Ukraine at D+482: Fancy Bear sighting.
N2K, Jun 21, 2023

Fighting continues as Ukraine's Ministry of Defense says its counteroffensive has hardly begun. GRU cyber operators are found active in Ukrainian mail servers. 

Fighting continues much as it has since the weekend, with Ukrainian forces making small gains, and Russian forces remaining on the tactical and operational defensive, with continued drone and missile strikes against Ukrainian cities. The Institute for the Study of War cites Ukrainian Deputy Defense Minister Hanna Malyar to the effect "that Russian forces have committed significant forces to stop Ukrainian offensives, making Ukrainian advances difficult. Malyar added that ongoing Ukrainian operations have several tasks that are not solely focused on liberating territory and that Ukrainian forces have yet to start the main phase of counteroffensive operations." What the tasks might be that aren't focused on regaining occupied territory she doesn't say, but attrition of Russian forces is an obvious candidate. So is "showing the Russians that the war is not worth fighting," as an essay in the Atlantic puts it.

Russia has made a significant investment in fixed field fortifications along the approaches to Crimea. "Intense fighting continues in sectors of southern Ukraine. However, over recent weeks, Russia has continued to expend significant effort building defensive lines deep in rear areas, especially on the approaches to occupied Crimea," the British Ministry of Defence writes in this morning's situation report. "This includes an extensive zone of defences of 9 km in length, 3.5 km north of the town Armyansk, on the narrow bridge of land connecting Crimea to the Kherson region. These elaborate defenses highlight the Russian command's assessment that Ukrainian forces are capable of directly assaulting Crimea. Russia continues to see maintaining control of the peninsula as a top political priority."

Fancy Bear noses into Ukrainian email servers.

The GRU's APT28 group, Fancy Bear, used three Roundcube exploits (CVE-2020-35730, CVE-2021-44026, CVE-2020-12641) against Ukrainian email servers in the course of a renewed and recently detected Russian cyberespionage campaign. The attack's success was enabled, CERT-UA says, by the victims' continued use of an outdated version of the Roundcube open-source webmail software, a version that remains susceptible to SQL injection attacks.

CERT-UA credits the detection of the activity to information received from a Western company working within a program of regular information exchange. "We would like to take this opportunity to express our gratitude to the researchers of the international company, with whom the prompt exchange of information made it possible to detect attempts to implement a cyber threat in a timely manner." The company is unnamed, but it's clearly Recorded Future, given the link CERT-UA provides to the research that tipped them off to the GRU campaign.

Recorded Future says as much itself. An extensive account published yesterday by the company's Insikt Group says, "The campaign leveraged news about Russia's war against Ukraine to encourage recipients to open emails, which immediately compromised vulnerable Roundcube servers (an open-source webmail software), using CVE-2020-35730, without engaging with the attachment. We found that the campaign overlaps with historic BlueDelta activity exploiting the Microsoft Outlook zero-day vulnerability CVE-2023-23397 in 2022." BlueDelta, which is an activity cluster rather than a named threat group, overlaps with other activity credibly associated with Russia's GRU, specifically APT28, that is, Fancy Bear. Its initial approach is spearphishing, with news accounts of Russia's war against Ukraine serving as the typical phishbait.

BlueDelta's goal is collection. Recorded Future concludes that the activity is "likely intended to enable military intelligence-gathering to support Russia’s invasion of Ukraine." This and similar activity will in all probability persist for the duration of Russia's war.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, warns that APT28 is capable and dangerous. "APT28 has been hunting in Ukrainian cyberspace since 2013," he wrote. "This intrusion is significant, and I am concerned that they might escalate and use wipers to leverage systemic destructive attacks."

Erich Kron, Security Awareness Advocate at KnowBe4, writes to explain why this sort of attack against an email server represents a significant threat. "This attack is unique and dangerous in that unlike in most situations, the end user does not need to open or interact with an infected attachment in the email," he says. "Simply opening the email is enough to cause infection. By pairing these attacks with news content that is relevant to the recipients, the attackers have a very good chance of getting the potential victims to open the intended e-mail, starting the infection. For the time being, users of the Roundcube webmail reader should be very cautious or should consider a different email reading platform until the vulnerability is resolved. They should also be very suspicious of any emails that are unexpected and that trigger a strong emotional response. For organizations that use the Roundcube webmail reader, it's important that they patch the vulnerability as soon as a fix is available or that they mitigate the issue in some other way such as blocking potentially dangerous content within the messages."
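The mitigation Kron describes, blocking potentially dangerous content inside messages before the webmail client renders it, is the general defence against "open the email and you're compromised" bugs in any webmail software: the client is a browser page, so whatever active content the message body carries runs in the user's session unless it is stripped first. The sketch below is an added illustration of that control and is not Roundcube's own sanitizer, nor code from CERT-UA or Recorded Future. It assumes a webmail renderer that passes each HTML message body through `sanitize_html()` before display; the sample message is constructed for the example, and the allowlists are deliberately small so the logic stays readable.

```python
"""Allowlist-based HTML sanitizer for webmail message bodies (illustrative, not Roundcube's code).

Design: everything is denied unless it is explicitly permitted. Script-bearing
elements are dropped together with their contents, unknown tags are stripped
(their text is kept), only a short list of attributes survives per tag, and
link targets must use an explicitly safe URL scheme. Every removal is logged
so an operator can see what a message tried to carry.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that may be rendered at all (hypothetical minimal set for the example).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "div", "span", "pre", "code"}
# Per-tag attribute allowlist; tags not listed here keep no attributes.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Tags whose *contents* are discarded as well, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "svg", "math", "template"}
# URL schemes a link may point at; javascript:, data:, vbscript: etc. are rejected.
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def _safe_url(value: str) -> bool:
    """True if the link target uses an allowlisted scheme.

    Whitespace and non-printable characters are removed first so that tricks such
    as 'java\\nscript:' or a leading tab are seen as the scheme they really are.
    Relative URLs (no scheme) are rejected too; they are meaningless in mail.
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.removed: list[str] = []   # audit trail of what was stripped
        self.dropping: str | None = None  # name of the content-dropping tag we are inside

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return                      # inside <script>/<style>/...: discard everything
        if tag in DROP_CONTENT_TAGS:
            self.removed.append(f"tag:{tag}")
            self.dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            self.removed.append(f"tag:{tag}")   # strip the tag, keep its text content
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                # Covers every on* event handler, style, srcdoc, etc.
                self.removed.append(f"attr:{tag}.{name}")
                continue
            if name in {"href", "src"} and not _safe_url(value):
                self.removed.append(f"attr:{tag}.{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping:
                self.dropping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data))   # re-escape decoded text so nothing is re-parsed as markup

    # Comments (including IE conditional comments) are silently dropped by the base class.


def sanitize_html(body: str) -> tuple[str, list[str]]:
    """Return (sanitized_html, list_of_removed_items)."""
    parser = _Sanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample message: a legitimate-looking news lure carrying three
# kinds of active content a renderer must not execute.
SAMPLE_MESSAGE = (
    '<div><p>Latest on the <b>counteroffensive</b>: '
    '<a href="https://example.test/news">read more</a></p>'
    '<script>alert(1)</script>'
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)">click</a></div>'
)

if __name__ == "__main__":
    clean, removed = sanitize_html(SAMPLE_MESSAGE)
    print(clean)
    print("removed:", removed)
```

The audit list is the part a defender actually uses: a mail server that logs `removed` per message can alert when inbound mail to many users suddenly starts carrying `<script>` elements or `javascript:` links, which is the kind of signal that makes a campaign like this one detectable before anyone clicks. Note that a sanitizer of this shape protects the rendering path only; it does nothing for server-side bugs such as the SQL injection the article mentions, for which the only fix is patching the webmail software itself.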