- Since 2022, Fancy Bear was targeting logistics organizations in the west
- The goal was to monitor foreign aid coming to Ukraine
- CCTV cameras at border crossings were monitored, as well
Fancy Bear, the infamous Russian state-sponsored threat actor, has been spying on “dozens” of organizations from Western and NATO countries, monitoring foreign aid moving into Ukraine. This is according to a joint cybersecurity advisory [PDF], published by 21 government agencies from the US, UK, Canada, Germany, France, Czech Republic, Poland, Austria, Denmark, and the Netherlands.
As per the report, Fancy Bear (also known as APT28) targeted logistics providers, technology companies, and government organizations involved in transporting aid to Ukraine.
All transportation modes were covered, including air, sea, and rail, and the organizations spanned different industries, from defense, to transportation, to maritime and air traffic management, and ultimately - to IT services.
Credential stuffing
The targeted companies were operating in Bulgaria, Czech Republic, France, Germany, Greece, Italy, Moldova, Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States. What’s more, the hackers were also monitoring CCTV cameras on border crossings for the same purpose.
To gain initial access, APT28 relied on credential guessing and brute-force attacks. They also ran spearphishing campaigns, and took advantage of software vulnerabilities.
By leveraging CVE-2023-23397, they targeted Microsoft Exchange, Roundcube Webmail, and WinRAR, allowing them to infiltrate the systems. Finally, they went for corporate VPNs and vulnerable SQL databases, and after compromising a network, moved laterally with tools such as PsExec and Impacket.
The attackers manipulated email mailbox permissions, and used Tor and VPNs to remain hidden while keeping tabs on sensitive communication.
The Russo-Ukrainian conflict demonstrated just how much warfare has changed in recent years. Besides the usual fronts - land, sea, and air, cyberspace has become a major battleground, with hackers and cybercriminals on both sides targeting sensitive information, and critical infrastructure.
The attack should “serve as a reminder that cyber-physical systems are now strategic targets for adversaries,” commented Andrew Lintell, General Manager, EMEA, at Claroty. “To combat this, organisations need full visibility into these environments and a risk-based approach to securing them. Many of these devices, such as security cameras, weren’t designed with modern threats in mind, so are increasingly vulnerable entry points.”
Via The Register
You might also like
- Russian hackers are attacking innocent companies to get access to their neighbors
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.