Russian state hackers are conducting targeted phishing campaigns in at least nine countries across four continents. Their emails pose as official government business and, if successful, put at risk not only the target organization’s sensitive data but also strategically important geopolitical intelligence.
Such a sophisticated, multi-pronged plot could only be pulled off by a group as prolific as Fancy Bear (also known as APT28, Forest Blizzard, Frozenlake, Sofacy Group, Strontium, UAC-028, and many other aliases), which IBM X-Force tracks as ITG05 in a new report.
In addition to the convincing government-themed lures and three new custom backdoor variants, the campaign stands out above all for the information it targets: Fancy Bear appears to be after highly specific information useful to the Russian government.
Government phishing baits
Fancy Bear has used at least 11 unique lures in campaigns targeting organizations in Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan and the United States.
The decoys appear to be official documents associated with international governments, covering broad topics such as finance, critical infrastructure, executive commitments, cybersecurity, maritime security, healthcare and defense industrial production.
Some of these are legitimate and publicly available documents. Others, curiously, appear to be internal to specific government agencies, raising the question of how Fancy Bear got its hands on them in the first place.
“X-Force has no information on whether ITG05 was able to successfully compromise the impersonated organizations,” notes Claire Zaboeva, threat hunter for IBM X-Force. “Because it is possible that ITG05 exploited unauthorized access to collect internal documents, we notified all imitated parties of the activity prior to publication as part of our responsible disclosure policy.”
Alternatively, Fancy Bear/ITG05 may have simply imitated real files. “For example, some of the documents discovered have obvious errors such as misspellings of the names of key parties in what appear to be official government contracts,” she said.
A potential reason?
Another important quality of these baits is that they are quite specific.
English-language examples include a cybersecurity policy document from a Georgian NGO and a January itinerary detailing the 2024 Bell Buoy Meeting and Practice (XBB24) for participants in the US Navy’s Pacific Indian Ocean Shipping Working Group (PACIOSWG).
And there are the financial-themed lures: a Belarusian document with recommendations for creating trading conditions to facilitate interstate business by 2025, in line with an initiative of the Eurasian Economic Union; a budget policy document from Argentina’s Ministry of Economy that offers “strategic guidelines” to assist the president in national economic policy; and more along those lines.
“Gathering sensitive intelligence regarding budgetary issues and the security posture of global entities is likely to be a high-priority objective given the mission space established by ITG05,” X-Force said in its campaign report.
Argentina, for example, recently rejected an invitation to join the BRICS (Brazil, Russia, India, China, South Africa) trade organization, so “it is possible that ITG05 seeks to gain access that can provide information on priorities of the Argentine government,” X-Force said.
Post-exploitation activities
In addition to specificity and the appearance of legitimacy, attackers use another psychological trick to trap victims: initially presenting them with only a blurry version of the document. As in the image below, recipients can see enough detail to understand that these documents appear official and important, but not enough to avoid having to click through to them.
Example of a lure document. Source: IBM
When victims on attacker-controlled sites click to view the lure documents, they download a Python backdoor called “Masepie.” First discovered in December, it is capable of establishing persistence on a Windows machine and allows downloading and uploading of files and arbitrary command execution.
One of the files that Masepie downloads to infected machines is “Oceanmap”, a C#-based tool for executing commands via Internet Message Access Protocol (IMAP). The original Oceanmap variant, not the one used here, had information stealing capabilities that have since been eliminated and ported to “Steelhook”, the other payload downloaded by Masepie associated with this campaign.
Steelhook is a PowerShell script whose job is to exfiltrate data from Google Chrome and Microsoft Edge via a webhook.
More notable than its malware is Fancy Bear’s immediacy of action. As previously described by Ukraine’s Computer Emergency Response Team (CERT-UA), within the first hour of landing on a victim’s machine, Fancy Bear infections download backdoors and conduct reconnaissance and lateral movement using stolen NTLMv2 hashes for relay attacks.
Therefore, potential victims must act quickly or, better yet, prepare for infections in advance. They can do this by following IBM’s long list of recommendations: monitoring emails for URLs served by Fancy Bear’s hosting provider, FirstCloudIT, and for suspicious IMAP traffic to unknown servers; addressing its favorite vulnerabilities, such as CVE-2024-21413, CVE-2024-21410, CVE-2023-23397 and CVE-2023-35636; and much more.
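The two monitoring recommendations above (URLs on the hosting provider's infrastructure, and IMAP traffic to servers that are not the organization's own) can be expressed as simple log checks. The script below is an added example, not code from IBM's report; the log format, the hosting-provider domain suffix (a placeholder standing in for whatever FirstCloudIT domains a threat-intel feed lists) and the mail-server allowlist are all assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Placeholder suffix standing in for the hosting provider named in the report;
# replace with the domains your threat-intel feed attributes to FirstCloudIT.
SUSPECT_HOSTING_SUFFIXES = ("firstcloudit-placeholder.test",)
# Assumed allowlist of the organization's legitimate IMAP servers.
KNOWN_MAIL_SERVERS = {"203.0.113.9"}
IMAP_PORTS = {143, 993}

# Assumed log formats: proxy lines "<ts> proxy <user> <url>" and
# connection lines "<ts> conn <src> -> <dst>:<port> tcp".
PROXY_RE = re.compile(r"^(?P<ts>\S+) proxy (?P<user>\S+) (?P<url>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) conn (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) tcp$")

# Constructed sample log (documentation-range addresses), not real telemetry.
SAMPLE_LOG = """\
2024-03-01T10:02:11Z proxy alice https://docs.firstcloudit-placeholder.test/report.pdf
2024-03-01T10:02:40Z conn 10.0.0.5 -> 203.0.113.9:993 tcp
2024-03-01T10:03:02Z conn 10.0.0.5 -> 192.0.2.10:993 tcp
2024-03-01T10:05:00Z proxy bob https://intranet.example.test/policy.docx
2024-03-01T10:06:14Z conn 10.0.0.7 -> 198.51.100.20:143 tcp
"""

def check_proxy_line(m):
    """Flag a fetched URL whose host sits under a suspect hosting-provider suffix."""
    host = (urlparse(m["url"]).hostname or "").lower()
    if any(host == s or host.endswith("." + s) for s in SUSPECT_HOSTING_SUFFIXES):
        return ("suspect-hosting-url", m["user"], m["url"])
    return None

def check_conn_line(m):
    """Flag IMAP-port connections to any server outside the mail-server allowlist."""
    port = int(m["port"])
    if port in IMAP_PORTS and m["dst"] not in KNOWN_MAIL_SERVERS:
        return ("imap-to-unknown-server", m["src"], f'{m["dst"]}:{port}')
    return None

def find_alerts(log_text):
    """Run both checks over every line and return the list of (kind, who, what) alerts."""
    alerts = []
    for line in filter(None, (l.strip() for l in log_text.splitlines())):
        m = PROXY_RE.match(line)
        hit = check_proxy_line(m) if m else None
        if not m:
            m = CONN_RE.match(line)
            hit = check_conn_line(m) if m else None
        if hit:
            alerts.append(hit)
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```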
“ITG05 will continue to exploit attacks against world governments and their political apparatuses to provide Russia with advanced intelligence on emerging political decisions,” the researchers concluded.