Ukraine Tracks Multiple Spear-Phishing Campaigns From Russia

Russian GRU Hackers Reach for Government Email Inboxes
Ukraine Tracks Multiple Spear-Phishing Campaigns From Russia
A Ukrainian soldier in Kharkiv Oblast in a photo published Oct. 27, 2022 (Image: National Guard of Ukraine)

Cybersecurity defenders in Ukraine revealed multiple Russian spear-phishing campaigns including an effort by Kremlin military intelligence to penetrate open-source email servers used by government agencies.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

The Computer Emergency Response Team of Ukraine in collaboration with the cybersecurity firm Recorded Future revealed Tuesday details of a spear-phishing campaign affecting Roundcube Webmail servers. Likely targets included an unidentified central Ukrainian government agency and a regional prosecutor's office, Recorded Future said.

Ukrainian authorities identify the perpetrator as APT28, a unit of the foreign intelligence branch of the general staff of Russia's military, which is known as the GRU. Russian hackers sent phishing emails to more than 40 Ukrainian organizations, authorities said.

CERT-UA on Monday identified a separate campaign using an email address attempting to emulate tech support of popular web portal Ukr.net. An attached PDF contained a link to a duped version of the web portal in a bid to harvest credentials. The bait threatened to block users unless they reauthenticated their accounts with the malicious link. Ukrainian officials attributed the campaign to an actor dubbed UAC-0102.

Close observers of Ukrainian cyberspace have noted intensifying phishing campaigns from Russian sources in recent months. Researchers from Google's Threat Analysis Group reported that in the first quarter of this year, 60% of observed phishing attacks launched by Russia targeted users in Ukraine (see: Ukraine Facing Phishing Attacks, Information Operations).

The latest APT28 campaign also performed reconnaissance activity for additional Ukrainian government entities and an organization involved in Ukrainian military aircraft infrastructure upgrade and refurbishment. The infrastructure has been in place since November 2021, Recorded Future said.

GRU hackers used news of the ongoing Russian invasion as spear-phishing bait, at least in one case using the email address ukraine_news@meta.ua. The emails contained a malicious JavaScript file attachment exploiting CVE-2020-35730, a cross-site scripting flaw in Roundcube Webmail. The code fetched and executed two further JavaScript payloads. Other flaws exploited by the hackers are CVE-2020-12641 and CVE-2021-44026. The scripts were designed to redirect incoming emails and gather session cookies, user information and contacts.

Recorded Future said this campaign shows signs of overlap with a 2022 APT28 campaign to exploit now-patched Microsoft Outlook zero-day CVE-2023-23397. Among the similarities is a likely GRU-owned IP address used in the 2022 campaign and the Roundcube campaign.


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.