Threat Management, Threat Intelligence

Europe subjected to multi-phase APT28 cyberespionage attacks

Russia and Presidential elections

Attacks with the Headlace information-stealing malware and credential-harvesting sites were deployed by Russian state-backed threat operation APT28 — also known as Fancy Bear, Sednit, BlueDelta, Sofacy Group, STRONTIUM, and Pawn Storm — against European networks as part of multi-stage espionage campaign between April and December, reports Security Affairs.

Organizations that passed the sandbox, operating system, and targeted country checks conducted by APT28 were injected with a malicious Windows BAT script that enabled shell command execution, according to a report from Recorded Future's Insikt Group.

Moreover, Ukraine's Ministry of Defence, the Azerbaijan Center for Economic and Social Development, and European railway systems were primarily targeted by the credential-harvesting sites with two-factor authentication bypass capabilities. Further analysis revealed most Headlace and credential-harvesting attacks launched by APT28 since 2022 have been targeted at Ukraine.

"Türkiye might seem like an unexpected target with 10%, but it’s important to note that it was singled out only by Headlace geofencing, unlike Ukraine, Poland, and Azerbaijan, which were targeted through both Headlace geofencing and credential harvesting," said researchers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.