The Russian GRU-backed threat actor APT28 has been attributed to a series of campaigns targeting networks across Europe with the HeadLace malware and credential-harvesting web pages.
APT28, also known by the names BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is an advanced persistent threat (APT) group affiliated with Russia’s strategic military intelligence unit, the GRU.
Stealth and Sophistication
The hacking crew operates with an elevated level of stealth and sophistication, often demonstrating its adaptability through deep preparedness and custom tooling, and relying on legitimate internet services (LIS) and living-off-the-land binaries (LOLBins) to conceal its operations within regular network traffic.
“From April to December 2023, BlueDelta deployed Headlace malware in three distinct phases using geofencing techniques to target networks throughout Europe with a heavy focus on Ukraine,” Recorded Future’s Insikt Group said.
“BlueDelta’s espionage activities reflect a broader strategy aimed at gathering intelligence on entities with military significance to Russia in the context of its ongoing aggression against Ukraine.”
Spear-Phishing E-mails
HeadLace, as previously documented by the Computer Emergency Response Team of Ukraine (CERT-UA), Zscaler, Proofpoint, and IBM X-Force, is distributed via spear-phishing emails containing malicious links that, when clicked, initiate a multi-stage infection sequence to drop the malware.
BlueDelta appears to have employed a seven-stage infrastructure chain during the first phase to deliver a malicious Windows BAT script (i.e., HeadLace) that is capable of downloading and running follow-on shell commands, subject to sandbox and geofencing checks.
The second phase, which began on September 28, 2023, is notable for using GitHub as the starting point of the redirection infrastructure, while the third phase switched to using PHP scripts hosted on InfinityFree beginning October 17, 2023.
BlueDelta
“The last detected activity in Phase 3 was in December 2023,” the company stated. “Since then, BlueDelta likely ceased using InfinityFree hosting and favoured hosting infrastructure on webhook[.]site and mocky[.]io directly.”
BlueDelta has also been found to undertake credential harvesting operations designed to target services like Yahoo! and UKR[.]net by serving lookalike pages that ultimately trick victims into entering their credentials.
Another technique involved creating dedicated web pages on Mocky that interact with a Python script running on compromised Ubiquiti routers to exfiltrate the entered credentials. Earlier this February, a U.S.-led law enforcement operation disrupted a botnet comprising Ubiquiti EdgeRouters that APT28 had put to use for this purpose.
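As an added defender-side example (not code from the original report, Recorded Future or any of the vendors named), the following Python triage pass runs over constructed proxy log lines and flags the traits described above: a GitHub-to-free-PHP-hosting-to-Mocky redirect chain, a .bat fetched from one of the legitimate services named here, and a POST to webhook.site or mocky.io of the kind a lookalike login page would make. The log layout, the free-hosting suffixes and every hostname, path and IP in the sample are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Legitimate internet services (LIS) named in the reporting; their abuse blends into normal traffic.
LIS_HOSTS = {"webhook.site", "mocky.io", "run.mocky.io"}
# Free-hosting subdomain suffixes: assumed for this example, tune to your own intel.
FREE_HOSTING = (".rf.gd", ".infinityfreeapp.com")
# Assumed proxy log layout: timestamp src_ip method host/path status
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) "
                    r"(?P<host>[^/\s]+)(?P<path>/\S*) (?P<status>\d{3})$")
# Constructed sample log (not real telemetry): 10.0.0.7 walks GitHub -> free PHP host -> Mocky,
# then fetches a .bat; 10.0.0.9 POSTs form data to webhook.site.
SAMPLE_LOG = """\
2023-10-18T09:00:01 10.0.0.7 GET github.com/example-user/docs/ 302
2023-10-18T09:00:02 10.0.0.7 GET example-site.rf.gd/stage.php 302
2023-10-18T09:00:03 10.0.0.7 GET run.mocky.io/v3/placeholder-id 200
2023-10-18T09:00:05 10.0.0.7 GET run.mocky.io/v3/placeholder-id/update.bat 200
2023-10-18T09:10:00 10.0.0.9 GET github.com/example-user/docs/ 200
2023-10-18T09:11:00 10.0.0.9 POST webhook.site/placeholder-token 200
"""

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def triage(log_text, window=timedelta(minutes=5)):
    # Returns (src, finding, detail) tuples for the traits the article describes.
    by_src = defaultdict(list)
    for ev in filter(None, map(parse, log_text.splitlines())):
        by_src[ev["src"]].append(ev)
    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for e in events:
            lis = e["host"] in LIS_HOSTS or e["host"].endswith(FREE_HOSTING)
            if lis and e["path"].lower().endswith(".bat"):
                findings.append((src, "bat_from_lis", e["host"] + e["path"]))
            if e["method"] == "POST" and e["host"] in LIS_HOSTS:  # possible credential exfil
                findings.append((src, "post_to_lis", e["host"]))
        # Three consecutive requests: GitHub redirect -> free-hosted PHP -> LIS, inside the window.
        for a, b, c in zip(events, events[1:], events[2:]):
            if (a["host"].endswith("github.com") and a["status"] == "302"
                    and b["host"].endswith(FREE_HOSTING) and b["path"].endswith(".php")
                    and c["host"] in LIS_HOSTS and c["ts"] - a["ts"] <= window):
                findings.append((src, "lis_redirect_chain", f"{a['host']} -> {b['host']} -> {c['host']}"))
    return findings
```

Run `triage(SAMPLE_LOG)` to see the three findings; on real logs, treat a chain hit as a lead to pivot on, not as proof of HeadLace.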
Ukrainian Ministry of Defence
Targets of the credential harvesting activity included the Ukrainian Ministry of Defence, Ukrainian weapons import and export companies, European railway infrastructure, and a think tank based in Azerbaijan.
“Successfully infiltrating networks associated with Ukraine’s Ministry of Defence and European railway systems could allow BlueDelta to gather intelligence that potentially shapes battlefield tactics and broader military strategies,” Recorded Future observed.
“Moreover, BlueDelta’s interest in the Azerbaijan Centre for Economic and Social Development suggests an agenda to understand and possibly influence regional policies.”
Turla
The development comes as another state-sponsored Russian threat group called Turla has been observed leveraging human rights seminar invitations as phishing email decoys to execute a payload similar to the TinyTurla backdoor using the Microsoft Build Engine (MSBuild).