Russian Hackers Launch Widespread Cyberattacks Targeting Global Intelligence

March 20, 2024

Russian state-sponsored hackers, known as Fancy Bear, are conducting sophisticated phishing campaigns targeting at least nine countries across four continents. The group is impersonating various governments in emails with the aim of stealing strategic intelligence. The campaign is notable for its focus on specific information that could be of use to the Russian government.

Fancy Bear has employed at least 11 unique lures in campaigns targeting organizations in countries including Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States. These lures are designed to resemble official documents related to international governments, covering topics ranging from finance and critical infrastructure to healthcare and defense production. Some of these documents are legitimate and publicly accessible, while others appear to be internal to specific government agencies, raising questions about how Fancy Bear obtained them.

IBM X-Force, which tracks Fancy Bear under the alias ITG05, notes that it is unclear whether the group has successfully compromised the impersonated organizations. The group may have gained unauthorized access to collect internal documents, or it may have simply imitated real files. Some of the documents feature noticeable errors, such as misspelling the names of principal parties in what appear to be official government contracts.

The lures used by Fancy Bear are quite specific, with examples including a cybersecurity policy paper from a Georgian NGO, a document detailing a 2024 Meeting and Exercise Bell Buoy for US Navy participants, and a Belarusian document with recommendations for creating commercial conditions to facilitate interstate enterprise. The collection of sensitive information regarding budget concerns and the security posture of global entities is likely a high-priority target for Fancy Bear.

The attackers also use psychological tricks to trap victims, presenting them with a blurred version of the document that requires clicking to view in detail. When victims click to view the lure documents on attacker-controlled sites, they download a Python backdoor called 'Masepie', which enables the downloading and uploading of files and arbitrary command execution. The backdoor downloads additional tools, including 'Oceanmap' and 'Steelhook', which are used for command execution and data exfiltration.

Fancy Bear acts immediately upon infecting a victim machine, downloading backdoors and conducting reconnaissance and lateral movement via stolen NTLMv2 hashes for relay attacks. IBM provides a list of recommendations to prepare for such infections, including monitoring for emails with URLs served by Fancy Bear's hosting provider, FirstCloudIT, and suspicious IMAP traffic to unknown servers. It also recommends addressing vulnerabilities such as CVE-2024-21413, CVE-2024-21410, CVE-2023-23397, and CVE-2023-35636.
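As an added example (not from the article or from IBM X-Force) of how the two monitoring recommendations above could be turned into simple detection rules over mail and network-flow records; the hosting-provider domain suffix, the approved IMAP server and every sample record below are constructed placeholders:

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Placeholders only: swap in the hosting-provider indicators from your
# threat-intel feed and your organisation's real mail servers.
SUSPECT_HOSTING_SUFFIXES = ("firstcloudit.example",)
APPROVED_IMAP_SERVERS = {"imap.corp.example"}
IMAP_PORTS = {143, 993}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str

def _under(host: str, suffix: str) -> bool:
    """True if host equals suffix or is a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)

def email_findings(body: str) -> list[Finding]:
    """Flag links whose host sits on the suspect hosting provider."""
    out = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(_under(host, s) for s in SUSPECT_HOSTING_SUFFIXES):
            out.append(Finding("lure-url-on-suspect-host", url))
    return out

def flow_findings(flow_lines: list[str]) -> list[Finding]:
    """Flag IMAP sessions to servers outside the approved set.
    Each line is 'src_ip,dst_host,dst_port' (constructed format)."""
    out = []
    for line in flow_lines:
        src, dst, port = line.strip().split(",")
        if int(port) in IMAP_PORTS and dst.lower() not in APPROVED_IMAP_SERVERS:
            out.append(Finding("imap-to-unknown-server", f"{src} -> {dst}:{port}"))
    return out

# Constructed sample data for a stand-alone run.
SAMPLE_EMAIL = ("Please review the policy draft: "
                "https://docs.firstcloudit.example/view?id=7 "
                "Public copy: https://www.example.org/policy.pdf")
SAMPLE_FLOWS = ["10.0.0.12,imap.corp.example,993",
                "10.0.0.12,203.0.113.45,143",
                "10.0.0.12,mail.attacker-c2.example,993"]

if __name__ == "__main__":
    for f in email_findings(SAMPLE_EMAIL) + flow_findings(SAMPLE_FLOWS):
        print(f.rule, f.evidence)
```

The IMAP rule is an allowlist check, so it also surfaces benign personal mail clients; triage those against the sender-URL rule and the CVEs listed above rather than blocking on the flow alone.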

The researchers conclude that Fancy Bear will continue to target world governments and their political apparatus to provide Russia with advanced insight into emergent policy decisions.
