URL: https://therecord.media/ukraine-energy-facility-cyberattack-fancy-bear-email?_hsmi=273151540&_hsenc=p2ANqtz-9zOUMGN3wv5N...


Image: Jared Phillips via Unsplash
Daryna Antoniuk, September 5th, 2023
 * Nation-state
 * News
 * Malware
 * Industry



Ukraine says an energy facility disrupted a Fancy Bear intrusion

An infamous Russian cyberespionage group was caught attacking a critical energy
facility in Ukraine, a government agency said on Tuesday.

A cybersecurity expert working for the targeted organization thwarted the
attack, according to the report from Ukraine’s computer emergency response team
(CERT-UA). The agency attributed the incident to Kremlin-controlled hackers
known as Fancy Bear or APT28.

CERT-UA said the group targeted an unspecified energy facility in Ukraine, using
phishing emails to gain initial access to the targeted systems. Fancy Bear is
believed to be associated with the Russian military intelligence agency GRU, and
its history includes the attack on the U.S. Democratic National Committee during
the 2016 elections.

The content of the malicious email was unusual. In past attacks, Russian hackers
typically faked government documents or, in the case of Fancy Bear, distributed
bogus software update advisories.

However, this time, the email shared by CERT-UA included three images and the
following message: "Hi! I talked to three girls, and they agreed. Their photos
are in the archive; I suggest checking them out on the website."

In addition to the images, the archive contains a BAT file, a batch script that
Windows runs with its command interpreter, cmd.exe.

When the victim runs this file, it opens a few decoy web pages meant to look
harmless while also executing a malicious script on the targeted device.

The attackers also installed Tor on the victim's computer, researchers said. The
software anonymizes internet traffic by routing it through a network of
volunteer-operated relays, making it difficult to trace the traffic back to its
source.

In the recent attack, an employee identified the threat and took steps to
respond, CERT-UA said. They restricted access to web resources associated with
the Mockbin service, a web tool for creating mock HTTP endpoints that is used in
testing and development, the report said. Fancy Bear has abused Mockbin in the
past to target Ukrainian government agencies.

Additionally, the energy facility blocked the use of Windows Script Host, the
built-in Windows engine (wscript.exe and cscript.exe) that runs VBScript and
JScript files, CERT-UA said.
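As an added example, not taken from the CERT-UA report or this article, the following PowerShell applies the Windows Script Host restriction the facility is described as using, both machine-wide and for the current user, and then reads the values back. The registry key and the Enabled value are the documented WSH settings; the script assumes an elevated shell for the HKLM write. One caveat a defender should keep in mind: a .bat file runs under cmd.exe, not WSH, so this setting stops a downstream VBScript or JScript stage but not the batch file itself, and the article does not say which script engine the harmful script used.

```powershell
# Added example (not CERT-UA's or The Record's code): disable Windows Script Host
# machine-wide and for the current user, then verify the setting.
# Requires an elevated PowerShell session for the HKLM write.
# With Enabled = 0 (REG_DWORD) under the WSH Settings key, wscript.exe and
# cscript.exe refuse to run scripts. This does not affect cmd.exe batch files.

$wshSettings = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
)

foreach ($key in $wshSettings) {
    # The Settings key may not exist yet under HKCU; create it if needed.
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Enabled = 0 disables WSH for the scope (machine or user) the hive covers.
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
}

# Verify: each key should now report Enabled = 0.
foreach ($key in $wshSettings) {
    $value = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    '{0}: Enabled = {1}' -f $key, $value
}
```

After the change, launching a .vbs or .js file through wscript.exe or cscript.exe fails with the message "Windows Script Host access is disabled on this machine"; to restore it, set Enabled back to 1 or delete the value. The same setting can be pushed to a fleet through Group Policy preferences rather than run by hand on each host.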

CERT-UA has not disclosed which facility was targeted. It has been some time
since Ukrainian authorities publicly reported an attack on the country's energy
infrastructure. Last fall, Ukraine experienced a combination of missile strikes
and cyberattacks on its energy infrastructure as Russia aimed to disrupt the
country's power supply.

The onslaught destroyed power plants, major transmission lines and substations,
leading to daily blackouts lasting several hours.

The attacks stopped with the arrival of warmer weather, but there are concerns
that new blackouts may come this fall, as Russia is reportedly preparing its
arsenal for such strikes. Whether they will again be accompanied by cyberattacks
remains to be seen.


Tags
 * Russia
 * Ukraine
 * Critical Infrastructure
 * energy
 * Fancy Bear
 * APT28


Daryna Antoniuk

Daryna Antoniuk is a freelance reporter for Recorded Future News based in
Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe
and the state of the cyberwar between Ukraine and Russia. She previously was a
tech reporter for Forbes Ukraine. Her work has also been published at Sifted,
The Kyiv Independent and The Kyiv Post.

© Copyright 2023 | The Record from Recorded Future News