Russia's 'Fancy Bear' APT Targets Ukrainian Energy Facility

Earlier this week, infamous Russian cyberespionage group Fancy Bear (aka APT28, Strontium, or Sofacy) was caught attacking a critical energy facility in Ukraine. The attack was ultimately thwarted by a cybersecurity professional working for the organization that was targeted.

Ukraine's Computer Emergency Response Team (CERT-UA) detected and explored the attack, it noted in a report. CERT-UA stated that the MO of the group was to use bulk phishing emails from a fake address that linked to a .ZIP archive, so that it could ultimately gain access to the organization's system and data.

The email CERT-UA shared included a message that read: "Hi! I talked to three girls, and they agreed. Their photos are in the archive; I suggest checking them out on the website." This is notably different from past malicious emails that Russian hackers have used, where the correspondence has included false government documents or illegitimate software updates. The recent email also included a BAT formatted file that would have executed harmful script once opened.

In addition to this, researchers noted that the attackers installed Tor onto the victim's computer, allowing for anonymous Internet browsing and difficulty tracing the data's root source.

This attempt at an attack comes after a period of cyber peace, as Ukraine's authorities have not reported an attack on its energy infrastructure since autumn 2022. There is concern as to whether these attacks will once again resume now that summer is coming to an end; and, given this most recent incident, those concerns could become a reality.