Fancy Bear and Sandworm are targeting EU governments.
Two Russian APT groups are targeting European NATO member states with cyberespionage campaigns ahead of the EU parliamentary elections in May. Researchers at FireEye observed both large-scale and highly targeted phishing operations launched by Sandworm and APT28 (that would be Fancy Bear) against European government institutions, with the goal of stealing credentials. FireEye says the two groups' efforts seem to be coordinated, although they use different tools and techniques. Sandworm generally uses publicly available hacking tools, while APT28 prefers custom-made malware and zero-day exploits (CNBC).
The campaigns are believed to have three primary objectives: stealing information and credentials for use in future attacks, gathering intelligence to give Russia a diplomatic edge, and collecting data to assist in information operations. FireEye didn’t disclose which organizations were targeted, or whether the attackers were able to get their hands on sensitive data, but it did note that attack campaigns of this size are generally successful (ZDNet).
It’s not clear if these campaigns are directly focused on influencing Europe’s upcoming elections, or if they're part of a more wide-ranging cyberespionage operation. Benjamin Read, senior manager of cyber espionage analysis at FireEye, said it's clear that "the multiple voting systems and political parties involved in the elections creates a broad attack surface for hackers." FireEye’s warning comes after an announcement from Microsoft last month that APT28 was launching phishing attacks against European think tanks and non-profit organizations.