Russian state hackers are performing targeted phishing campaigns in at least nine countries spread across four continents. Their emails tout official government business and, if successful, threaten not just sensitive organizational data, but also geopolitical intelligence of strategic importance.
Such a sophisticated, multi-pronged plot could only be wrought by a group as prolific as Fancy Bear (aka APT28, Forest Blizzard, Frozenlake, Sofacy Group, Strontium, UAC-0028, and many more aliases still), which IBM X-Force tracks as ITG05 in a new report.
Besides the convincing government-themed lures and three new variants of custom backdoors, the campaign stands out most for the information it targets: Fancy Bear appears to be aiming for highly specific information of use to the Russian government.
Government Phishing Lures
Fancy Bear has utilized at least 11 unique lures in campaigns targeting organizations in Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States.
The lures look like official documents associated with international governments, covering themes as broad as finance, critical infrastructure, executive engagements, cybersecurity, maritime security, healthcare, and defense industrial production.
Some of these are legitimate, publicly accessible documents. Others, interestingly, appear to be internal to specific government agencies, raising the question of how Fancy Bear got its hands on them in the first place.
“X-Force does not have insight into whether ITG05 has successfully compromised the impersonated organizations,” notes Claire Zaboeva, threat hunter for IBM X-Force. “As it is possible ITG05 leveraged unauthorized access to collect internal documents, we have notified all imitated parties of the activity prior to publication as a part of our Responsible Disclosure Policy.”
Alternatively, Fancy Bear/ITG05 may have merely imitated real files. “For instance, some of the uncovered documents feature noticeable errors like misspelling the names of principal parties in what appear to be official government contracts,” she said.
A Potential Motive?
Another important quality of these lures is that they are quite specific.
English language examples include a cybersecurity policy paper from a Georgian NGO, and a January itinerary detailing the 2024 Meeting and Exercise Bell Buoy (XBB24) for participants of the US Navy’s Pacific Indian Ocean Shipping Working Group (PACIOSWG).
And there are the finance-themed lures: a Belarusian document with recommendations for creating commercial conditions to facilitate interstate enterprise by 2025, in alignment with a Eurasian Economic Union initiative; an Argentine Ministry of Economy budgetary policy document offering “strategic guidelines” for assisting the president with national economic policy; and more along these lines.
“It is likely the collection of sensitive information regarding budget concerns and the security posture of global entities is a high-priority target given ITG05’s established mission space,” X-Force said in its report on the campaign.
Argentina, for example, recently rejected an invitation to join the BRICS (Brazil, Russia, India, China, South Africa) trade organization, so “it is possible that ITG05 seeks to attain access that may yield insight into the priorities of the Argentine government,” X-Force said.
Post-Exploitation Activity
Besides specificity and an appearance of legitimacy, the attackers use one more psychological trick to ensnare victims: presenting them initially with only a blurred version of the document. As in the image below, recipients can see just enough detail to make out that these documents appear official and important, but not enough to avoid having to click on them.
Sample lure document; Source: IBM
When victims click to view the lure documents on attacker-controlled sites, they download a Python backdoor called “Masepie.” First discovered in December, it is capable of establishing persistence on a Windows machine, downloading and uploading files, and executing arbitrary commands.
One of the files Masepie downloads to infected machines is “Oceanmap,” a C#-based tool for command execution via the Internet Message Access Protocol (IMAP). Oceanmap’s original variant – not the one used here – had information-stealing functionality which has since been excised and transferred to “Steelhook,” the other Masepie-downloaded payload associated with this campaign.
Steelhook is a PowerShell script whose job is to exfiltrate data from Google Chrome and Microsoft Edge via a webhook.
More notable than its malware is Fancy Bear’s immediacy of action. As first described by Ukraine’s Computer Emergency Response Team (CERT-UA), Fancy Bear infections download backdoors within the first hour of landing on a victim machine, then conduct reconnaissance and lateral movement using stolen NTLMv2 hashes for relay attacks.
So potential victims need to act quickly or, better yet, prepare in advance for infection. They can do so by following IBM’s laundry list of recommendations: monitoring for emails with URLs served by Fancy Bear’s hosting provider, FirstCloudIT, and for suspicious IMAP traffic to unknown servers; addressing its favored vulnerabilities, such as CVE-2024-21413, CVE-2024-21410, CVE-2023-23397, and CVE-2023-35636; and much more.
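As an added illustration of two of the monitoring recommendations above (this is example code written for this page, not code from IBM X-Force or the article), the following Python script scans constructed mail-gateway and network-flow log lines for two signals: lure URLs whose host belongs to FirstCloudIT, and IMAP sessions (ports 143/993, the protocol Oceanmap uses for command execution) to servers outside an allowlist of the organization's own mail servers. The log line formats, the host-name fragment used to recognise FirstCloudIT, and the approved-server list are all assumptions made for the example and should be replaced with real indicators and inventory data.

```python
"""Triage two of the IBM X-Force monitoring recommendations over sample logs.

Example code for this article; all log formats and indicator values below are
constructed assumptions, not indicators published by IBM.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# ASSUMPTION: the page names the hosting provider (FirstCloudIT) but no
# domains, so we match on the provider's name inside the URL host label.
SUSPICIOUS_HOST_FRAGMENTS = ("firstcloudit",)

# ASSUMPTION: the mail servers your fleet is expected to talk IMAP to.
APPROVED_IMAP_SERVERS = {"imap.corp.example", "outlook.office365.com"}
IMAP_PORTS = {143, 993}

# Constructed sample data: one mail-gateway line per received URL, and one
# flow record per outbound TCP connection.
MAIL_LOG = [
    "ts=2024-03-01T09:12:03Z rcpt=analyst@example.org url=https://docs.firstcloudit.example/lure/budget.html",
    "ts=2024-03-01T09:15:41Z rcpt=analyst@example.org url=https://www.example.org/policy.pdf",
]
FLOWS = [
    "src=10.0.0.12 dst=imap.corp.example dport=993 proto=tcp",
    "src=10.0.0.12 dst=mail.unknown-host.example dport=143 proto=tcp",
    "src=10.0.0.12 dst=www.example.org dport=443 proto=tcp",
]


@dataclass(frozen=True)
class Finding:
    kind: str      # which recommendation fired
    source: str    # recipient address or source IP
    detail: str    # the URL or destination that triggered it


def _fields(line):
    """Parse 'key=value key=value ...' into a dict (constructed log format)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def url_findings(mail_log_lines):
    """Flag emails carrying URLs hosted on the suspicious provider."""
    findings = []
    for line in mail_log_lines:
        fields = _fields(line)
        url = fields.get("url")
        if not url:
            continue
        host = (urlparse(url).hostname or "").lower()
        if any(frag in host for frag in SUSPICIOUS_HOST_FRAGMENTS):
            findings.append(Finding("lure-url", fields.get("rcpt", "?"), url))
    return findings


def imap_findings(flow_lines):
    """Flag IMAP connections to servers that are not on the approved list."""
    findings = []
    for line in flow_lines:
        fields = _fields(line)
        try:
            dport = int(fields.get("dport", ""))
        except ValueError:
            continue
        dst = fields.get("dst", "").lower()
        if dport in IMAP_PORTS and dst not in APPROVED_IMAP_SERVERS:
            findings.append(
                Finding("imap-unknown-server", fields.get("src", "?"), f"{dst}:{dport}")
            )
    return findings


def triage(mail_log=MAIL_LOG, flows=FLOWS):
    """Run both checks and return the combined list of findings."""
    return url_findings(mail_log) + imap_findings(flows)


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.kind}] {f.source} -> {f.detail}")
```

Run as-is it reports one lure URL delivered to analyst@example.org and one IMAP session from 10.0.0.12 to an unapproved server; in practice you would feed it real gateway and flow exports and keep the allowlist in sync with your mail inventory, since an approved-server list that drifts out of date turns every legitimate mailbox move into a false positive.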
“ITG05 will continue to leverage attacks against world governments and their political apparatus to provide Russia with advanced insight into emergent policy decisions,” the researchers concluded.