The government’s Computer Emergency Response Team (CERT-UA), which operates under the State Special Communications Service of Ukraine, reports that a cyber threat has been detected from the APT28 hacker group (also known as Pawn Storm, Fancy Bear, BlueDelta).
It has been established that the espionage campaign was carried out using exploits for Roundcube (webmail software) and by sending emails with up-to-date news about the situation in Ukraine.
In particular, one of the emails, with the subject line “Ukraine News”, was received from the address “firstname.lastname@example.org” and contained decoy content disguised as an article by NV (nv.ua).
Similar emails were sent to more than 40 Ukrainian organizations.
CERT-UA experts emphasize that the threat was facilitated by the use of an outdated version of Roundcube (1.4.1).
The attack attempts were detected thanks to a prompt exchange of information with Recorded Future specialists.
“This case is an excellent example of the joint work of CERT-UA and the international company Recorded Future, which allowed us to identify the infrastructure from which the APT28 group carried out attacks on Ukrainian organizations,” said Viktor Zhora, Deputy Head of the State Special Communications Service of Ukraine.
As a reminder, in April, cybercriminals from the APT28 group attempted to attack Ukrainian government agencies with fake “operating system updates.”