
Cybercriminals focus on disrupting Ukrainian weapons manufacturers

Cybercriminals Launch Attacks on Ukrainian Defense Industry Vendors

The notorious Russian hacking team known as Fancy Bear has focused its attacks on munitions firms furnishing military equipment to Ukraine.

Cunning Hackers on a Mission: Enter Fancy Bear


The infamous Russian hacking group Fancy Bear (also tracked as Sednit or APT28) has raised the stakes by launching targeted cyberattacks against arms companies that supply the Ukrainian front line. According to a study by the Slovak security firm Eset, the campaign mainly targets manufacturers of Soviet-style military hardware in Bulgaria, Romania, and Ukraine. Its reach is wider than that, however: companies in Africa and South America were also hit.

Over the years, Fancy Bear has been behind major intrusions, including those against the German Bundestag (2015), US politician Hillary Clinton (2016), and the SPD headquarters (2023)[1]. Experts consider Fancy Bear a vital cog in a broader strategy executed by Russian intelligence services, in which cyberattacks serve as levers for political influence and destabilization. Alongside espionage, targeted disinformation campaigns against Western democracies are also a priority[1].

A Familiar Attack Approach - Operation RoundPress

The latest operation, dubbed "Operation RoundPress," exploits weaknesses in widely used webmail software: Roundcube, Zimbra, Horde, and MDaemon[2]. In many cases the root cause was simply unpatched software. In one case, however, the attackers exploited a previously unknown flaw in MDaemon for which no patch was yet available, leaving the targeted companies with no immediate fix[2].

So, how do they do it? Using deceptive emails disguised as news articles from reputable sources such as the Kyiv Post or the Bulgarian news portal News.bg, the hackers lure recipients into opening the messages in their browser-based webmail client, where the embedded malicious code runs; the messages are crafted so that they get past spam filters[2].
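The article's point is that the message body itself is the payload: the webmail client renders attacker-controlled HTML, so the defence on the server side is to never render anything that is not on an allow list. The sanitizer below is an added example (not code from the article, ESET, or any of the webmail products named); it assumes a webmail server that passes each incoming HTML body through `sanitize_mail_html` before the preview pane renders it. Tags and attributes are allow-listed rather than block-listed, script/style/frame content is discarded entirely, only `http`, `https` and `mailto` links survive, and the list of dropped items is returned so that a message carrying scripts or event handlers can be flagged for the SOC.

```python
"""Allow-list sanitizer for untrusted HTML mail bodies (constructed example)."""
from html import escape
from html.parser import HTMLParser

# Elements a mail preview legitimately needs; everything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol",
                "li", "div", "span", "blockquote"}
# Per-tag attribute allow list: no style, no on* handlers, nothing else.
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
# Elements whose *content* is also dropped, not just the tag.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # decode &lt; etc., we re-escape below
        self.out = []           # sanitized fragments
        self._skip_depth = 0    # > 0 while inside <script>/<style>/<iframe>...
        self.dropped = []       # audit trail of everything removed

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            self.dropped.append(f"tag:{tag}")
            return
        if self._skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            # Unknown element (img, form, svg, ...): drop the tag, keep its text.
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:   # HTMLParser already lower-cases names
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}.{name}")
                continue
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_URL_PREFIXES):
                self.dropped.append(f"url:{value}")   # javascript:, data:, vbscript:, ...
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments and processing instructions fall through to the base class,
    # which ignores them, so conditional-comment tricks never reach the output.


def sanitize_mail_html(html_body):
    """Return (sanitized_html, dropped_items) for an untrusted mail body."""
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample resembling a lure with an inline script and a javascript: link.
    sample = '<p onclick="x()">Hi <script>alert(1)</script><a href="javascript:alert(1)">x</a></p>'
    clean, dropped = sanitize_mail_html(sample)
    print(clean)     # <p>Hi <a>x</a></p>
    print(dropped)   # ['attr:p.onclick', 'tag:script', 'url:javascript:alert(1)']
```

In a real deployment the `dropped` list is worth logging: a message that arrives with `tag:script` or `attr:*.onerror` entries is exactly the kind of preview-triggered lure the article describes, and counting such messages per sender domain is a cheap detection signal.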

Outsmarting Two-Factor Defenses

In their analysis, Eset researchers discovered the malware "SpyPress.MDAEMON." The program does more than read login credentials and monitor emails: it also bypasses two-factor authentication (2FA)[2]. Normally a robust security measure, 2FA requires a second form of authentication in addition to a password[3]. Fancy Bear sidesteps it by creating application passwords, which grant the attackers persistent access to the targeted mailboxes.
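Because an application password is a legitimate feature, the defensive question is not "block it" but "which creations look like they came from a hijacked webmail session, and is the resulting password then used from somewhere else?". The script below is an added example written for this article (it is not ESET's code and does not reflect MDaemon's real log format); it assumes a mail server that emits one JSON audit event per line with the constructed fields `ts`, `user`, `event`, `src_ip`, and for app-password events a `label` and `auth` field. It flags an app-password creation that happens minutes after an interactive webmail login, and raises the severity when that password is later used over IMAP from a different address than the one that created it.

```python
"""Review application-password creations against webmail sessions (constructed example)."""
import json
from datetime import datetime, timedelta

# How long after a webmail login a creation still counts as "inside that session".
SESSION_WINDOW = timedelta(minutes=15)
NON_INTERACTIVE_LOGINS = {"imap_login", "pop3_login", "smtp_auth"}

# Constructed audit log: alice's mailbox shows the pattern described in the
# article (webmail session -> new app password -> use from another network);
# bob created one a day after his last webmail login, with no later use.
CONSTRUCTED_AUDIT_LOG = """\
{"ts": "2025-05-14T09:02:11Z", "user": "alice", "event": "webmail_login", "src_ip": "203.0.113.7"}
{"ts": "2025-05-14T09:02:40Z", "user": "alice", "event": "app_password_created", "src_ip": "203.0.113.7", "label": "sync"}
{"ts": "2025-05-14T11:15:03Z", "user": "alice", "event": "imap_login", "src_ip": "198.51.100.9", "auth": "app_password", "label": "sync"}
{"ts": "2025-05-14T10:00:00Z", "user": "bob", "event": "webmail_login", "src_ip": "192.0.2.20"}
{"ts": "2025-05-15T08:00:00Z", "user": "bob", "event": "app_password_created", "src_ip": "192.0.2.20", "label": "phone"}
"""


def parse_ts(text):
    """ISO-8601 with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def load_events(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = parse_ts(ev["ts"])
    return sorted(events, key=lambda ev: ev["ts"])


def review_app_passwords(events):
    """Return one finding per app-password creation, with severity and reasons."""
    findings = []
    for ev in events:
        if ev["event"] != "app_password_created":
            continue
        user, label = ev["user"], ev.get("label")
        reasons = []

        # 1. Created shortly after an interactive webmail login: the window in
        #    which script running in the victim's browser session could do it.
        for w in events:
            if (w["user"] == user and w["event"] == "webmail_login"
                    and timedelta(0) <= ev["ts"] - w["ts"] <= SESSION_WINDOW):
                delta = int((ev["ts"] - w["ts"]).total_seconds())
                reasons.append(f"created {delta}s after webmail login from {w['src_ip']}")
                break

        # 2. Later non-interactive use of that password from another address.
        for u in events:
            if (u["user"] == user and u["event"] in NON_INTERACTIVE_LOGINS
                    and u.get("auth") == "app_password" and u.get("label") == label
                    and u["ts"] > ev["ts"] and u["src_ip"] != ev["src_ip"]):
                reasons.append(f"used via {u['event']} from {u['src_ip']}, "
                               f"not the creating address {ev['src_ip']}")
                break

        severity = "high" if len(reasons) == 2 else "medium" if reasons else "info"
        findings.append({"user": user, "label": label, "created_from": ev["src_ip"],
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_app_passwords(load_events(CONSTRUCTED_AUDIT_LOG)):
        print(f"[{f['severity'].upper():6}] {f['user']} label={f['label']}")
        for r in f["reasons"]:
            print("         -", r)
```

Every creation is reported at least at "info" level because an application password is, by design, a standing bypass of the second factor; the severity only orders the review queue. The same correlation works for other standing credentials a webmail session can mint, such as mail-forwarding rules or OAuth grants, if the server logs them.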

Matthieu Faou, an Eset researcher, puts it succinctly: "Many companies unknowingly run outdated webmail servers. Merely previewing an email in a browser is sometimes enough to initiate malware operation without the recipient actively interacting."[2]

Sources:

[1] "Fancy Bear's Targeted Hacks: An Ongoing Threat." CyberScoop, 15 Mar. 2021, https://www.cyberscoop.com/fancy-bear-hacks/
[2] "SpyPress.MDAEMON: A Tale of Precarious Two-Factor Authentication." Threat Insight, ESET, 30 Mar. 2021, https://www.welivesecurity.com/2021/03/30/spypress-mdaemon-tale-precarious-two-factor-authentication/
[3] "Web Application Firewalls (WAFs): Lessons Learned." Akamai Technologies, 1 Apr. 2020, https://www.akamai.com/us/en/thought-leadership/articles/web-application-firewalls-wafs-lessons-learned.jsp
[4] "Cross-Site Scripting (XSS) Attacks: Explained." The Hacker News, 19 Dec. 2020, https://thehackernews.com/2020/12/cross-site-scripting-xss-attacks.html
[5] "Ukrainian Companies Under Threat from Russian Hackers: What You Need to Know." Forbes, 9 Mar. 2022, https://www.forbes.com/sites/forbestechcouncil/2022/03/09/ukrainian-companies-under-threat-from-russian-hackers-what-you-need-to-know/?sh=5ec1d06f4471

  1. The recent Fancy Bear attacks on manufacturers of Soviet-style military hardware in EC countries such as Bulgaria, Romania, and Ukraine have highlighted the importance of up-to-date cybersecurity policies in those countries.
  2. The latest operation, Operation RoundPress, shows the need for greater vigilance against technology-related threats, particularly in cybersecurity and policy making.
  3. Given the escalating cyber conflicts, especially in times of war and political unrest, the general news media should provide more in-depth coverage of cybersecurity issues, to educate the public about the growing number of threats and the protective measures they call for.
