The Russian-linked hacker group Fancy Bear, also known as APT28 and Sednit, is targeting arms suppliers to Ukraine, including companies in Bulgaria, according to a report by the security firm ESET, writes Cyberscoop. The campaign, ongoing since 2023, employs vulnerabilities in webmail software like Roundcube, Horde, MDaemon, and Zimbra to access communications and emails of executives at arms firms and government officials in multiple countries. The latest detected attack was on April 17.

ESET reports that Fancy Bear has leveraged a combination of spearphishing and cross-site scripting to exploit both zero-day and known vulnerabilities in these webmail clients. Among the vulnerabilities used is CVE-2024-11182, which ESET researchers suspect may have been developed or obtained by the group. The exploit was initially observed in emails sent to two Ukrainian state-owned defense companies and a civilian air transport firm in November 2024.

In 2024, the victims of these cyberattacks included defense companies in Bulgaria and Romania producing Soviet-era weapons, as well as Ukrainian military and government officials, regional authorities in Greece, Cameroon, and Serbia, and military personnel in Ecuador. Additionally, phishing attempts targeted the email accounts of high-ranking Ukrainians and defense sector executives, aiming to extract sensitive information regarding military supplies and operations.

The report suggests that the primary focus of Fancy Bear's campaign is to collect intelligence on Ukraine’s defense sector while also targeting entities in Latin America, the European Union, and Africa. According to ESET senior malware researcher Matthieu Faou, the group appears to be the sole threat actor using the identified exploit, indicating that it may have developed the capability internally or procured it from third-party vendors.

ESET detected at least 17 targeted organizations in the ongoing campaign. The hackers employed spearphishing emails that imitated legitimate Ukrainian news reports about the war, with subjects such as “SBU arrested a banker working for Russian military intelligence in Kharkiv” and “Putin seeks Trump’s acceptance of Russian conditions.” These lures were designed to prompt recipients to click malicious links or open compromised webmail pages.

Once the targeted email clients were compromised, a custom JavaScript payload was deployed to steal data from the email accounts, including login credentials, address book contacts, and message history. In some cases, attackers also managed to exfiltrate two-factor authentication information, potentially bypassing security measures. The malware is not persistent and relies on the victim reopening the malicious email to reload the attack code.

French authorities also recently accused Fancy Bear of targeting French institutions, claiming that the group attempted to disrupt French elections in 2017 and continued cyberattacks against various entities through 2021. The French Ministry for Europe and Foreign Affairs warned of ongoing Russian cyber activities aimed at destabilizing European partners.

ESET researchers remain vigilant, closely monitoring Fancy Bear’s operations for emerging threats and potential new exploits in webmail applications. The group’s efforts to compromise Ukrainian military suppliers and other regional entities underscore its continued focus on intelligence gathering amid the Russia-Ukraine conflict.