Ukraine Tracks Multiple Spear Phishing Campaigns From Russia – Source: www.govinfosecurity.com

Russian GRU Hackers Reach for Government Email Inboxes

Mihir Bagwe (MihirBagwe) •
June 20, 2023    

Cybersecurity defenders in Ukraine revealed multiple Russian spearphishing campaigns including an effort by Kremlin military intelligence to penetrate open source email servers used by government agencies.

See Also: OnDemand Webinar | Learn Why CISOs Are Embracing These Top ASM Use Cases Now

The Computer Emergency Response Team of Ukraine in collaboration with the cybersecurity firm Recorded Future revealed Tuesday details of a spearphishing campaign affecting Roundcube Webmail servers. Likely targets included an unidentified central Ukrainian government agency and a regional prosecutor’s office, Recorded Future says.

Ukrainian authorities identify the perpetrator as APT28, a unit of the foreign intelligence branch of the general staff of Russia’s military, itself known as the GRU. Russian hackers sent phishing emails to more than 40 Ukrainian organizations, they say.

CERT-UA on Monday identified a separate campaign using email address attempting to emulate tech support of popular web portal Ukr.net. An attached PDF contained a link to a duped version of the web portal in a bid to harvest credentials. The bait threatened to block users unless they reauthenitcated their account with the malicious link. Ukrainan official attributed the campaign to an actor dubbed UAC-0102.

Close observers of Ukranian cyberspace have noted intensifying phishing campaigns from Russian sources in recent months. Researchers from Google’s Threat Analysis Group reported that in the first quarter of this year, 60% of observed phishing attacks launched by Russia targeted users in Ukraine (Ukraine Facing Phishing Attacks, Information Operations).

The latest APT28 campaign additionally performed reconnaissance activity of additional Ukrainian government entities and an organization involved in Ukrainian military aircraft infrastructure upgrade and refurbishment. The infrastructure has been in place since November 2021, Recorded Future says.

GRU hackers used news of the ongoing Russian invasion as spearphishing.bait, at least in one case using the email address ukraine_news@meta.ua. The emails contained malicious JavaScript file attachment exploiting CVE-2020-35730, a cross-site scripting flaw in Roundcube Webmail. The code fetched and executed two further JavaScrpt palyloads.Other flaws exploited by the hackers are CVE-2020-1264 and CVE-2021-44026. The scripts were designed to redirect incoming emails and gather session cookies, user information and contacts.

Recorded Future says this campaign shows signs of overlap with a 2022 APT28 campaign to exploit now-patched Microsoft Outlook zero day CVE-2023-23397. Among the similarities is a likely-GRU owned IP address used in the 2022 campaign and the Roundcube campaign.