The notorious Russian hacker group Fancy Bear has targeted defense companies that supply weapons to Ukraine. This is the result of a recent study by the German security company Eset from Jena.
The attacks were primarily directed against manufacturers of Soviet-era weapons technology in Bulgaria, Romania and Ukraine, which play a key role in the defensive struggle against the Russian invasion. However, arms manufacturers in Africa and South America were also affected.
The hacker group Fancy Bear is also known as Sednit or APT28. It is also believed to have been responsible for the attacks on the German Bundestag (2015), US politician Hillary Clinton (2016) and the SPD party headquarters (2023). According to experts, the group is part of a larger strategy by Russian intelligence services to use cyber attacks as a means of political influence and destabilization. In addition to espionage, the focus is also on targeted disinformation campaigns aimed at Western democracies.
Attack via manipulated webmail systems
In the current espionage campaign, dubbed “Operation RoundPress”, the hackers exploited vulnerabilities in popular webmail software, including Roundcube, Zimbra, Horde and MDaemon. Several of these vulnerabilities could have been closed by routine patching. In one case, however, the affected companies were virtually powerless: the attackers exploited a previously unknown (zero-day) vulnerability in MDaemon for which no fix was initially available.
According to the Eset researchers, the attacks usually begin with manipulated emails disguised as news reports, sent under seemingly reputable names such as the Kyiv Post or the Bulgarian news portal News.bg. As soon as such an email is opened in the browser, malicious code hidden in the message runs. The messages also get past spam filters.
Two-factor protection bypassed
While analyzing the attacks, the experts in Jena identified the malware “SpyPress.MDAEMON”. The program can not only harvest login credentials and monitor emails; it can also bypass two-factor authentication. Two-factor authentication (2FA) is an additional security measure for logging into online accounts or accessing sensitive data: a password alone is not enough, and a second proof of identity is also required. In several cases, however, Fancy Bear circumvented the 2FA protection and obtained persistent access to mailboxes by means of so-called application passwords.
“Many companies operate outdated webmail servers,” said Eset researcher Matthieu Faou. “Simply displaying an email in the browser can be enough to execute malicious code without the recipient actively clicking on anything.”
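The control that closes the "displaying the email is enough to run the code" path quoted above is rendering only an allow-listed rebuild of the HTML body. The following is an added example written for this page, not ESET's code and not code from Roundcube, Zimbra, Horde or MDaemon: a stdlib-only Python sanitizer, run against a constructed lure body; the tag list, function names and sample markup are assumptions for illustration.

```python
from html import escape
from html.parser import HTMLParser

SAFE_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
             "div", "span", "blockquote"}
SAFE_ATTRS = {"a": {"href"}}   # every other attribute (incl. on* handlers) is dropped
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg"}

def _safe_url(value):
    """Accept only http(s)/mailto; strips whitespace so 'java\\tscript:' fails."""
    if value is None:
        return False
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    return cleaned.lower().startswith(("http://", "https://", "mailto:"))

class EmailSanitizer(HTMLParser):
    """Rebuild the body from an allow-list; comments/declarations emit nothing."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped container

    def handle_starttag(self, tag, attrs):  # tag/attr names arrive lowercased
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in SAFE_TAGS:
            kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                    if n in SAFE_ATTRS.get(tag, ()) and (n != "href" or _safe_url(v))]
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in SAFE_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped, never passed raw

def sanitize_email_html(body):
    """Return the markup a webmail client may hand to the browser."""
    p = EmailSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out)

# Constructed sample lure (placeholder alert() payloads): news-style body with a
# script element, an inline event handler and a javascript: link.
SAMPLE_BODY = ('<div onload="alert(1)"><p>Breaking news</p><script>alert(1)</script>'
               '<a href="javascript:alert(1)">Read more</a>'
               '<a href="https://news.example/story">Full story</a>'
               '<img src=x onerror="alert(1)"></div>')
```

Sanitizing on the server before the message is stored or served is only half of the defense; a Content-Security-Policy that forbids inline script gives the browser a second line if a bypass slips through.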
dpa