
Arms suppliers in Ukraine experience cyberattacks by hackers

Russian cybercriminals, specifically the infamous group Fancy Bear, have set their sights on weapon suppliers for Ukraine.

The group behind these attacks is Fancy Bear, also tracked as Sednit or APT28. The Slovak security firm ESET has revealed that the group has been attacking arms manufacturers that supply weapons to Ukraine, supplies that are crucial for Ukraine's defense against Russia's invasion. The operation, which ESET has named Operation RoundPress, has also hit arms manufacturers in Africa and South America.

Fancy Bear isn't new to causing headaches. They've been linked to some high-profile attacks, including the German Bundestag (2015), US presidential candidate Hillary Clinton (2016), and SPD's headquarters (2023). Experts consider them an extension of Russian intelligence services, using cyberattacks as weapons for political manipulation and destabilization. They're also known for disinformation campaigns aimed at Western democracies.

This latest espionage campaign is no exception. Fancy Bear took advantage of weaknesses in widely used webmail software such as Roundcube, Zimbra, Horde and MDaemon. Many of these vulnerabilities could have been closed with regular software updates. In some cases, however, the group used a previously unknown vulnerability in MDaemon for which no patch was initially available, leaving the affected companies defenceless.

The attacks typically begin with manipulated emails disguised as news alerts, purporting to come from legitimate sources such as the Kyiv Post or News.bg. The messages were crafted to get past spam filters, and simply opening them in a browser-based webmail client was enough to execute the hidden malware. ESET researchers have identified a piece of spyware called "SpyPress.MDAEMON" that can steal login credentials, monitor emails and even bypass two-factor authentication (2FA). Although 2FA provides an extra layer of security, Fancy Bear got around it in several cases and gained persistent access to the email accounts using application passwords.
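The rendering step described above is where a webmail client either neutralises or executes script hidden in a message. As an added illustration of the defensive side, and not code from ESET or from any of the webmail projects named in this article, the following Python sanitizer rebuilds an HTML message body from an allowlist of tags and attributes, discards script content, event-handler attributes and unsafe URL schemes, and keeps an audit trail of what it removed so that stripped payloads can be logged and alerted on. The sample message is constructed for the example.

```python
"""Allowlist-based sanitizer for HTML email bodies (added example, stdlib only)."""
import re
from html import escape
from html.parser import HTMLParser

# Tags a webmail client may render; anything else is dropped (its text is kept).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "table", "tr", "td", "th", "div", "span", "img", "blockquote"}
# Per-tag attribute allowlist: no on* handlers, no style, no class, no id.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
# Elements whose *content* is discarded too: script text must never reach the DOM.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math", "template"}
# URL schemes permitted in href/src; rejects javascript:, data:, vbscript: and friends.
SAFE_URL = re.compile(r"^(https?:|mailto:|cid:)", re.IGNORECASE)
VOID_TAGS = {"br", "img"}


class EmailSanitizer(HTMLParser):
    """Rebuilds a message body from the allowlist and records everything removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # audit trail for logging/detection
        self._skip = 0      # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._skip = 1
            self.dropped.append(f"tag:{tag}")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")   # tag removed, inner text survives
            return
        kept = []
        for name, value in attrs:               # HTMLParser lowercases names
            value = (value or "").strip()
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}.{name}")
                continue
            if name in ("href", "src") and not SAFE_URL.match(value):
                self.dropped.append(f"url:{tag}.{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))   # re-escape decoded text

    def handle_comment(self, data):
        self.dropped.append("comment")   # comments (incl. conditional ones) never pass


def sanitize_html_email(html):
    """Return (clean_html, dropped_items) for one HTML message body."""
    s = EmailSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped


# Constructed sample: a "news alert" body carrying a script tag, an event
# handler on an image and a javascript: link, next to legitimate markup.
SAMPLE_EMAIL = (
    '<p>Breaking: <b>news</b></p>'
    '<script>doSomething()</script>'
    '<img src="cid:logo" onload="x()">'
    '<a href="javascript:void(0)">link</a>'
    '<a href="https://example.com/">ok</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_html_email(SAMPLE_EMAIL)
    print(clean)
    print("removed:", dropped)
```

The `dropped` list is the part worth wiring into monitoring: a sudden run of messages with `tag:script` or `attr:*.on*` removals on a webmail host is exactly the kind of signal that would have flagged a campaign like this one early.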

Matthieu Faou, an ESET researcher, stated, "Many companies still operate with outdated webmail servers. Just viewing an email in a browser can be enough to execute malware without the recipient actively clicking on anything."

Key Insights:

  1. Fancy Bear used cross-site scripting (XSS) vulnerabilities to inject malicious JavaScript code into webmail pages.
  2. The group exploited several vulnerabilities, including a zero-day in MDaemon (CVE-2024-11182) and a known vulnerability in Roundcube (CVE-2020-35730).
  3. The main targets were governmental entities and defense companies in Eastern Europe, particularly Ukraine, Bulgaria and Romania, which produce Soviet-era weapons.
  4. The attacks not only stole sensitive data but also set up bypasses for two-factor authentication, as the SpyPress.MDAEMON payload does.
  5. Eastern European countries, particularly Ukraine, Bulgaria and Romania, have been targeted because they produce Soviet-era weapons, which makes them crucial for Ukraine's defense against Russia.
  6. Arms manufacturers and defense companies in Eastern Europe were specifically targeted by Fancy Bear's cyberattacks as part of Operation RoundPress.
  7. The finance sector could also be at risk, since Fancy Bear has shown it can bypass two-factor authentication (2FA) and steal login credentials for email accounts.
  8. Aerospace and technology companies may be exposed to the same tactics, since the group exploited known vulnerabilities in widely used webmail software such as Roundcube and MDaemon.
  9. Fancy Bear's disinformation campaigns target public debate on cybersecurity, politics, war and conflict, general news, and crime and justice, areas where manipulation and destabilization have significant potential.
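Item 1 above, together with the researcher's remark that merely viewing a message can run code, describes a stored XSS exposure in the webmail client. A browser-side control that limits the damage when server-side patching or sanitization lags is a Content-Security-Policy header that forbids inline script. The checker below is an added example, not ESET's or any webmail project's code; it evaluates a CSP header value the way a hardening review would, and goes beyond the article by applying the general CSP rules: script-src and object-src fall back to default-src when absent, and 'unsafe-inline' is ignored by browsers once a nonce or hash is present. The header values are constructed for the example.

```python
"""Evaluate a Content-Security-Policy header as deployed on a webmail host (added example)."""

# Script-source tokens that make the policy no better than none at all.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Return {directive_name: [source tokens]} from a raw header value."""
    directives = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def evaluate_csp(header):
    """Return a list of weaknesses that would let injected script run; [] means none found."""
    d = parse_csp(header)
    findings = []

    # script-src falls back to default-src when absent, as the CSP spec defines.
    sources = d.get("script-src", d.get("default-src"))
    if sources is None:
        findings.append("no script-src or default-src: any inline or remote script may run")
    else:
        lowered = [s.lower() for s in sources]
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in lowered)
        # Browsers ignore 'unsafe-inline' when a nonce or hash is present (it is then
        # only a fallback for old clients), so it is a weakness only on its own.
        if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
            findings.append("'unsafe-inline' in script-src: injected <script> and on* handlers run")
        if "'unsafe-eval'" in lowered:
            findings.append("'unsafe-eval' in script-src: eval() of injected strings allowed")
        for s in lowered:
            if s in BROAD_SOURCES:
                findings.append(f"{s} in script-src: script loadable from arbitrary origins")

    # object-src also falls back to default-src; plugin content is another script vector.
    obj = d.get("object-src", d.get("default-src"))
    if obj is None or "'none'" not in [s.lower() for s in obj]:
        findings.append("object-src is not 'none': plugin content may execute")

    if "base-uri" not in d:
        findings.append("no base-uri: an injected <base> can redirect relative script URLs")
    return findings


# Constructed header values: a permissive policy of the kind often shipped to
# keep legacy webmail UIs working, and a hardened, nonce-based one.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
HARDENED_CSP = ("default-src 'self'; script-src 'self' 'nonce-r4nd0mV4lu3'; "
                "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")

if __name__ == "__main__":
    for label, value in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, evaluate_csp(value) or "OK")
```

A policy that passes this check does not replace patching the webmail software, but it turns an XSS flaw like the ones described here from code execution in the victim's session into a broken page, which is the difference between an incident and a log entry.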
