Ever since Russia’s invasion, organizations in Ukraine have been constant targets of phishing attacks. Google’s Threat Analysis Group (TAG), which has been monitoring the disruptive attacks against Ukraine, revealed that the country received roughly 60% of the phishing attacks originating from Russia between January and March.
Along the same lines, Recorded Future’s Insikt Group, in partnership with CERT-UA, has uncovered a new spear-phishing campaign targeting high-profile entities in Ukraine. Tracked as BlueDelta activity, the campaign appears to have been operational since November 2021.
More about the campaign
The BlueDelta campaign leverages news themes related to Ukraine to lure recipients into opening the phishing emails.
- These emails include exploits that compromise Roundcube webmail servers still vulnerable to previously disclosed flaws: CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026.
- The campaign is attributed to APT28 aka Fancy Bear and overlaps with the phishing activity that exploited a Microsoft Outlook zero-day vulnerability in 2022.
- The campaign collects intelligence from organizations such as government institutions and military entities associated with aircraft infrastructure.
Ukraine espionage
- Recently, Symantec shared details of a new Gamaredon campaign that focused on acquiring military and security intelligence on Ukrainian military service members, air strikes, arsenal inventories, and military training activities.
- In another campaign, Ukrainian government agencies were targeted by malicious emails containing fake Windows update guides. The campaign was the work of the Fancy Bear APT group, which aimed at extracting data from the victims’ computers.
- In February, a Russian hacker group, collectively known as Nodaria, used new Graphiron malware to steal a wide range of system information from government agencies.
Final words
Researchers have suggested a few mitigations against the latest phishing attack. These include configuring IDS, IPS, or other network defense mechanisms to block malicious activity before it reaches endpoints. Further, they recommend updating vulnerable Roundcube webmail servers to the latest versions to protect the environment from these exploits.