Russia's 'Fancy Bear' APT Targets Ukrainian Energy Facility

The group, best known for 2016 US election interference and other attacks on Ukraine, used phishing emails offering pictures of women to lure its victim into opening a malicious attachment.

Dark Reading Staff, Dark Reading

September 6, 2023

[Image: The colors of the Ukrainian flag with code across it and the word "Hacked". Source: ADragan via Shutterstock]

Earlier this week, infamous Russian cyberespionage group Fancy Bear (aka APT28, Strontium, or Sofacy) was caught attacking a critical energy facility in Ukraine. The attack was ultimately thwarted by a cybersecurity professional working for the organization that was targeted.

Ukraine's Computer Emergency Response Team (CERT-UA) detected and analyzed the attack, it noted in a report. CERT-UA stated that the group's MO was to send bulk phishing emails from a fake address that linked to a .ZIP archive, so that it could ultimately gain access to the organization's systems and data.

The email CERT-UA shared included a message that read: "Hi! I talked to three girls, and they agreed. Their photos are in the archive; I suggest checking them out on the website." This is notably different from past malicious emails that Russian hackers have used, where the correspondence has included false government documents or illegitimate software updates. The recent email also included a .BAT file that would have executed a harmful script once opened.

In addition to this, researchers noted that the attackers installed Tor on the victim's computer, allowing for anonymous Internet browsing and making it harder to trace where the data was being sent.
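As an added defensive example (not code from the article, CERT-UA, or the attackers), the check below mirrors what a mail gateway could do with the lure described above: open a ZIP attachment that claims to hold photos and flag any member that Windows would execute directly, including a batch file hiding behind a decoy image extension. The archive contents are constructed here for illustration; the file names and extension list are assumptions.

```python
"""Flag Windows-executable members inside a ZIP attachment."""
import io
import zipfile

# Extensions Windows executes directly on double-click (assumed list).
EXECUTABLE_EXTS = {".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf",
                   ".ps1", ".hta", ".scr", ".exe", ".lnk"}


def suspicious_members(zip_bytes: bytes) -> list[str]:
    """Return archive member names that end in an executable extension.

    Only the final extension matters: 'photo.jpg.bat' is still a .bat
    file to Windows, even though the name looks like an image.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in EXECUTABLE_EXTS:
                flagged.append(info.filename)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed sample archive (not the real lure): two decoy images,
    a plain batch file, and a batch file with a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/img1.jpg", b"\xff\xd8\xff")   # JPEG magic only
        zf.writestr("photos/img2.jpg", b"\xff\xd8\xff")
        zf.writestr("photos/view.bat", "@echo off\r\necho harmless\r\n")
        zf.writestr("photos/img3.jpg.bat", "@echo off\r\necho harmless\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member in suspicious_members(build_sample_archive()):
        print("executable member in archive:", member)
```

A real gateway would also recurse into nested archives and inspect file content, since an extension check alone is easy to evade.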

This attempted attack comes after a period of relative cyber peace, as Ukraine's authorities have not reported an attack on the country's energy infrastructure since autumn 2022. There is concern as to whether these attacks will resume now that summer is coming to an end, and, given this most recent incident, those concerns could become a reality.
