The Russian GRU-affiliated threat actor APT28 has been linked to a series of campaigns aimed at networks across Europe, employing the HeadLace malware and credential-harvesting web pages.
APT28, also identified by names such as BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is an advanced persistent threat (APT) group tied to Russia’s military intelligence agency, the GRU.
This group operates with considerable stealth and sophistication, adapting through meticulous preparation and custom tooling. It often relies on legitimate internet services (LIS) and living-off-the-land binaries (LOLBins) to blend its activity into ordinary network traffic.
“From April to December 2023, BlueDelta deployed HeadLace malware in three distinct phases, utilizing geofencing techniques to target networks throughout Europe, with a significant emphasis on Ukraine,” Recorded Future’s Insikt Group reported.
“BlueDelta’s espionage endeavors are part of a broader strategy to gather intelligence on entities of military importance to Russia amidst its ongoing aggression against Ukraine.”
HeadLace, previously documented by the Computer Emergency Response Team of Ukraine (CERT-UA), Zscaler, Proofpoint, and IBM X-Force, is disseminated through spear-phishing emails containing malicious links. When clicked, these links trigger a multi-stage infection process to deliver the malware.
In the first phase, BlueDelta employed a seven-stage infrastructure chain to deliver a malicious Windows BAT script (i.e., HeadLace) capable of downloading and executing additional shell commands, contingent on sandbox and geofencing checks.
The second phase, commencing on September 28, 2023, utilized GitHub as the initial point of the redirection infrastructure. By the third phase, starting October 17, 2023, they shifted to using PHP scripts hosted on InfinityFree.
“The last detected activity in phase three occurred in December 2023,” the report stated. “Since then, BlueDelta likely discontinued using InfinityFree hosting, opting for hosting infrastructure on webhook[.]site and mocky[.]io directly.”
BlueDelta has also conducted credential harvesting operations targeting services such as Yahoo! and UKR[.]net by deploying lookalike pages to deceive victims into entering their credentials.
One technique involved creating dedicated web pages on Mocky that interact with a Python script on compromised Ubiquiti routers to exfiltrate entered credentials. In February, a U.S.-led law enforcement operation disrupted a botnet comprising Ubiquiti EdgeRouters utilized by APT28 for this purpose.
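As an added example, not code from the report or from Recorded Future, the following proxy-log check flags clients that reach the legitimate internet services the report names as HeadLace hosting and redirection infrastructure (webhook.site, mocky.io, GitHub), which is one way defenders can surface LIS abuse that otherwise hides in normal traffic. The log format, the severity levels and the sample lines are assumptions constructed for this example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Legitimate internet services (LIS) the report names as HeadLace redirection or
# hosting infrastructure, with a triage severity. Severities are this example's
# own assumption, not from the report: github.com is kept at "low" because normal
# developer traffic would otherwise drown the alert.
ABUSED_LIS = {
    "webhook.site": "high",
    "mocky.io": "high",
    "github.com": "low",
}

def lis_match(host: str):
    """Return the matching LIS domain if host is it or a subdomain of it, else None."""
    host = host.lower().rstrip(".")
    for domain in ABUSED_LIS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def parse_line(line: str):
    """Parse a constructed proxy log line: '<ts> <client_ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method,
            "host": urlsplit(url).hostname or "", "url": url, "status": status}

def find_lis_beacons(lines):
    """Return {client_ip: [(severity, domain, url), ...]} for hits on abused LIS domains."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        domain = lis_match(rec["host"])
        if domain:
            hits[rec["client"]].append((ABUSED_LIS[domain], domain, rec["url"]))
    return dict(hits)

# Constructed sample proxy log lines (placeholder paths, not real indicators).
SAMPLE_LOG = [
    "2023-12-01T09:14:02Z 10.0.5.23 GET https://www.example.org/index.html 200",
    "2023-12-01T09:14:09Z 10.0.5.23 GET https://webhook.site/0000-placeholder-id 200",
    "2023-12-01T09:14:10Z 10.0.5.23 GET https://run.mocky.io/v3/placeholder 200",
    "2023-12-01T09:15:31Z 10.0.5.41 GET https://github.com/someorg/somerepo 200",
    "malformed line",
]

if __name__ == "__main__":
    for client, events in find_lis_beacons(SAMPLE_LOG).items():
        for severity, domain, url in events:
            print(f"{severity:5} {client} -> {domain} ({url})")
```

A client that hits more than one of the high-severity services within seconds, as 10.0.5.23 does in the sample, is the pattern worth escalating; a lone github.com hit is only context.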
Targets of the credential harvesting activity included the Ukrainian Ministry of Defence, Ukrainian arms import and export companies, European railway infrastructure, and a think tank based in Azerbaijan.
“Infiltrating networks associated with Ukraine’s Ministry of Defence and European railway systems could enable BlueDelta to gather intelligence potentially influencing battlefield tactics and broader military strategies,” Recorded Future explained.
“Moreover, BlueDelta’s interest in the Azerbaijan Center for Economic and Social Development indicates an agenda to comprehend and potentially influence regional policies.”
This development coincides with another Russian state-sponsored threat group, Turla, being observed using human rights seminar invitations as phishing email decoys to deploy a payload akin to the TinyTurla backdoor via the Microsoft Build Engine (MSBuild).