On January 31, 2024, DuskRise's Cluster 25 reported a newly launched Russian state-sponsored campaign targeting entities adversarial to the Russian government, both inside and outside Russia. The targeting appears to focus on Russian dissidents and opposition groups.
According to the Cluster 25 report, targeted entities are located in the United States (US), Mexico, Portugal (which stands out with the largest number of reported activities, fifteen, nearly double the eight reported for the second-placed US), Turkey, and Israel. However, the source makes several references to a potential target in the Netherlands, a country that does not appear in the list of impacted ones.
The infection, as described in the report, starts with a phishing email carrying one of several lures that fall into two groups. Some lures impersonate US government agencies such as NASA and USAID; others pose as copies of Russian-language opposition newspaper articles.
The attack chain relies on phishing for malware delivery. The victim receives a ZIP archive. Upon decompressing it, the victim is presented with a LNK file disguised as a PDF. When the victim opens the shortcut, the expected document is displayed, but the infection continues in the background: a PowerShell script is launched and an open-source tool, HTTP-Shell, is executed. The latter establishes the connection to the command-and-control server.
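As an added defensive illustration, not code from the Cluster 25 report: a small Python scanner that inspects a ZIP archive for the lure shape described above, a shortcut carrying a document-style name whose target or arguments invoke PowerShell. The shortcut parsing follows the public MS-SHLLINK header layout; the sample archive, entry name and command line it builds are constructed placeholders, not captured samples.

```python
import io
import struct
import zipfile
# MS-SHLLINK layout: 76-byte header, LinkFlags at offset 20; bit positions of the flags we need.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")  # HeaderSize + LinkCLSID
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))

def parse_lnk(data: bytes) -> dict:  # returns the StringData fields; RelativePath/Arguments show what really runs
    if not data.startswith(LNK_MAGIC):
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:  # LinkTargetIDList: uint16 size, then the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: uint32 size that includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for flag, key in STRING_FIELDS:  # each present field: uint16 character count, then the characters
        if flags & flag:
            nbytes = struct.unpack_from("<H", data, pos)[0] * width
            fields[key] = data[pos + 2:pos + 2 + nbytes].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + nbytes
    return fields

def scan_zip(zip_bytes: bytes) -> list:  # (entry name, reasons) for .lnk entries that look like the lure
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if not name.endswith(".lnk"):
                continue
            reasons = []
            if name[:-4].endswith((".pdf", ".doc", ".docx", ".xlsx")):
                reasons.append("shortcut named like a document")
            fields = parse_lnk(zf.read(info))
            target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
            if "powershell" in target or "pwsh" in target:
                reasons.append("shortcut launches PowerShell")
            if reasons:
                findings.append((info.filename, reasons))
    return findings

def build_sample_zip(entry: str, relative_path: str, arguments: str) -> bytes:  # constructed test input only
    header = bytearray(LNK_MAGIC) + bytearray(56)  # 20 magic bytes + zeroed remainder of the 76-byte header
    struct.pack_into("<I", header, 20, HAS_REL_PATH | HAS_ARGS | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry, bytes(header) + body)
    return buf.getvalue()
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block, which the parser skips by size, so the same function works on archives pulled from a mail gateway quarantine.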
While the report does not state the objectives of the campaign, the infection chain suggests that espionage is the actor's primary objective. The actor has not been named in the report, but the activity is reportedly consistent with a Russian state-sponsored advanced persistent threat. The attack chain shares some commonalities with APT28-attributed activities reported in late December 2023.
These activities are reported in a landscape where APT28 has been consistently engaging in adversarial activities targeting NATO countries and Ukraine.
According to a post by the Ukrainian National Cybersecurity Coordination Center (NCSCC) published on January 28, 2024, Ukrainian military personnel have been targeted in a phishing campaign delivering fraudulent HTML login pages for the ukr[.]net mail service. According to the NCSCC assessment, the phishing scheme collects user-entered data, including credentials, and exfiltrates it to a Ubiquiti edge router whose IP address geolocates to Singapore.
NCSCC attributes this activity to APT28 ("Fancy Bear") based on the consistent usage of Ubiquiti edge routers in connection with phishing campaigns; the same technique was observed in May 2023 and reported in a Sekoia report.