.png)
Date: 22/03/2024
Where:
Europe, Central Asia, North and South America
Who’s involved:
IBM “X-Force” (threat intelligence), various cyber threat intelligence groups, APT28 AKA Fancy Bear (Russian State-Sponsored Threat Actor), ITG05 (identified group or campaign)
What happened?
Since mid-March 2024, IBM’s Threat Intelligence “X-Force” has been releasing findings on a new phishing campaign to steal sensitive information by targeting governments and NGOs across four continents.
The campaign, identified as “ITG05”, has significant overlap with APT28, famously identified as “Fancy Bear”. APT28 is connected to the Russian GRU, which means ITG05 is very likely part of a Russian military intelligence operation.
Ukraine’s CERT-UA identified the campaign as a threat as early as December, identifying one of the tools that would later be attributed to the ITG05 campaign.
As of late February 2024, ITG05 has been conducting phishing operations, both targeting and impersonating organizations from countries including but not limited to Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States.
Analysis:
Reports from X-Force claim that the tools, tactics, and procedures observed in the ITG05 campaign strongly resemble Fancy Bear.
The sustained operational intensity and evolving methods of ITG05 indicate that the group will continue to carry out malicious activity against global targets to support Russian state objectives.
The phishing efforts orchestrated by ITG05 contain a blend of documents: some are sourced from public records while others seem to be crafted by the attackers.
The lures used by ITG05 span a wide array of themes and attempt to draw in targets, encompassing areas like finance, essential infrastructure, senior executive meetings, cybersecurity, maritime safety, healthcare, and defense manufacturing.
Many of the “lure” documents were designed to appear related to events happening in Israel and Palestine.
The backdoor-seeking malware, known as MASEPIE, was found in emails directed towards Polish and Ukrainian government organizations as early as December 2023. APT28 was the Ukrainian government’s chief suspect at the time.
APT28 and ITG05’s objectives are typically dedicated to obtaining access to adversarial systems, reconnaissance, and intelligence collection.
Conclusion:
The ongoing ITG05 campaign shares significant APT28 activities and tactics, and highlights the sophisticated and persistent nature of Russian state-sponsored cyber operations. This campaign's wide geographical scope and targeting of government and non-governmental organizations underline a strategic approach aimed at intelligence gathering, influencing geopolitical landscapes, and advancing Russian state interests.
The diverse themes of the phishing lures, ranging from finance and infrastructure to geopolitical events, demonstrate ITG05's adaptability and targeted approach to engaging different victim profiles. The use of the MASEPIE backdoor, in particular, points to a focused effort on maintaining persistent access to high-value targets for long-term espionage and data exfiltration activities.
