Wednesday, March 20, 2024

Spear-phishing campaigns run by Russia-linked hackers are using documents from governments and NGOs, both genuine and forged, as lures against organizations that typically work with those bodies.

The group is tracked as APT28 and is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422 and UAC-0028.

The same adversary has used lures about the Israel-Hamas conflict to deliver the HeadLace backdoor, and has run spear-phishing campaigns against organizations in Ukraine and Poland to plant the MASEPIE, OCEANMAP and STEELHOOK malware.

In addition, it has exploited a Microsoft Outlook vulnerability (CVE-2023-23397) to leak Net-NTLMv2 hashes, which can then be relayed to other services or cracked offline to gain further access.

In the meantime, the IMF reported that several of its employees' email accounts were compromised. It is not clear whether this is the result of the campaign above or is related to another Russia-linked group, Midnight Blizzard, which has been using password-spray attacks (a few common passwords tried against many accounts, so that no single account trips a lockout) to compromise Exchange Online (part of the Microsoft Office 365 suite) accounts.
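A password spray looks different from a brute-force attempt in sign-in telemetry: one source fails against many distinct accounts with only one or two tries each, and a lone success in the same window marks the account that fell. The detection logic below is an added example, not code from the original post or from any vendor; the sign-in records are constructed, and the field layout (timestamp, user, source IP, result) is an illustrative assumption rather than an exact Exchange Online or Entra ID schema.

```python
"""Flag password-spray patterns in sign-in records (added example).

Heuristic: within a time window, one source IP fails against at least
`min_users` distinct accounts while making at most `max_attempts_per_user`
attempts against any single one. A success from the same IP inside that
window is reported as a likely compromised account.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAIL = "failure"
SUCCESS = "success"

# Constructed sample events (not real telemetry). 198.51.100.7 sprays one
# password across seven accounts and lands on grace; 203.0.113.9 is a single
# user mistyping their own password, which must not trigger the rule.
SAMPLE_EVENTS = [
    ("2024-03-13T02:00:05", "alice@example.org", "198.51.100.7", FAIL),
    ("2024-03-13T02:00:09", "bob@example.org",   "198.51.100.7", FAIL),
    ("2024-03-13T02:00:14", "carol@example.org", "198.51.100.7", FAIL),
    ("2024-03-13T02:00:19", "dave@example.org",  "198.51.100.7", FAIL),
    ("2024-03-13T02:00:24", "erin@example.org",  "198.51.100.7", FAIL),
    ("2024-03-13T02:00:31", "frank@example.org", "198.51.100.7", FAIL),
    ("2024-03-13T02:00:37", "grace@example.org", "198.51.100.7", SUCCESS),
    ("2024-03-13T02:01:00", "heidi@example.org", "203.0.113.9",  FAIL),
    ("2024-03-13T02:01:10", "heidi@example.org", "203.0.113.9",  FAIL),
    ("2024-03-13T02:01:25", "heidi@example.org", "203.0.113.9",  SUCCESS),
]


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_attempts_per_user=2):
    """Return {source_ip: finding} for every IP matching the spray pattern."""
    parsed = sorted(
        (datetime.fromisoformat(ts), user, ip, result)
        for ts, user, ip, result in events
    )
    by_ip = defaultdict(list)
    for ev in parsed:
        by_ip[ev[2]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == FAIL]
        # Slide a window starting at each failure; stop at the first match.
        for i, (start, _, _, _) in enumerate(fails):
            in_window = [e for e in fails[i:] if e[0] - start <= window]
            per_user = Counter(e[1] for e in in_window)
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_attempts_per_user):
                end = start + window
                hits = sorted({e[1] for e in evs
                               if e[3] == SUCCESS and start <= e[0] <= end})
                findings[ip] = {
                    "window_start": start.isoformat(),
                    "distinct_users": len(per_user),
                    "likely_compromised": hits,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_EVENTS).items():
        print(ip, finding)
```

Tune `min_users` and `window` to the tenant's size; sprays against large tenants are often slow (one attempt per account per day), so a 30-minute window alone will miss them and a second pass over a 24-hour window is worthwhile.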

The attackers used the Windows "search-ms:" URI protocol handler, which opens a Windows Search results window over a location the link specifies, to pull malware from WebDAV servers they control. Because the WebClient service lets Explorer treat a remote WebDAV share as a local folder, blocking outbound WebDAV at the perimeter, or disabling the WebClient service where it is not needed, blunts this technique.
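A mail gateway or sandbox can flag such lures by extracting every search-ms: link and checking whether its location is a remote UNC path rather than a local folder. The parser below is an added example, not code from the original post or from CERT-UA: it assumes the search-ms query-string syntax (query=..., crumb=location:<path>, displayname=...) documented for Windows Search, and the \\host@80 and \\host@SSL UNC forms that the Windows WebClient service maps to HTTP and HTTPS WebDAV. The HTML lure body is constructed.

```python
"""Flag search-ms: links whose location points at a remote share (added example).

Assumptions (not from the original post): search-ms URIs carry
query=...&crumb=location:<path>&displayname=...; a location beginning
with \\\\ is a UNC path, and the @80 / @SSL suffix on the host selects
WebDAV over HTTP / HTTPS. "DavWWWRoot" in the path is a WebDAV marker.
"""
import re
from urllib.parse import unquote

SEARCH_MS_RE = re.compile(r'search-ms:[^\s"\'<>]+', re.IGNORECASE)
LOCATION_RE = re.compile(r"location:(.*)", re.IGNORECASE | re.DOTALL)
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(\d+|SSL))?\\(.*)$", re.IGNORECASE)

# Constructed lure: one link to an attacker WebDAV share, one to a local path.
SAMPLE_LURE = (
    "<html><body><p>Please review the attached document.</p>"
    '<a href="search-ms:query=Report&crumb=location:\\\\203.0.113.50@80'
    '\\DavWWWRoot\\docs&displayname=Downloads">Open</a>'
    '<a href="search-ms:query=invoice&crumb=location:C:\\Users\\Public'
    '&displayname=Local">Local</a>'
    "</body></html>"
)


def parse_search_ms(uri):
    """Split a search-ms: URI into its lower-cased, URL-decoded parameters."""
    body = uri.split(":", 1)[1]
    params = {}
    for part in body.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.lower()] = unquote(value)
    return params


def classify_search_ms(uri):
    """Describe where a search-ms: link would make Explorer look."""
    params = parse_search_ms(uri)
    loc_match = LOCATION_RE.match(params.get("crumb", ""))
    location = loc_match.group(1) if loc_match else ""
    finding = {
        "uri": uri,
        "displayname": params.get("displayname"),
        "location": location,
        "remote": False,
        "host": None,
        "transport": None,
    }
    unc = UNC_RE.match(location)
    if unc:
        host, port, path = unc.groups()
        if port is None:
            # Plain \\host\share: SMB, or WebDAV if SMB is blocked and
            # WebClient falls back; the DavWWWRoot marker settles it.
            transport = "webdav" if "davwwwroot" in path.lower() else "smb-or-webdav"
        elif port.upper() == "SSL":
            transport = "webdav-https"
        else:
            transport = "webdav-http:%s" % port
        finding.update(remote=True, host=host, transport=transport)
    return finding


def find_remote_search_ms(text):
    """Return findings for every search-ms: link in `text` that points off-host."""
    return [f for f in (classify_search_ms(m.group(0))
                        for m in SEARCH_MS_RE.finditer(text)) if f["remote"]]


if __name__ == "__main__":
    for finding in find_remote_search_ms(SAMPLE_LURE):
        print(finding["host"], finding["transport"], finding["displayname"])
```

The display name deserves attention too: attackers set it to something like "Downloads" so the remote search window looks like a local folder listing, so a display name that does not match the location is itself a useful signal.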
#APT28 #spearphishing #passwordspray #malware