to attain access that may yield insight into the priorities of the Argentine government, X-Force said.
Besides specificity and an appearance of legitimacy, the attackers use one more psychological trick to ensnare victims: presenting them initially with only a blurred version of the document. As in the image below, recipients can see just enough detail to make out that these documents appear official and important, but not enough to avoid having to click on them.
When victims on attacker-controlled sites click to view the lure documents, they download a Python backdoor called Masepie. First discovered in December, it's capable of establishing persistence on a Windows machine and enabling the downloading and uploading of files and arbitrary command execution.
One of the files Masepie downloads to infected machines is Oceanmap, a C#-based tool for command execution via the Internet Message Access Protocol (IMAP). Oceanmap's original variant — not the one used here — had information-stealing functionality, which has since been excised and transferred to Steelhook, the other Masepie-downloaded payload associated with this campaign.
Steelhook is a PowerShell script whose job is to exfiltrate data from Google Chrome and Microsoft Edge via a webhook.
More notable than its malware is Fancy Bear's immediacy of action. As first described by Ukraine's Computer Emergency Response Team (CERT-UA), Fancy Bear infections download backdoors and conduct reconnaissance and lateral movement via stolen NTLMv2 hashes for relay attacks within the first hour of landing on a victim machine.
Therefore, potential victims need to act quickly or, better yet, prepare in advance for infection. They can do so by following IBM's laundry list of recommendations: monitoring for emails with URLs served by Fancy Bear's hosting provider, FirstCloudIT, and for suspicious IMAP traffic to unknown servers; addressing its favored vulnerabilities — such as CVE-2024-21413, CVE-2024-21410, CVE-2023-23397, CVE-2023-35636 — and much more.
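Two of those recommendations, watching for mail that links to a watch-listed hosting domain and for IMAP sessions to servers the organization does not use, can be turned into simple log triage. The following is an added example written for this page, not code from IBM X-Force or the report; the log lines, the approved IMAP server, the IP addresses and the watch-listed domain (`hosting-provider.example`, standing in for whatever your threat-intel feed lists for the provider named above) are all constructed placeholders.

```python
"""Added example (not from the report): triage constructed firewall and
mail-gateway log lines for two indicators the recommendations describe:
  1. outbound IMAP (TCP 143/993) sessions to servers not on an approved list, and
  2. inbound mail whose URL points at a watch-listed hosting domain.
All hostnames, IPs and the watch-list entry below are constructed placeholders."""
import re
from urllib.parse import urlparse

# IMAP servers the organization legitimately uses (assumed, constructed).
APPROVED_IMAP = {"imap.corp.example"}
# Hosting domains to watch; placeholder for the entries a threat-intel feed would supply.
WATCHED_URL_DOMAINS = {"hosting-provider.example"}
IMAP_PORTS = {143, 993}

# Constructed sample firewall log lines (not real traffic).
FIREWALL_LOGS = [
    "2024-11-23T08:02:11Z src=10.1.5.22 dst=imap.corp.example dport=993 proto=tcp action=allow",
    "2024-11-23T08:05:40Z src=10.1.5.22 dst=203.0.113.77 dport=993 proto=tcp action=allow",
    "2024-11-23T08:06:02Z src=10.1.5.23 dst=198.51.100.9 dport=443 proto=tcp action=allow",
    "2024-11-23T08:07:15Z src=10.1.5.24 dst=mail.unknown-host.example dport=143 proto=tcp action=allow",
]
# Constructed sample mail-gateway log lines (not real messages).
MAIL_LOGS = [
    'from=ministry@gov.example subject="Budget policy 2025" url=https://docs.hosting-provider.example/view/abc',
    'from=colleague@corp.example subject="lunch" url=https://intranet.corp.example/menu',
    'from=vendor@partner.example subject="invoice" url=https://sub.hosting-provider.example/pay',
]

FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
URL_RE = re.compile(r"url=(\S+)")
FROM_RE = re.compile(r"from=(\S+)")


def flag_imap_to_unknown(lines):
    """Return (src, dst) pairs for IMAP-port sessions to non-approved destinations."""
    hits = []
    for line in lines:
        m = FW_RE.search(line)
        if not m:
            continue
        if int(m["dport"]) in IMAP_PORTS and m["dst"] not in APPROVED_IMAP:
            hits.append((m["src"], m["dst"]))
    return hits


def _host_matches(host, domains):
    # Match the watched domain itself or any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in domains)


def flag_watched_urls(lines):
    """Return (sender, url) pairs for mail whose URL host is on the watch list."""
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        host = urlparse(url).hostname or ""
        if _host_matches(host, WATCHED_URL_DOMAINS):
            sender_match = FROM_RE.search(line)
            sender = sender_match.group(1) if sender_match else "<unknown>"
            hits.append((sender, url))
    return hits


if __name__ == "__main__":
    for src, dst in flag_imap_to_unknown(FIREWALL_LOGS):
        print(f"ALERT imap-to-unknown-server src={src} dst={dst}")
    for sender, url in flag_watched_urls(MAIL_LOGS):
        print(f"ALERT watched-hosting-url from={sender} url={url}")
```

The two checks are deliberately allow-list and watch-list based rather than keyed on a single indicator: an IMAP-based tool like Oceanmap only stands out once you know which IMAP servers your hosts should be talking to, and the hosting-domain match covers subdomains so that per-victim subdomains on the same provider are still caught.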
"ITG05 will continue to leverage attacks against world governments and their political apparatus to provide Russia with advanced insight into emergent policy decisions," the researchers concluded.
