
Armed Suppliers in Ukraine fall prey to cyberattacks by hackers


Russian hacking collectives, with Fancy Bear at the forefront, have singled out defense firms providing military equipment to Ukraine, as depicted in the accompanying image.

Fancy Bear Hacks on Ukraine's Arms Suppliers: Operation RoundPress Revealed

Unscrupulous cybercriminals zero in on key weapons vendors, aiming to disrupt the supply of arms to Ukraine.

Here's a lowdown on the latest cyber espionage scheme stirring up trouble in the arms industry supplying Ukraine. The infamous hacker group Fancy Bear, also known as Sednit or APT28, is once again in the spotlight thanks to a recent study by Slovak security firm Eset based in Bratislava.

These cunning cyber crooks set their sights on manufacturers of Soviet-era weaponry in Bulgaria, Romania, and Ukraine. These manufacturers play a pivotal role in Ukraine's defense against Russia's relentless invasion. However, the attack isn't confined to Eastern Europe - industries in Africa and South America were also in the crosshairs.

Using a slick operation christened "Operation RoundPress," the hackers exploited flaws in webmail software, with targets including Roundcube, Zimbra, Horde, and MDaemon. While some of these vulnerabilities could have been closed with routine updates, many companies simply didn't bother, leaving their systems exposed. In some cases, the attackers even exploited a previously unknown vulnerability in MDaemon, for which no patch was available at the time.

The attacks typically started with emails that appeared to be news alerts from reputable sources such as the Kyiv Post or News.bg. When such an email was opened in a browser-based webmail client, the malicious code embedded in it executed on its own - the recipient did not need to click anything.
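The zero-click path described above depends on the webmail client rendering attacker-controlled HTML inside the user's authenticated session. The following added example (not ESET's code, nor that of any webmail vendor named in this article) shows the defensive counterpart: an allowlist sanitizer that a webmail front end would run over an HTML message body before rendering it, removing script blocks, event-handler attributes and unsafe URL schemes, and recording what it removed so the decision is auditable. The sample message body is constructed, and the tag and attribute allowlists are assumptions for illustration.

```python
"""Allowlist HTML sanitizer for webmail message bodies.

Added example for illustration; not code from ESET or any webmail vendor.
The allowlists are assumptions: enough for ordinary formatting, nothing
that can run script in the reader's session.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags a mail reader needs for basic formatting; any other tag is unwrapped
# (the tag is removed, its text content is kept).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "a", "ul", "ol", "li",
                "div", "span", "table", "tr", "td", "th", "img", "h1", "h2", "h3"}
# Per-tag attribute allowlist. Tags without an entry keep no attributes at
# all, so on* handlers and style never survive.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}
VOID_TAGS = {"br", "img"}
# For these tags the whole subtree is dropped, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "svg", "math"}


def _safe_url(value):
    """Allow only relative URLs and the schemes in SAFE_SCHEMES."""
    # Browsers ignore control characters and whitespace inside a scheme, so
    # strip them before inspecting it; entities were already decoded by the parser.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class MailSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; output is always balanced."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # sanitized output fragments
        self.open_tags = []   # allowed tags currently open, for balancing
        self.skip_depth = 0   # > 0 while inside a DROP_CONTENT_TAGS subtree
        self.dropped = []     # audit trail of removed tags/attributes

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            self.dropped.append(f"<{tag}> block")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in ("href", "src") and not _safe_url(value):
                self.dropped.append(f"{tag}@{name}={value!r}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in VOID_TAGS or tag not in self.open_tags:
            return
        # Close up to and including the matching tag so output stays balanced.
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments, including conditional comments, are dropped

    def result(self):
        self.close()
        while self.open_tags:  # close anything the sender left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_mail_html(html):
    """Return (sanitized_html, list_of_dropped_items)."""
    parser = MailSanitizer()
    parser.feed(html)
    return parser.result(), parser.dropped


# Constructed sample: a message styled as a news alert that carries several
# script-execution vectors a webmail client must neutralize before rendering.
SAMPLE_MAIL = (
    '<div><p onmouseover="alert(1)">Breaking news from <b>Kyiv Post</b></p>'
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)">Read more</a>'
    '<a href="https://example.com/story">Full story</a>'
    '<script>alert(1)</script></div>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_mail_html(SAMPLE_MAIL)
    print(clean)
    for item in dropped:
        print("dropped:", item)
```

Sanitizing on the server side is the primary control, but it should not be the only one: a Content-Security-Policy that forbids inline script on the webmail pages means that any inline handler or script block the sanitizer misses still fails to execute, and the sanitizer's `dropped` audit trail gives operators a signal that a message carrying active content arrived at all.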

The Eset researchers discovered the malicious software "SpyPress.MDAEMON" during their investigation. This sneaky software doesn't stop at pilfering credentials and emails; it can also bypass two-factor authentication. Two-factor authentication is a security measure requiring a second verification code to access online accounts or sensitive information. Shockingly, in multiple cases, Fancy Bear managed to bypass 2FA and gained persistent access to mailboxes using application passwords, which let a mail client log in without being challenged for the second factor.

Matthieu Faou, an Eset researcher, commented on the matter, saying, "Many companies still operate with outdated webmail servers. Just opening an email in a browser can be enough to trigger malware execution without the recipient actively clicking on anything."

More Info:

  • Operation RoundPress: Fancy Bear's cyber espionage scheme aims to steal confidential data from email accounts of high-ranking officials and defense contractors by exploiting webmail flaws and XSS vulnerabilities.
  • Spearphishing with XSS Vulnerabilities: Fancy Bear utilizes cross-site scripting (XSS) vulnerabilities to surreptitiously inject harmful JavaScript into webmail pages, potentially compromising sensitive data.
  • Webmail Exploitation: Attacks on various webmail software, both known vulnerabilities and zero-day exploits, provide Fancy Bear unauthorized access to webmail credentials, contacts, and messages.
  • Bypassing Security Measures: Fancy Bear employs methods to bypass two-factor authentication, further compromising the targeted systems.
  • Geographical Targets: The campaign targets Ukrainian entities and defense companies, primarily in Bulgaria and Romania, which produce Soviet-era weapons for Ukraine. Additionally, governments in Africa, Europe, and South America are in the line of fire.

ESET associates this campaign with Fancy Bear, which has links to Russia's Main Intelligence Directorate (GRU), highlighting the group's role in broader Russian espionage activities related to the Ukraine conflict.

  1. The recent cyber espionage scheme, Operation RoundPress, orchestrated by Fancy Bear, is not only targeting EU countries like Bulgaria and Romania, but also industries in Africa and South America, with a significant focus on Ukraine's defense contractors.
  2. Outdated webmail servers and a failure to apply updates for known vulnerabilities have left various industries, including the defense sector, susceptible to attacks like Operation RoundPress, as this hack demonstrates.
  3. The recent hack on Ukraine's arms suppliers by Fancy Bear underscores the importance of cybersecurity and the threat that cyber espionage poses to politics, crime and justice.
