
Russian hackers use HeadLace Malware to Target Europe and Steal Credentials

The threat actor APT28, believed to be backed by Russia's GRU, has been identified as the culprit behind several cyber campaigns targeting networks in Europe that use the HeadLace malware and fake web pages to steal credentials.

APT28, also known by aliases such as BlueDelta, Fancy Bear, and Sednit, is a highly advanced group associated with Russia’s GRU intelligence unit, known for stealthy and sophisticated attacks that use custom tools and legitimate Internet services to cover its tracks.

“Between April and December 2023, BlueDelta used geofencing techniques to deploy the Headlace malware in multiple phases, focusing heavily on Ukraine,” said Recorded Future’s Insikt Group.

The activities of BlueDelta highlight a broader strategic goal of gathering intelligence on targets crucial to Russia’s interests, especially in the context of its involvement in Ukraine.

The HeadLace malware, which has been previously documented by several cybersecurity firms, is typically distributed through spear-phishing emails containing malicious links that lead to a multi-stage infection process.

BlueDelta employed a complex infrastructure to distribute the HeadLace malware, involving different stages and techniques to evade detection.

In addition to malware attacks, BlueDelta has been conducting credential harvesting operations targeting organizations in Ukraine and Europe, using fake web pages to trick victims into entering their login credentials.

Recorded Future pointed out that infiltrating networks related to Ukraine’s Ministry of Defence and European railway systems could provide valuable intelligence for shaping military strategies. The group’s interest in other entities suggests a broader agenda beyond just data theft.

Meanwhile, another Russian threat group called Turla has been observed using similar tactics to target victims through phishing emails, highlighting the ongoing cyber threats originating from Russia.
