Russian hackers breach Ukrainian government and military entities

The Fancy Bear group has previously attacked German and American government bodies

A Russia-linked cyber gang has breached email servers belonging to several organisations in Ukraine, including some in the government.

The APT28 group, which goes by a variety of other names including Fancy Bear, is often linked to Russia's General Staff Main Intelligence Directorate, or GRU.

It has attacked both private and public organisations in the past, nearly always to promote Russian interests.

This time the group breached servers running Roundcube, a web-based email client, by sending emails that played on recipients' interest in the war in Ukraine.

"The campaign leveraged news about Russia's war against Ukraine to encourage recipients to open emails, which immediately compromised vulnerable Roundcube servers...using CVE-2020-35730, without engaging with the attachment," wrote Recorded Future, which first discovered the attack.

"We identified BlueDelta activity highly likely targeting a regional Ukrainian prosecutor's office and a central Ukrainian executive authority, as well as reconnaissance activity involving additional Ukrainian government entities and an organisation involved in Ukrainian military aircraft infrastructure upgrade and refurbishment."

As well as compromising servers, APT28 used email attachments to exploit the CVE-2020-35730, CVE-2020-12641 and CVE-2021-44026 vulnerabilities. The aim was to run reconnaissance and exfiltration scripts, redirect incoming emails and gather session cookies, user information and address books.
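For administrators who run Roundcube, the first question the three CVEs above raise is whether a given install is still exposed. The script below is an added triage check, not code from the article or from Recorded Future: it extracts the version from Roundcube's `RCMAIL_VERSION` constant (defined in `program/include/iniset.php`) or from any version string, and compares it against the first patched release on each maintained branch. The fixed-version table is an assumption taken from the Roundcube release announcements as I remember them; verify it against the project's own changelog before relying on it, and treat any branch not in the table as "check manually" rather than "safe".

```python
"""Triage a Roundcube version against CVE-2020-12641, CVE-2020-35730 and CVE-2021-44026.

Added example; the FIXED_IN table is an ASSUMPTION based on the Roundcube
release notes and must be verified against the project's changelog.
"""
from __future__ import annotations

import re

# Earliest release on each maintained branch that carried the fix.
# ASSUMPTION: (1.3.x, 1.4.x) values recalled from the release announcements.
FIXED_IN: dict[str, dict[tuple[int, int], tuple[int, int, int]]] = {
    "CVE-2020-12641": {(1, 3): (1, 3, 11), (1, 4): (1, 4, 4)},
    "CVE-2020-35730": {(1, 3): (1, 3, 16), (1, 4): (1, 4, 10)},
    "CVE-2021-44026": {(1, 3): (1, 3, 17), (1, 4): (1, 4, 12)},
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Roundcube defines its version in program/include/iniset.php, e.g.
#   define('RCMAIL_VERSION', '1.4.11');
_INISET_RE = re.compile(r"RCMAIL_VERSION'\s*,\s*'([^']+)'")


def parse_version(text: str) -> tuple[int, int, int] | None:
    """Return (major, minor, patch) from any string containing a dotted version.

    Accepts banners such as 'Roundcube Webmail 1.4.11' and release tags
    such as '1.4.3-complete'. Returns None if no three-part version is found.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def version_from_iniset(source: str) -> tuple[int, int, int] | None:
    """Pull the version out of the contents of program/include/iniset.php."""
    match = _INISET_RE.search(source)
    return parse_version(match.group(1)) if match else None


def exposed_cves(version_text: str) -> list[str] | None:
    """List the CVEs an installed version still lacks fixes for.

    Returns None when the version cannot be parsed or the branch is not in
    FIXED_IN, so a caller never mistakes 'unknown' for 'patched'.
    """
    version = parse_version(version_text)
    if version is None:
        return None
    branch = (version[0], version[1])
    exposed: list[str] = []
    for cve, fixes in FIXED_IN.items():
        fixed_at = fixes.get(branch)
        if fixed_at is None:
            return None  # branch not covered by the table: check manually
        if version < fixed_at:
            exposed.append(cve)
    return sorted(exposed)


def triage(version_text: str) -> str:
    """Human-readable verdict for one installed version."""
    cves = exposed_cves(version_text)
    if cves is None:
        return f"{version_text}: version or branch not recognised, check the changelog manually"
    if not cves:
        return f"{version_text}: patched against all three CVEs named in the report"
    return f"{version_text}: still exposed to {', '.join(cves)}, upgrade"


if __name__ == "__main__":
    # Constructed sample inputs, not real hosts.
    sample_iniset = "<?php\ndefine('RCMAIL_VERSION', '1.4.11');\n"
    print(triage("Roundcube Webmail 1.4.3"))
    print(triage("%d.%d.%d" % version_from_iniset(sample_iniset)))
    print(triage("1.4.12"))
    print(triage("1.5.0"))
```

Point `version_from_iniset` at the contents of each server's `program/include/iniset.php` (or feed `exposed_cves` the banner from your inventory tool) and anything that does not come back as "patched" goes on the upgrade list. Because the fixes for the email-based exploitation the article describes shipped in point releases, a branch pin such as "1.4" in a package manager is not enough on its own; the patch number is what matters.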

Recorded Future estimates that the infrastructure APT28 used in the attacks has been operational since late 2021.

APT28 / Fancy Bear has form in attacking government entities. It has previously been linked to attacks targeting the German Foreign and Defence Ministries, the Democratic National Committee and the US Senate.