Fancy Bears Get Busy
The notorious Russian cyber-espionage gang known as Fancy Bear, also known as APT28, has increased its attacks against governments and military entities worldwide using new, sophisticated cyber tools and technology.
Fancy Bear is perhaps best known in the United States for its hack and leak of Democratic National Committee emails in the lead-up to the 2016 presidential election.
Now, eleven Western countries have accused the hacking group of targeting defence, transport and tech firms involved in helping Ukraine.
British Foreign Secretary David Lammy said the UK's National Cyber Security Centre had discovered a sophisticated digital espionage tool used to harvest login credentials from online Microsoft products. He accused Russia of conducting a "sustained campaign of malicious cyber activity" targeting governments and institutions across Europe, and linked the activity to the UK's continued support of Ukraine.
Spies from Russia's military intelligence agency, the GRU, were "running a campaign to destabilise Europe", Lammy added.
New Zealand is the latest to join the international condemnation of cyber attacks by the Russian government and has imposed sanctions on more than 1,800 entities and individuals under the Russia Sanctions Act 2022, including the Head of the GRU and its cyber warfare units 74455 and 26165, known respectively as Sandworm and Fancy Bear.
Active since 2007 or 2008, this state-sponsored hacking gang has established itself as one of the most persistent and dangerous cyber adversaries, with a documented history of targeting high-value organisations across multiple continents, including the United States, Ukraine, Germany, and France.
Since the beginning of the Russia-Ukraine war, the unit has increasingly focused on collecting and exploiting political and wartime intelligence from the conflict. Recent intelligence indicates that Fancy Bear has significantly expanded its tactical capabilities, particularly against entities connected to the Ukrainian conflict and Western logistics companies providing military support.
Fancy Bear has been developing its malware and attack methodologies to avoid detection, while maintaining access to critical infrastructure and sensitive government communications.
In a recent report from Cyfirma, analysts focused on the group's latest campaign hitting Ukrainian government and military suppliers through highly sophisticated spear-phishing operations. These attacks leverage cross-site scripting vulnerabilities in widely used webmail platforms, including Roundcube, Horde, MDaemon, and Zimbra, allowing the attackers to deploy custom JavaScript malware payloads capable of exfiltrating sensitive data such as email messages, address books, and login credentials.
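Webmail cross-site scripting bugs of the kind named above are triggered by content inside a message body that the web client renders, so the core defence is to never render a body without first reducing it to an allowlist of harmless markup, and to treat any active content that had to be removed as a signal worth alerting on rather than silently discarding it. The following Python is an added example written for this article, not code from Cyfirma or from the Roundcube, Horde, MDaemon or Zimbra projects; the tag and attribute allowlist, the function names and the sample message are all constructed for the demonstration.

```python
"""Allowlist sanitiser for HTML email bodies, plus a flag for bodies that
carried active content. Added example, not code from the article or from any
webmail project; the sample message at the bottom is constructed."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags ordinary mail formatting needs; anything else is dropped (assumed allowlist).
ALLOWED_TAGS = {"p", "br", "div", "span", "b", "i", "u", "em", "strong", "a", "ul",
                "ol", "li", "blockquote", "h1", "h2", "h3", "table", "tr", "td", "th"}
# Attributes kept per tag: no style, class or id, and never on* handlers.
ALLOWED_ATTRS = {"a": {"href", "title"}, "td": {"colspan", "rowspan"},
                 "th": {"colspan", "rowspan"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" is a relative URL
VOID_TAGS = {"br"}


def _normalise_url(value):
    """Browsers ignore tabs, newlines and other control characters inside a URL,
    so strip them before inspecting the scheme (defeats "java\\tscript:")."""
    return re.sub(r"[\x00-\x20]", "", value)


class EmailSanitiser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitised HTML fragments
        self.dropped = []      # (kind, detail) for everything removed
        self._open = []        # stack of emitted tags, keeps output balanced
        self._skipping = None  # script/style element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if self._skipping:
            return
        if tag in ("script", "style"):
            # The parser hands the raw text of these as data; drop all of it.
            self._skipping = tag
            self.dropped.append(("tag", tag))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):          # onclick, onerror, onload, ...
                self.dropped.append(("event", name))
                continue
            if name in URL_ATTRS:
                value = _normalise_url(value)
                if urlsplit(value).scheme.lower() not in SAFE_SCHEMES:
                    self.dropped.append(("unsafe-url", value))
                    continue
            if tag in ALLOWED_TAGS and name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(("attr", name))
                continue
            kept.append((name, value))
        if tag not in ALLOWED_TAGS:
            self.dropped.append(("tag", tag))
            return
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._skipping:
            if tag == self._skipping:
                self._skipping = None
            return
        if tag not in self._open:
            return                     # stray, void or disallowed close tag
        while self._open:              # close unclosed inner tags first
            inner = self._open.pop()
            self.out.append(f"</{inner}>")
            if inner == tag:
                break

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(escape(data, quote=False))

    # handle_comment / handle_decl / handle_pi stay as the inherited no-ops,
    # so comments, doctypes and conditional comments never reach the output.
    def result(self):
        self.close()
        while self._open:
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitise_email_html(body):
    """Return (clean_html, dropped) for one message body."""
    parser = EmailSanitiser()
    parser.feed(body)
    return parser.result(), parser.dropped


def is_suspicious(dropped):
    """True when the body carried executable content: a script element, an
    event-handler attribute or a javascript:/data: URL. Stripping is enough
    for safe rendering; this flag is what should raise an alert."""
    return any(kind in ("event", "unsafe-url") or (kind, detail) == ("tag", "script")
               for kind, detail in dropped)


# Constructed sample body carrying the usual active-content tricks.
SAMPLE_EMAIL_HTML = (
    "<p>Hello,</p>"
    "<script>alert(1)</script>"
    '<a href="javascript:alert(1)">read more</a> '
    '<a href="https://example.com/doc" onmouseover="alert(1)">attachment</a>'
    '<img src=x onerror="alert(1)">'
    '<p style="color:red">Regards</p>'
)

if __name__ == "__main__":
    clean, dropped = sanitise_email_html(SAMPLE_EMAIL_HTML)
    print(clean, dropped, is_suspicious(dropped), sep="\n")
```

Running the module prints the cleaned body, the list of what was removed, and the alert flag. Stripping alone protects the rendering; recording the `dropped` list per message, together with sender and recipient account, is what turns an exploitation attempt against a webmail client into a detectable event instead of a silent one.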
The group’s recent exploitation of CVE-2023-23397, CVE-2023-38831, and CVE-2023-20085 demonstrates their rapid adaptation to newly discovered vulnerabilities.
Their attack chains often begin with weaponised documents containing malicious macros that downgrade security settings and establish persistent backdoor access through malware families including HATVIBE and CHERRYSPY.
Web-based email services are one of Fancy Bear's preferred targets. A typical compromise begins with webmail users receiving an email urgently requesting that they change their passwords to avoid being hacked. The email contains a link to a spoof website designed to mimic the real webmail interface; when users attempt to log in, their credentials are stolen.
Fancy Bear's attack tooling continues to evolve and now includes sophisticated anti-analysis techniques and data collection capabilities.
Cyfirma | Politico | Crowdstrike | Cybersecurity News | RNZ | Cyberscoop | Wikipedia
Image: Ideogram