Russia’s APT28 (also known as “Fancy Bear” or “BlueDelta”) is using spear phishing to compromise Ukrainian government and military entities, according to researchers at Recorded Future. The phishing emails are designed to exploit vulnerabilities in the open-source webmail software Roundcube.
APT28 is a threat actor associated with Russia’s military intelligence agency, the GRU.
“The BlueDelta activity, identified by Insikt Group, appears to have been operational since November 2021,” the researchers write. “The campaign overlaps with activity attributed by CERT-UA to APT28 (also known as Forest Blizzard and Fancy Bear), which multiple Western governments attribute to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). In this operation, BlueDelta primarily targeted Ukrainian organizations, including government institutions and military entities involved in aircraft infrastructure.”
The threat actor is targeting both public- and private-sector entities in Ukraine.
“BlueDelta has demonstrated a long-standing interest in gathering intelligence on entities in Ukraine and across Europe, primarily among government and military/defense organizations,” the researchers write. “The most recent activity very likely represents a continued focus on these entities and specifically those within Ukraine. We assess that BlueDelta activity is likely intended to enable military intelligence-gathering to support Russia’s invasion of Ukraine and believe that BlueDelta will almost certainly continue to prioritize targeting Ukrainian government and private sector organizations to support wider Russian military efforts.”