Researchers have discovered a new cyber operation against Ukrainian and Polish organizations, attributing it to the Russian state-controlled hacker group known as Fancy Bear.
During the attacks in December, Russian hackers sent phishing emails to their victims with malicious attachments. Once opened, these attachments infected targeted devices with the novel Masepie malware, according to a report from Ukraine’s computer emergency response team (CERT-UA).
The malware, written in the Python programming language, can upload files and execute commands, researchers said. In the latest campaign, the hackers used it to upload data-stealing malware called Steelhook, which targets web browsers, and a backdoor called Oceanmap, which leverages email software.
After the initial compromise, hackers also integrate open-source tools like Impacket and Smbexec into the system to perform reconnaissance. These tools are commonly used in penetration testing and ethical hacking to understand and exploit network vulnerabilities. However, they could also be misused by hackers for malicious purposes.
Researchers said that the hackers’ goal in this campaign was not to infect just one computer but to expand the attack to the entire network of the organization.
In Ukraine, the group’s victims included unnamed government agencies. Poland’s cyber agency hasn’t responded to a request for comment.
In 2023 alone, Fancy Bear, also known as APT28, targeted Ukrainian energy facilities, government agencies, and the military. France also accused the hackers of spying on French universities, businesses and think tanks.
The group is linked to Russia’s military intelligence agency (GRU) and primarily attacks government, energy, transportation and nongovernmental organizations in the U.S., Europe, and the Middle East.
The hackers commonly exploit publicly available vulnerabilities such as Microsoft Outlook flaws or a popular file archiver utility for Windows called WinRAR.
Earlier in December, the Polish cybersecurity agency said that Fancy Bear exploited the Microsoft Outlook vulnerability to gain access to mailboxes containing “high-value information.”
Source: The Record