Security agencies in Europe are on high alert after a string of sophisticated cyber attacks on government email servers. Early investigations point to hacking groups linked to the Kremlin as responsible.
A series of intrusions, which began late last year but was only recently discovered, compromised the email systems used by the governments and defense contractors of the small Eastern European nation and gave hackers access to the communications of high-ranking officials there, according to researchers at Cisco’s threat-intelligence division, Talos, who discovered the breach.
The Slovakian cybersecurity company ESET published a report last week describing how the Russia-linked hacking group APT28, also known as Fancy Bear and BlueDelta, abused cross-site scripting (XSS) bugs in widely used webmail servers such as Roundcube, Horde, MDaemon, and Zimbra.
Attackers sent booby-trapped phishing emails, frequently masquerading as news articles or links, with malicious code injected into the email bodies. This code, which was hidden from the user, then gave the hackers login credentials, the ability to exfiltrate contact lists, and full access to email communications.
The initial targets detected were government and defense organizations in Ukraine, Bulgaria and Romania. Even more alarmingly, ESET’s report says that governments in Africa, South America and additional European countries were also impacted, so there may be a broader campaign of espionage.
Few of the defense firms with compromised computer networks specialize in the manufacture of Soviet-era weapons now being sent to Ukraine, adding to the questions about the type of information the hackers were searching for.
APT28 has been involved in cyber espionage for several years and has been widely linked to Russia’s military intelligence agency (GRU). The group's techniques frequently leverage well-documented flaws in webmail services, especially those that businesses do not patch frequently.
Cybersecurity experts note that these vulnerabilities can be triggered remotely, typically requiring no more than opening a malicious email message, which makes for extremely effective attacks.
The latest round of attacks highlights the continued danger that state-sponsored hacking groups pose to European governments and critical infrastructure.
Organizations, especially those in sensitive industries, are warned to enable security features on webmail systems and to train employees who could become involved in transferring funds in effective cybersecurity practices, so that they avoid falling for sophisticated business email compromise (BEC) manipulation. Investigations are continuing to determine the full extent of the damage caused by the data breach, including all the victims.